Use filters to extract relevant data for use elsewhere in Cortex XSIAM.
Filters enable you to extract relevant data for use elsewhere. For example, if an alert has several files with varying file types and extensions, you can filter the files by file extension or file type, and use the filtered files in a detonation playbook.
Note the following:
Filters try to cast the transformed value and arguments to the appropriate type. The task fails if casting fails. For example, "a" Equals {"some": "object"} => Error.
If the filter's left-side value expects a single item but receives a list, the filter passes if at least one item meets the requirements. For example, ["a", "b", "c"] Equals "b" => True.
If the filter's left-side value expects a list but receives a single item, it converts it to a list with a single item. For example, "a" Contains "a" => True.
Some filters are implemented as automations (custom transformers, that is, automations carrying the filter tag). You can find examples in the automation description. For more information about creating custom filters, see Create custom filter and transformer operators.
Filters in conditional tasks do not iterate the items of the root. Instead, they fetch the left-side value and the right-side value and compare them.
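The three casting and list rules above, plus the difference between a playbook filter that iterates items and a conditional task that compares two values, as an added illustrative model (not Cortex XSIAM's own code). Operator names, the cast-failure rule for dict operands, and the sample file list are assumptions made for the demo.

```python
from typing import Any, Callable


class FilterCastError(Exception):
    """Raised when an operand cannot be cast to the type the filter expects."""


def _scalar(value: Any) -> Any:
    # Assumption for this model: dicts and sets cannot be cast to a comparable
    # scalar, so "a" Equals {"some": "object"} fails the task instead of being False.
    if isinstance(value, (dict, set)):
        raise FilterCastError(f"cannot cast {type(value).__name__} to a scalar")
    return value


def _as_list(value: Any) -> list:
    # A single item handed to a list-expecting side becomes a one-item list.
    return list(value) if isinstance(value, (list, tuple)) else [value]


# Operators whose left side expects a single item (operator names are assumed).
SCALAR_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "Equals": lambda l, r: _scalar(l) == _scalar(r),
    "StartsWith": lambda l, r: str(_scalar(l)).startswith(str(_scalar(r))),
    "In": lambda l, r: _scalar(l) in _as_list(r),
}

# Operators whose left side expects a list.
LIST_OPS: dict[str, Callable[[list, Any], bool]] = {
    "Contains": lambda l, r: _scalar(r) in l,
}


def apply_filter(left: Any, op: str, right: Any = None) -> bool:
    """Compare one left-side value with the right-side value, as a conditional task does."""
    if op in SCALAR_OPS:
        # Left expects one item: a list passes if at least one element matches.
        return any(SCALAR_OPS[op](item, right) for item in _as_list(left))
    if op in LIST_OPS:
        return LIST_OPS[op](_as_list(left), right)
    raise ValueError(f"unknown operator {op!r}")


def filter_items(items: list, key: str, op: str, right: Any = None) -> list:
    """Playbook-style filtering: iterate the items and keep those whose field passes."""
    return [item for item in items if apply_filter(item.get(key), op, right)]


# Constructed sample: files attached to an alert, narrowed before detonation.
FILES = [
    {"Name": "report.pdf", "Extension": "pdf"},
    {"Name": "setup.exe", "Extension": "exe"},
    {"Name": "macro.docm", "Extension": "docm"},
]
```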
Filter categories
Boolean: Determines whether a field is true or false, or the string representation is true or false.
Date: Determines whether the left-side time value is earlier than, later than, or the same time as the right-side time value.
Supported time and date formats:
Format        Example
ANSIC         Tues Jan _2 15:04:05 2019
UnixDate      Tues Jan _2 15:04:05 MST 2019
RubyDate      Tues Jan 02 15:04:05 -0700 2019
RFC822        02 Jan 19 15:04 MST
RFC822Z       02 Jan 19 15:04 -0700 (RFC822 with numeric zone)
RFC850        Tuesday, 02-Jan-19 15:04:05 MST
RFC1123       Tues, 02 Jan 2019 15:04:05 MST
RFC1123Z      Tues, 02 Jan 2019 15:04:05 -0700 (RFC1123 with numeric zone)
RFC3339       2019-01-02T15:04:05Z07:00
RFC3339Nano   2019-01-02T15:04:05.999999999Z07:00
Kitchen       3.04PM
Stamp         Jan _2 15:04:05
StampMilli    Jan _2 15:04:05.000
StampMicro    Jan _2 15:04:05.000000
StampNano     Jan _2 15:04:05.000000000
General: Includes general filters, such as contains, doesn’t contain, In, empty, etc.
String: Determines the relationship between the left-side string value and the right-side string value, such as starts with, includes, in the list, and so on. The string filter returns partial matches as True.
Number: Determines the relationship between the left-side number value and the right-side number value, such as equals, greater than, less than, etc.
Unknown: Miscellaneous filter category.