Create filters and transformers in a playbook

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-07-12
Category
Administrator Guide
Abstract

Filter transformer playbooks mapping.

You can create filters and transformers when adding or editing a task in a playbook or when mapping an instance.

You can filter as many nested objects as required. Cortex XSIAM automatically calculates the context root to which to filter. For example, if you want to extract all Item names in EWS and you type EWS.Items.Name in the Get field, Cortex XSIAM calculates that the context root is EWS.items.

Warning

You can change the context data root to which to filter, but it is not recommended to select a different root, as it affects the filter results. The drop-down list displays the filter root for backward compatibility.

  1. Create or edit a playbook task.

  2. In the field where you want to add a filter or transformer, click the curly brackets and then select Filters and Transformers.

  3. In the Get field, type or select the data you want to filter or transform. For example, EWS.Items.Name.

  4. (Optional) To filter the data, do the following.

    1. In the Filter section, click Add filter.

      When you add a filter, Cortex XSIAM automatically populates the context root to which to filter.

    2. Select the data you want to filter.

    3. Select the Filter operators.

    4. Add the value.

    5. Click the tick box to save the filter.

    For an example, see Create a filter example.

  5. (Optional) To apply transformers to the field, click Add transformer.

    1. Click the transformer and select the relevant transformer.

      For example, you may want to change the date format for when incidents occurred.

    2. Select the Transformers operators.

    3. Click the tick box to save.

  6. (Optional) To test the filter or transformation, click Test and select the investigation or add it manually.
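
The context root described above, and why the Warning advises against changing it, shown as an added example: a simplified Python model, not Cortex XSIAM's own code. The `Size` field, the sample context, the helper names, and the rule that the default root is the Get path minus its last segment (matching the EWS.Items.Name example) are assumptions made for illustration.

```python
# Simplified model of "filter on a context root, then Get a field".
# Illustrative only; this is not Cortex XSIAM's implementation.

def _flatten(values):
    out = []
    for v in values:
        out.extend(_flatten(v) if isinstance(v, list) else [v])
    return out

def get_path(data, path):
    """Resolve a dotted context path, fanning out over nested lists."""
    nodes = _flatten([data])
    for key in path.split("."):
        nodes = _flatten([n[key] for n in nodes if isinstance(n, dict) and key in n])
    return nodes

def default_root(get):
    """Assumed rule matching the page's example: parent of the Get path."""
    return get.rsplit(".", 1)[0]

def _relative(path, root):
    if not path.startswith(root + "."):
        raise ValueError(f"{path!r} is not under root {root!r}")
    return path[len(root) + 1:]

def filter_and_get(context, get, field, test, root=None):
    """Keep objects at `root` where any value of `field` passes `test`,
    then return the `get` values of the objects that were kept."""
    root = root or default_root(get)
    rel_get, rel_field = _relative(get, root), _relative(field, root)
    kept = [obj for obj in get_path(context, root)
            if any(test(v) for v in get_path(obj, rel_field))]
    return _flatten([get_path(obj, rel_get) for obj in kept])

# Constructed sample context data (not taken from a real investigation).
CONTEXT = {"EWS": {"Items": [
    {"Name": "invoice.docm", "Size": 48211},
    {"Name": "logo.png", "Size": 1032},
    {"Name": "report.pdf", "Size": 90444},
]}}

def is_large(size):
    return size > 10000

if __name__ == "__main__":
    # Default root EWS.Items: each item is tested individually.
    print(filter_and_get(CONTEXT, "EWS.Items.Name", "EWS.Items.Size", is_large))
    # Root changed to EWS: the whole EWS object is tested once, so every name is kept.
    print(filter_and_get(CONTEXT, "EWS.Items.Name", "EWS.Items.Size", is_large, root="EWS"))
```

In this model the default root returns only the names of items that match, while the wider root returns every name as soon as any item matches, which is the kind of change in filter results the Warning refers to.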