Filter considerations, categories, and built-in filters - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide

Abstract: Built-in filters for playbook tasks are grouped by category.

You can use the built-in filters, which are grouped by category, to define your own filter. Before defining a filter, consider the following.

Filter considerations
  • Filters try to cast the transformed value and arguments to the appropriate type. The task fails if casting fails. For example, "a" Equals {"some": "object"} => Error

  • If the filter's left-side value expects a single item but receives a list, the filter passes if at least one item meets the requirements. For example, ["a", "b", "c"] Equals "b" => true.

  • If the filter's left-side value expects a list but receives a single item, it converts it to a list with a single item. For example, "a" Contains "a" => True.

  • Some custom filters are implemented as scripts with the filter tag. You can find examples in the playbook automation task description.

  • Filters in conditional tasks do not iterate the items of the root. Instead, they fetch the left-side value and the right-side value and compare them.
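The following is an added example, not Cortex XSIAM code: a small Python model of the rules listed above (casting failures, a list on the left of a single-item filter, a single item where a list is expected, and the Is defined versus Is not empty distinction), so the behaviour can be checked on concrete values before a playbook depends on it. The function names and the cast rule (objects and lists cannot be cast to strings) are assumptions of this model.

```python
# Added example, not Cortex XSIAM code: a model of the filter rules above.
import json
from typing import Any, Callable, Dict, List

class FilterError(Exception):
    """Raised when a side cannot be cast to the type the filter expects (task fails)."""

def _as_string(value: Any) -> str:
    # String filters cast both sides to str; objects and lists cannot be cast,
    # so "a" Equals {"some": "object"} is an error rather than False.
    if isinstance(value, (dict, list)):
        raise FilterError("cannot cast %s to a string" % json.dumps(value))
    return str(value)

def _as_list(value: Any) -> List[Any]:
    # A side that expects a list but receives a single item is wrapped, so "a" acts like ["a"].
    return value if isinstance(value, list) else [value]

def equals(left: Any, right: Any) -> bool:
    """Equals (String) on two single values, after casting both to str."""
    return _as_string(left) == _as_string(right)

def in_filter(left: Any, right: Any) -> bool:
    """In: the single value on the left is contained in the list on the right."""
    return _as_string(left) in [_as_string(item) for item in _as_list(right)]

def apply_filter(op: Callable[[Any, Any], bool], left: Any, right: Any) -> bool:
    """A single-item filter given a list on the left passes if at least one item
    passes, e.g. ["a", "b", "c"] Equals "b" => True."""
    return any(op(item, right) for item in _as_list(left))

def raises_cast_error(op: Callable[[Any, Any], bool], left: Any, right: Any) -> bool:
    """True when the filter would fail the task because of a cast error."""
    try:
        apply_filter(op, left, right)
    except FilterError:
        return True
    return False

def is_defined(context: Dict[str, Any], key: str) -> bool:
    # false, "" and [] are defined values; only a missing key is undefined.
    return key in context

def is_not_empty(context: Dict[str, Any], key: str) -> bool:
    # Use this instead of Is defined when false, "" and [] must not pass.
    value = context.get(key)
    if value is None or value is False:
        return False
    return not (isinstance(value, (str, list, dict)) and len(value) == 0)
```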

Filter categories and built-in filters

When adding a filter, clicking the default Equals (String) field opens a search window showing the available built-in filters. They are defined by category as follows:

General filters such as Contains, Doesn't Contain, In, and Is empty.

  • Contains: Tests whether the value on the left is contained in the value on the right. Can be used for any kind of object (not limited to a string).

  • Doesn't Contain: Tests whether the value on the left is NOT contained in the value on the right. Can be used for any kind of object (not limited to a string).

  • Has length of: Tests whether a list specified on the left has the number of items specified on the right.

  • In: Tests whether the value on the left is contained in the object on the right.

  • Is defined: Tests whether a key on the left exists in context. Note: Is defined considers false and empty strings and lists to be defined values. If you don't want those to be included as defined, use Is not empty.

  • Is empty: Tests whether the value of a key is empty.

  • Is not empty: Tests whether the value of a key is NOT empty.

  • Not defined: Tests whether a key on the left does NOT exist in context. Note: Not defined considers false and empty strings and lists to be defined values. If you don't want those to be included as defined, use Is empty.

  • Not in: Tests whether the value on the left is NOT contained in the object on the right.

Determines the relationship between the left-side string value and the right-side string value, such as starts with, includes, and in the list. The string filter returns partial matches as True.

  • Doesn't end with: Tests whether the string on the left is NOT the end of the string on the right.

  • Doesn't equal: Tests whether the strings are NOT the same.

  • Doesn't include: Tests whether the string on the right is NOT a substring of the string on the left.

  • Doesn't start with: Tests whether the string on the right is NOT the beginning of the string on the left.

  • Ends with: Tests whether the string on the left is the end of the string on the right.

  • Equals: Tests whether the strings are the same.

  • Has length: Tests whether the two strings have the same length.

  • In list: Tests whether the string on the left is in the list on the right.

  • Includes: Tests whether the string on the right is a substring of the string on the left.

  • Matches - regex: Tests whether the string on the left matches the regex on the right. Uses Go-style regex.

  • Not in list: Tests whether the string on the left is NOT a substring of the string on the right.

  • Starts with: Tests whether the string on the right is the beginning of the string on the left.

  • StringContainsArray: Tests whether a substring or an array of substrings on the left is within a string array on the right. Supports single strings as well. For example, for substrings ['a', 'b', 'c'] in string 'a' the script returns true.

Determines the relationship between the left-side number value and the right-side number value, such as Equals, Greater than, and Less than.

  • Doesn't equal: Tests whether the number on the left does NOT equal the number on the right.

  • Equals: Tests whether the number on the left equals the number on the right.

  • Greater or equal: Tests whether the number on the left is greater than or equal to the number on the right.

  • Greater than: Tests whether the number on the left is greater than the number on the right.

  • InRange: Tests whether the number on the left is within a range specified on the right. For example, if the left value is 4, and the range on the right is 1,8, the condition is true.

  • Less or equal: Tests whether the number on the left is less than or equal to the number on the right.

  • Less than: Tests whether the number on the left is less than the number on the right.

Determines whether the left-side time value is earlier than, later than, or the same time as the right-side time value.

  • After: Tests whether the date on the left is after the date on the right.

  • AfterRelativeDate: Tests whether the date on the left occurred after the provided relative time (such as '6 months ago') on the right. Returns True or False.

  • Before: Tests whether the date on the left is before the date on the right.

  • Same as: Tests whether the two dates are the same.

Determines whether a field is true or false, or whether its string representation is true or false.

  • Is false: Tests whether the value on the left evaluates to false.

  • Is true: Tests whether the value on the left evaluates to true.

Miscellaneous filters, including CheckIfSubdomain and IsInCidrRanges.

  • CheckIfSubdomain: Tests whether the value on the left is a subdomain of the value on the right.

  • CIDRBiggerThanPrefix: Tests whether the CIDR prefix on the left is bigger than the defined maximum prefix on the right.

  • GreaterCidrNumAddresses: Tests whether the number of available addresses in the IPv4 or IPv6 CIDR on the right is greater than the input given on the left.

  • IsInCidrRanges: Tests whether the IPv4 address on the left is contained in at least one of the comma-delimited CIDR ranges on the right. Multiple IPv4 addresses can be passed in a comma-delimited list and each address is tested.

  • IsNotInCidrRanges: Tests whether the IPv4 address on the left is NOT contained in at least one of the comma-delimited CIDR ranges on the right. Multiple IPv4 addresses can be passed in a comma-delimited list and each address is tested.

  • IsRFC1918Address: Tests whether an IPv4 address on the left is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) on the right.

  • LowerCidrNumAddresses: Tests whether the number of available addresses in the IPv4 or IPv6 CIDR on the right is less than the input given on the left.
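The following is an added example, not Cortex XSIAM code: a Python model of the CIDR filters in this table (IsInCidrRanges, IsNotInCidrRanges, IsRFC1918Address, GreaterCidrNumAddresses and LowerCidrNumAddresses) built on the standard ipaddress module, so the comma-delimited, per-address behaviour can be checked locally. The function names, the per-address result dictionary, and the reading of IsNotInCidrRanges as "contained in none of the ranges" are assumptions of this model.

```python
# Added example, not Cortex XSIAM code: a model of the CIDR filters above.
import ipaddress
from typing import Dict, List

# The three blocks named in the IsRFC1918Address description.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _split_csv(value: str) -> List[str]:
    # Both sides accept comma-delimited values; surrounding whitespace is ignored.
    return [item.strip() for item in value.split(",") if item.strip()]

def is_in_cidr_ranges(addresses: str, ranges: str) -> Dict[str, bool]:
    """IsInCidrRanges: each address on the left is tested separately and passes
    when at least one of the ranges on the right contains it."""
    networks = [ipaddress.ip_network(r, strict=False) for r in _split_csv(ranges)]
    result = {}
    for addr in _split_csv(addresses):
        ip = ipaddress.ip_address(addr)
        # "ip in net" is False when the IP versions differ, so mixed input is safe.
        result[addr] = any(ip in net for net in networks)
    return result

def is_not_in_cidr_ranges(addresses: str, ranges: str) -> Dict[str, bool]:
    # Assumed reading of IsNotInCidrRanges: passes when no range contains the address.
    return {a: not hit for a, hit in is_in_cidr_ranges(addresses, ranges).items()}

def is_rfc1918_address(address: str) -> bool:
    """IsRFC1918Address. The three blocks are checked explicitly because
    ipaddress's is_private also covers loopback, link-local and other
    non-RFC 1918 space, so it would wrongly accept 127.0.0.1."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)

def cidr_num_addresses(cidr: str) -> int:
    # Size of the block, used by GreaterCidrNumAddresses / LowerCidrNumAddresses.
    return ipaddress.ip_network(cidr, strict=False).num_addresses

def greater_cidr_num_addresses(threshold: int, cidr: str) -> bool:
    # Passes when the CIDR on the right has more addresses than the number on the left.
    return cidr_num_addresses(cidr) > threshold

def lower_cidr_num_addresses(threshold: int, cidr: str) -> bool:
    # Passes when the CIDR on the right has fewer addresses than the number on the left.
    return cidr_num_addresses(cidr) < threshold
```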