Filters and transformers - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Use filters and transformers to manipulate data. Use filters and transformers in playbook tasks or when mapping an instance. transformer mapping

In Cortex XSIAM, data is extracted and collected from various sources, such as playbook tasks, command results, and fetched incidents, and presented in JSON format. The data can be manipulated by using filters and transformers. You can add filters and transformers in a Playbook task or when mapping an instance.


Creating filters enables you to extract relevant data, which you can use elsewhere in Cortex XSIAM. For example, if an alert has several files with varying file types and extensions, you can filter the files by file extension or file type, and use the filtered files in a detonation playbook.

You can filter as many objects as required. Cortex XSIAM automatically calculates the context root to which to filter. You can change the context root, as necessary.


Creating transformers enables you to take one value and transform or render it to another value. For example, converting a date in non-Unix format to Unix format. Another example is applying the count transformer, which renders the number of elements.

When you have more than one transformer, they apply in the order that they appear. You can reorder them using click-and-drag.