Use filters and transformers to manipulate data. Use filters and transformers in playbook tasks or when mapping an instance.
In Cortex XSIAM, data is extracted and collected from various sources, such as playbook tasks, command results, and fetched incidents, and presented in JSON format. The data can be manipulated by using filters and transformers.
Filters
Filters enable you to extract relevant data which you can use elsewhere in Cortex XSIAM. For example, if an alert has several files with varying file types and extensions, you can filter the files by file extension or file type, and use the filtered files in a detonation playbook. You can filter as many objects as required. Cortex XSIAM automatically calculates the context root to which to filter. You can change the context root as necessary.
Caution
You can change the context data root to filter, but it is not recommended to select a different root, as it affects the filter results. The drop-down list displays the filter root for backward compatibility.
Transformers
Transformers modify or format data to make it suitable for further processing or presentation. For example, you can convert a date in non-Unix format to Unix format. Another example is applying the count transformer, which renders the number of elements. When you have more than one transformer, they are applied in the order in which they appear. You can reorder them by clicking and dragging.
Create or edit a playbook task.
In the field where you want to add a filter or transformer (for example, inputs or outputs), click the curly brackets and then select Filters and Transformers.
In the Get field, type or select the data you want to filter or transform, for example EWS.Items.Name.
(Optional) To filter the data, do the following.
In the Filter section, click Add filter.
When adding a filter, the context root to filter is automatically populated.
Select the data you want to filter.
Select the filter operators.
Add the value.
Click the checkbox to save the filter.
(Optional) To apply transformers to the field, click Add transformer.
Click the transformer and select the relevant transformer.
By default, the transformer is set to To upper case(String). Click it to pick a different transformer, for example to change the date format for when incidents occurred.
Select the transformer operators.
Click the tick box to save.
(Optional) To test the filter or transformation, click Test and select the investigation or add it manually.
If you require a filter or transformer that is not provided out-of-the-box, you can create your own by creating a script and then adding it to the operators window.
Select → → → . Type a meaningful name for the script, and click Save.
To create a filter operator script, do the following:
In the Tags field, add the filter tag. If you want a custom transformer that operates on an entire array rather than on each individual item, you also need to add the entirelist tag.
In the Arguments section, add the following arguments:
Argument | Description
left | Mark as mandatory. This argument defines the left-side value of the transformer operation. In this example, this is the value being checked to see whether it falls within the range specified in the right-side value.
right | Mark as mandatory. This argument defines the right-side value of the transformer operation. In this example, this is the range to check whether the left-side value is in.
Add the script syntax and save.
To create a transformer operator script, do the following:
In the Tags field, add the transformer tag.
In the Arguments section, add the following arguments:
Argument | Description
value | Mark as mandatory. The value to transform. In this example, this is the UNIX epoch timestamp to convert to ISO format.
Add the script syntax and save.
Go to the filters and transformers window and select the operator.
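The following is an added example, not code from the Cortex XSIAM documentation, showing the bodies of the two custom operator scripts described above: a filter that takes the left and right arguments and checks whether left falls in a range, and a transformer that takes the value argument and converts a UNIX epoch timestamp to ISO format. The range format for right ("min-max" string or [min, max] list), the milliseconds heuristic, and the platform glue in main() (demisto.args() / demisto.results()) are assumptions, so the operator functions are written to run on their own.

```python
from datetime import datetime, timezone


def _to_number(x):
    """Context values often arrive as strings; coerce them for comparison."""
    return float(x)


def in_range(left, right):
    """Filter operator body (tag: filter). Returns True when `left` lies in `right`.
    Assumed convention: `right` is a "min-max" string or a [min, max] list,
    bounds inclusive, non-negative bounds for the string form."""
    if isinstance(right, str):
        lo, hi = right.split("-", 1)
    else:
        lo, hi = right
    return _to_number(lo) <= _to_number(left) <= _to_number(hi)


def epoch_to_iso(value):
    """Transformer operator body (tag: transformer). UNIX epoch -> ISO 8601 UTC.
    Assumption: values above 10^11 are treated as milliseconds, not seconds."""
    ts = _to_number(value)
    if ts > 1e11:
        ts /= 1000.0
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def epoch_to_iso_list(values):
    """Variant for a transformer tagged entirelist: receives the whole array at once
    instead of being called once per item."""
    return [epoch_to_iso(v) for v in values]


def main():
    # Assumed platform glue: inside Cortex XSIAM a script reads its arguments with
    # demisto.args() and hands back its result with demisto.results().
    args = demisto.args()  # noqa: F821 - `demisto` is provided by the platform
    if "value" in args:
        demisto.results(epoch_to_iso(args["value"]))  # noqa: F821
    else:
        demisto.results(in_range(args["left"], args["right"]))  # noqa: F821


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```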