Built-in Filters

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-04
Category: Administrator Guide

Abstract: Description of the built-in filters available for playbook tasks.

General filters

| Filter | Description |
| --- | --- |
| Contains | Tests whether the value on the left is contained in the value on the right. Can be used for any kind of object (not limited to a string). |
| Doesn't Contain | Tests whether the value on the left is NOT contained in the value on the right. Can be used for any kind of object (not limited to a string). |
| Has length of | Tests whether a list specified on the left has the number of items specified on the right. |
| In | Tests whether the value on the left is contained in the object on the right. |
| Is defined | Tests whether a key on the left exists in context. Note: Is defined considers false and empty strings and lists to be defined values. If you don't want those to be included as defined, use Is not empty. |
| Is empty | Tests whether the value of a key is empty. |
| Is not empty | Tests whether the value of a key is NOT empty. |
| Not defined | Tests whether a key on the left does NOT exist in context. Note: Not defined considers false and empty strings and lists to be defined values. If you don't want those to be included as defined, use Is empty. |
| Not in | Tests whether the value on the left is NOT contained in the object on the right. |

String filters

| Filter | Description |
| --- | --- |
| Doesn't end with | Tests whether the string on the left is NOT the end of the string on the right. |
| Doesn't equal | Tests whether the strings are NOT the same. |
| Doesn't include | Tests whether the string on the right is NOT a substring of the string on the left. |
| Doesn't start with | Tests whether the string on the right is NOT the beginning of the string on the left. |
| Ends with | Tests whether the string on the left is the end of the string on the right. |
| Equals | Tests whether the strings are the same. |
| Has length | Tests whether the two strings have the same length. |
| In list | Tests whether the string on the left is in the list on the right. |
| Includes | Tests whether the string on the right is a substring of the string on the left. |
| Matches - regex | Tests whether the string on the left matches the regex on the right. Uses Go-style regex. |
| Not in list | Tests whether the string on the left is NOT a substring of the string on the right. |
| Starts with | Tests whether the string on the right is the beginning of the string on the left. |
| StringContainsArray | Tests whether a substring or an array of substrings on the left is within a string array on the right. Supports single strings as well. For example, for substrings ['a', 'b', 'c'] in string 'a' the script returns true. |

Number filters

| Filter | Description |
| --- | --- |
| Doesn't equal | Tests whether the number on the left does NOT equal the number on the right. |
| Equals | Tests whether the number on the left equals the number on the right. |
| Greater or equal | Tests whether the number on the left is greater than or equal to the number on the right. |
| Greater than | Tests whether the number on the left is greater than the number on the right. |
| InRange | Tests whether the number on the left is within a range specified on the right. For example, if the left value is 4, and the range on the right is 1,8, the condition is true. |
| Less or equal | Tests whether the number on the left is less than or equal to the number on the right. |
| Less than | Tests whether the number on the left is less than the number on the right. |

Date filters

| Filter | Description |
| --- | --- |
| After | Tests whether the date on the left is after the date on the right. |
| AfterRelativeDate | Tests whether the date on the left occurred after the provided relative time (such as '6 months ago') on the right. Returns True or False. |
| Before | Tests whether the date on the left is before the date on the right. |
| Same as | Tests whether the two dates are the same. |

Boolean filters

| Filter | Description |
| --- | --- |
| Is false | Tests whether the value on the left evaluates to false. |
| Is true | Tests whether the value on the left evaluates to true. |

Other filters

| Filter | Description |
| --- | --- |
| CheckIfSubdomain | Tests whether the value on the left is a subdomain of the value on the right. |
| CIDRBiggerThanPrefix | Tests whether the CIDR prefix on the left is bigger than the defined maximum prefix on the right. |
| GreaterCidrNumAddresses | Tests whether the number of available addresses in IPv4 or IPv6 CIDR on the right is greater than the input given on the left. |
| IsInCidrRanges | Tests whether the IPv4 address on the left is contained in at least one of the comma-delimited CIDR ranges on the right. Multiple IPv4 addresses can be passed in a comma-delimited list and each address is tested. |
| IsNotInCidrRanges | Tests whether the IPv4 address on the left is NOT contained in at least one of the comma-delimited CIDR ranges on the right. Multiple IPv4 addresses can be passed in a comma-delimited list and each address is tested. |
| IsRFC1918Address | Tests whether an IPv4 address on the left is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) on the right. |
| LowerCidrNumAddresses | Tests whether the number of available addresses in IPv4 or IPv6 CIDR on the right is less than the input given on the left. |
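
The matching described for IsInCidrRanges and IsRFC1918Address, modeled in Python as an added example (not Cortex XSIAM's own code) so a playbook condition can be checked against boundary addresses before it is relied on. The function names, the sample addresses, and treating an unparsable address as a non-match are assumptions.

```python
import ipaddress

# RFC 1918 ranges exactly as listed in the IsRFC1918Address description.
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# Constructed sample addresses, chosen to sit on or near range boundaries.
SAMPLE = ["10.20.30.40", "172.31.255.254", "172.32.0.1", "192.168.1.5",
          "100.64.0.1", "169.254.10.10", "127.0.0.1", "8.8.8.8"]


def _split(csv):
    """Split a comma-delimited value and drop surrounding whitespace."""
    return [item.strip() for item in csv.split(",") if item.strip()]


def is_in_cidr_ranges(left, right):
    """Return {address: bool}; True when the address is inside at least one
    CIDR range on the right. Each address on the left is tested separately."""
    # A malformed range raises ValueError so a typo in the range list is noticed.
    networks = [ipaddress.IPv4Network(cidr) for cidr in _split(right)]
    results = {}
    for text in _split(left):
        try:
            addr = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            results[text] = False  # assumption: unparsable input never matches
            continue
        results[text] = any(addr in net for net in networks)
    return results


def is_rfc1918(address):
    """True only for the three RFC 1918 blocks, nothing else."""
    return is_in_cidr_ranges(address, RFC1918).get(address.strip(), False)


def stdlib_private_disagreements(addresses):
    """Addresses that ipaddress.is_private accepts but RFC 1918 does not."""
    return [a for a in addresses
            if ipaddress.IPv4Address(a).is_private and not is_rfc1918(a)]


if __name__ == "__main__":
    print(is_in_cidr_ranges(",".join(SAMPLE), "10.0.0.0/8,172.16.0.0/12"))
    print(stdlib_private_disagreements(SAMPLE))
```

Python's `is_private` also covers loopback and link-local space, so it is not a substitute for an explicit RFC 1918 check when reproducing this filter's logic in a script.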