Transformers operators - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-01
Category: Administrator Guide
Abstract

Transformers enable you to transform or render one value into another value. This page describes the system transformer operators.

Transformers enable you to take one value and transform or render it to another value. When you have more than one transformer, you can reorder them using click-and-drag.

Note the following:

  • Transformers try to cast the transformed value (and arguments) to the necessary type. The task fails if the cast fails; for example, {"some": "object"} To upper case => Error.

  • Some transformers are applied on each item of the result. For example, a, b, c To upper case => A, B, C.

  • Some transformers operate on the entire list. For example, a, b, c count => 3.

  • Some transformers are implemented as automations (custom transformer automations tagged with the transformer tag). You can find examples in the automation description. For more information about creating custom transformers, see Create custom filter and transformer operators.

Transformer categories

Date: Transforms the date. The following table describes the Date transformers:

Date to string
Description: Converts any date to a specified string format. The date input must be in ISO format, for example 2021-10-06T13:44:07. The default output format is RFC822.
format: The desired string output format, written as a Go reference-time layout. For example, to convert to RFC822 format, enter 02 Jan 06 15:04 MST.
The following are available output format options:
  • Layout = 01/02 03:04:05PM '06 -0700 // The reference time, in numerical order
  • RFC3339Nano = 2006-01-02T15:04:05.999999999Z07:00
  • Kitchen = 3:04PM // Handy time stamps
  • Stamp = Jan _2 15:04:05
  • StampMilli = Jan _2 15:04:05.000
  • StampMicro = Jan _2 15:04:05.000000
  • StampNano = Jan _2 15:04:05.000000000
This transformer is implemented in Go.
Example: 2021-10-06T13:44:07 => 06 Oct 21 13:44 EDT

Date to Unix
Description: Converts any date to a Unix timestamp. See the Filter operators for a list of supported time and date formats.
Example: Mon, 02 Jan 2006 15:04:05 MST => 1136214245
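To make the layout and casting rules concrete, here is an added example (not Cortex XSIAM code and not from this page) that re-implements Date to string and Date to Unix with Go's standard library. The function names and the choice of UTC as the parse location are assumptions; that UTC choice is why the RFC822 output below ends in UTC rather than the page's EDT.

```go
package main

import (
	"fmt"
	"time"
)

// isoLayout is the ISO input form that "Date to string" expects.
const isoLayout = "2006-01-02T15:04:05"

// dateToString re-implements the "Date to string" transformer (assumed name).
// layout is a Go reference-time layout and defaults to RFC822 when empty.
// The zone abbreviation in the output comes from the location the input is
// parsed in; this example assumes UTC, whereas the page's "EDT" output
// reflects the tenant's local zone.
func dateToString(input, layout string) (string, error) {
	t, err := time.ParseInLocation(isoLayout, input, time.UTC)
	if err != nil {
		// Casting rule from the notes above: a non-date input fails the task.
		return "", fmt.Errorf("date to string: cannot cast %q to a date: %w", input, err)
	}
	if layout == "" {
		layout = time.RFC822 // "02 Jan 06 15:04 MST"
	}
	return t.Format(layout), nil
}

// dateToUnix re-implements "Date to Unix" (assumed name) for an RFC1123-style
// input such as "Mon, 02 Jan 2006 15:04:05 MST". An abbreviation that is
// unknown in the parse location (MST under UTC) is taken as a zero offset,
// which is why the page's example yields 1136214245 and not the -0700 value.
func dateToUnix(input string) (int64, error) {
	t, err := time.ParseInLocation(time.RFC1123, input, time.UTC)
	if err != nil {
		return 0, fmt.Errorf("date to unix: cannot cast %q to a date: %w", input, err)
	}
	return t.Unix(), nil
}

func main() {
	s, _ := dateToString("2021-10-06T13:44:07", "")
	fmt.Println(s) // 06 Oct 21 13:44 UTC
	k, _ := dateToString("2021-10-06T13:44:07", "3:04PM") // Kitchen layout
	fmt.Println(k) // 1:44PM
	u, _ := dateToUnix("Mon, 02 Jan 2006 15:04:05 MST")
	fmt.Println(u) // 1136214245
	_, err := dateToString(`{"some": "object"}`, "")
	fmt.Println(err) // non-nil: the cast failed, so the task would fail
}
```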

General: Includes general transformers, such as sort, splice, and stringify. The following table describes the General transformers:

Unique
Description: Returns a de-duplicated version of a list.
Example: a, b, a, c, d, a, b => a, b, c, d

Slice
Description: Returns the part of a list from the from index (included) through the to index (not included).
from: Zero-based index at which to begin extraction (default: 0).
to: Zero-based index before which to end extraction (default: list length).
Example: a, b, c, d from: 1, to: 3 => b, c

Slice by item
Description: Returns the part of a list from the from item (included) through the to item (not included).
from: Item from which to begin the extraction. If not specified, extracts from the beginning of the list.
to: Item before which to end the extraction. If not specified, extracts to the end of the list.
Example: a, b, c, d from: b, to: d => b, c

Sort
Description: Sorts an entire list. Supports strings and numbers.
descending: true to sort in descending order (default: false).
Examples:
b, c, a => a, b, c
2.1, 1.2, 3.4 descending: true => 3.4, 2.1, 1.2

Get index
Description: Gets the item at the given index.
index: Index of the item to get.
Examples:
b, c, a index: 0 => b
b, c, a index: -1 => nil

Splice
Description: Adds items to or removes items from an array.
index (required): Zero-based index at which to begin adding or removing items.
deleteCount: Number of elements to remove starting from index (default: 0).
item: Item to add to the array after the index position.
Examples:
a, b, c, d index: 1 deleteCount: 2 => a, d
a, b, c, d index: 2 item: w => a, b, c, w, d

Index of
Description: Returns the first index of the item in the array, or -1 if it is not found.
item: Item to locate in the array.
fromLast: true to search from the end of the array (default: false).
Examples:
a, b, a, c, d, a, b item: b => 1
a, b, a, c, d, a, b item: a fromLast: true => 5
a, b, a, c, d, a, b item: w => -1

Get field
Description: Extracts a given field from the given object.
field (required): The field to extract from the result.
Example: {"name": "john", "color": "white"} field: "color" => "white"

Stringify
Description: Converts the given item to a string.
Example: {"name": "john", "color": "white"} => '{"name":"john","color":"white"}'

Count
Description: Returns the number of elements.
Examples:
b, c, a => 3
null => 0
a => 1

Join
Description: Concatenates all elements.
separator: String placed between each pair of adjacent elements (default: empty string).
Examples:
b, c, a separator: , => b,c,a
b, c, a => bca

String: Transforms strings. To make a regex case-insensitive, use the (?i) prefix (for example, (?i)yourRegexText). The following table describes the String transformers:

replace match
Description: Returns a string in which some or all matches of a regex pattern are replaced with a specified string.
regex: A regex pattern whose matches are replaced by the replaceWith argument. Detailed regex syntax can be found at https://github.com/google/re2/wiki/Syntax.
replaceWith: The string that replaces each match of the regex argument (default: empty string).
Examples:
pluto,is,not,a,planet regex: "," replaceWith: ";" => "pluto;is;not;a;planet"
"pluto is not a planet" regex: .*to replaceWith: vega => vega is not a planet

Substring
Description: Returns the part of a string between one index and another, or through the end of the string.
from (required): An integer between 0 and the length of the string, specifying the offset of the first character to include in the returned substring.
to (optional): An integer between 0 and the length of the string, specifying the offset of the first character not to include in the returned substring.
Example: pluto is not a planet from: 4 to: 10 => o is n

Split
Description: Splits a string into an array of strings, using a specified delimiter string to determine where each split occurs.
delimiter: The string that marks the points at which each split occurs (default delimiter: ",").
Examples:
hello world,bye bye world => hello world, bye bye world
hello world delimiter: " " => hello, world

Split & trim
Description: Splits a string into an array of strings, using a specified delimiter string to determine where each split occurs, and removes whitespace from both ends of each resulting string.
delimiter: The string that marks the points at which each split occurs (default delimiter: ",").
Example: hello & world delimiter: & => hello, world

From string
Description: Returns the part of a string that follows the first occurrence of the from string.
from (required): String after which the substring starts.
Example: pluto is not a planet from: pluto is => not a planet

To string
Description: Returns the part of a string that precedes the first occurrence of the to string.
to (required): String before which the substring ends.
Example: pluto is not a planet to: a planet => pluto is not

concat
Description: Returns the string concatenated with a given prefix and suffix.
prefix: A prefix to concatenate to the start of the value.
suffix: A suffix to concatenate to the end of the value.
Examples:
night prefix: good => good night
night suffix: shift => night shift
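As an added example (not code from Cortex XSIAM or from this page), the following Go program re-implements replace match and Split & trim with Go's regexp package, which uses the RE2 syntax linked above; the function names are assumed. It also exercises the (?i) prefix and shows that a pattern using syntax RE2 does not support (a lookahead) fails outright rather than silently matching nothing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// replaceMatch re-implements the "replace match" transformer (assumed name):
// every match of an RE2 pattern is replaced with replaceWith, which defaults
// to the empty string. A pattern RE2 cannot compile returns an error, so the
// task fails instead of producing a misleading unchanged string.
func replaceMatch(value, pattern, replaceWith string) (string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return "", fmt.Errorf("replace match: invalid RE2 pattern %q: %w", pattern, err)
	}
	return re.ReplaceAllString(value, replaceWith), nil
}

// splitAndTrim re-implements "Split & trim" (assumed name): split on the
// delimiter (default ",") and strip whitespace from both ends of each piece.
func splitAndTrim(value, delimiter string) []string {
	if delimiter == "" {
		delimiter = ","
	}
	parts := strings.Split(value, delimiter)
	for i, p := range parts {
		parts[i] = strings.TrimSpace(p)
	}
	return parts
}

func main() {
	s, _ := replaceMatch("pluto,is,not,a,planet", ",", ";")
	fmt.Println(s) // pluto;is;not;a;planet
	s, _ = replaceMatch("pluto is not a planet", ".*to", "vega")
	fmt.Println(s) // vega is not a planet
	// (?i) prefix from the String section: the match ignores case.
	s, _ = replaceMatch("PLUTO is not a planet", "(?i)^pluto", "vega")
	fmt.Println(s) // vega is not a planet
	_, err := replaceMatch("pluto", "(?=pluto)", "")
	fmt.Println(err) // non-nil: RE2 has no lookahead, so the task fails
	fmt.Println(splitAndTrim("hello & world", "&")) // [hello world]
}
```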

Number: Transforms a number. The following table describes the Number transformers:

Floor
Description: Returns the highest integer less than or equal to the number.
Example: 1.2 => 1

Ceil
Description: Returns the lowest integer greater than or equal to the number.
Example: 1.2 => 2

Round
Description: Returns the nearest integer, rounding halves away from zero.
Examples:
7.68 => 8
2.43 => 2
2.5 => 3

Absolute
Description: Returns the absolute value of the given number.
Example: -2 => 2

Decimal precision
Description: Truncates the number of digits after the decimal point, according to the by argument.
by: Number of digits to keep after the decimal point (default: 0).
Example: 8.6666 by: 2 => 8.66

Modulus (remainder)
Description: The modulo operator (%) returns the remainder of the division.
by (required): The divisor (default: 0).
Example: 20 by: 3 => 2

To percent
Description: Converts a number to a percent.
withsign: Specify true to include the % sign (default: false).
Examples:
0.22 => 20
0.22 withsign: true => 20%

Quadratic equation
Description: Returns the roots of ax² + bx + c = 0, computed with the quadratic formula, where the input value is a.
b (required): The b coefficient of ax² + bx + c = 0 (default: 0).
c (required): The c coefficient of ax² + bx + c = 0 (default: 0).
Examples:
1 b: 3 c: 2 => -1.00, -2.00
3 b: 2 c: 4 => (-0.333 +1.106i), (-0.333 -1.106i)