Filter Operators - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.10
Creation date
2022-10-13
Last date published
2024-11-20
End_of_Life
EoL
Category
Administrator Guide
Abstract

Use filters to extract relevant data for use elsewhere in Cortex XSOAR.

Filters enable you to extract relevant data for use elsewhere in Cortex XSOAR. For example, if an incident has several files with varying file types and extensions, you can filter the files by file extension or file type, and use the filtered files in a detonation playbook.

Note the following:

  • Filters try to cast the transformed value and arguments to the appropriate type. The task fails if casting fails. For example, “a” Equals {“some”: “object”} => Error

  • If the filter's left-side value expects a single item, but receives a list, the filter passes if at least one item meets the requirements. For example, [“a”, “b”, “c”] Equals “b” => true.

  • If the filter's left-side value expects a list, but receives a single item, it converts it to a list with a single item. For example, “a” Contains “a” => True.

  • Some filters are implemented as automations, meaning custom transformers, automation with the filter tag. You can find examples in the automation description. For more information about creating custom filters, see Create Custom Filter and Transformer Operators.

  • Filters in conditional tasks do not iterate the items of the root. Instead, they fetch the left-side value and the right-side value, and compare between them.

Filter Categories

Filter Categories
  • Boolean: Determines whether a Cortex XSOAR field is true or false, or the string representation is true or false.

  • Date: Determines whether the left-side time value is earlier than, later than, or the same time as the right-side time value.

    Supported time and date formats:

    Format

    Example

    ANSIC

    Tues Jan _2 15:04:05 2019

    UnixDate

    Tues Jan _2 15:04:05 MST 2019

    RubyDate

    Tues Jan 02 15:04:05 -0700 2019

    RFC822

    02 Jan 19 15:04 MST

    RFC822Z

    02 Jan 19 15:04 -0700 // RFC822 with numeric zone

    RFC850

    Tuesday, 02-Jan-19 15:04:05 MST

    RFC1123

    Tues, 02 Jan 2019 15:04:05 MST

    RFC1123Z

    Tues, 02 Jan 2019 15:04:05 -0700 // RFC1123 with numeric zone

    RFC3339

    2019-01-02T15:04:05Z07:00

    RFC3339Nano

    2019-01-02T15:04:05.999999999Z07:00

    Kitchen

    3.04PM

    Stamp

    Jan _2 15:04:05

    StampMilli

    Jan _2 15:04:05.000

    StampMicro

    Jan _2 15:04:05.000000

    StampNano

    Jan _2 15:04:05.000000000

  • General: Includes general filters, such as contains, doesn’t contain, in, empty, etc.

  • String: Determines the relationship between the left-side string value and the right-side string value, such as starts with, includes, in list, and so on. The string filter returns partial matches as True.

  • Number: Determines the relationship between the left-side number value and the right-side number value, such as equals, greater than, less than, etc.

  • Unknown: Miscellaneous filter category.