Filter and transform data - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-09-17
Category: Administrator Guide
Solution: On-prem
Abstract

Use filters and transformers to manipulate data, either in playbook tasks or when mapping an instance.

In Cortex XSOAR, data is extracted and collected from various sources, such as playbook tasks, command results, and fetched incidents, and presented in JSON format. The data can be manipulated by using filters and transformers.

Filters

Filters enable you to extract relevant data that you can use elsewhere in Cortex XSOAR. For example, if an incident has several files with varying file types and extensions, you can filter the files by file extension or file type and use the filtered files in a detonation playbook. You can filter as many objects as required. Cortex XSOAR automatically calculates the context root to filter on. You can change the context root as necessary.

Caution

You can change the context data root to filter on, but selecting a different root is not recommended, because it changes the filter results. The drop-down list displays the filter root for backward compatibility.

Transformers

Transformers modify or format data to make it suitable for further processing or presentation. For example, you can convert a date in non-Unix format to Unix format. Another example is applying the count transformer, which renders the number of elements. When you have more than one transformer, they apply in the order that they appear. You can reorder them using click-and-drag.

Add filters and transformers in a playbook task
  1. Create or edit a playbook task.

  2. In the field to which you want to add a filter or transformer (for example, inputs or outputs), click the curly brackets and then select Filters and Transformers.

  3. In the Get field, type or select data you want to filter or transform. For example, EWS.Items.Name.

  4. (Optional) To filter the data, do the following.

    1. In the Filter section, click Add filter.

      When adding a filter, the context root to filter is automatically populated.

    2. Select the data you want to filter.

    3. Select the filter operators.

    4. Add the value.

    5. Click the checkbox to save the filter.

  5. (Optional) To apply transformers to the field, click Add transformer.

    1. Click the transformer and select the relevant transformer.

      By default, the transformer is set to To upper case(String). Click it to pick a different transformer, for example to change the date format for when incidents occurred.

    2. Select the transformer operators.

    3. Click the tick box to save.

  6. (Optional) To test the filter or transformation, click Test and select the investigation or add it manually.

Create custom filters and transformers

If you require a filter or transformer that is not provided out-of-the-box, you can create your own by creating a script and then adding it to the operators window.

  1. Select Incident Response > Automation > Scripts > New Automation.

  2. Type a meaningful name for the script, and click Save.

  3. To create a filter operator script, do the following:

    1. In the Tags field, add the filter tag.

      If you want a custom transformer that operates on an entire array rather than on each individual item, you need to add the entirelist tag.

    2. In the Arguments section, add the following arguments:

      Argument: left
      Description: Mark as mandatory. This argument defines the left-side value of the filter operation. In this example, this is the value being checked to see whether it falls within the range specified in the right-side value.

      Argument: right
      Description: Mark as mandatory. This argument defines the right-side value of the filter operation. In this example, this is the range that the left-side value is checked against.

    3. Add the script syntax and save.

  4. To create a transformer operator script do the following:

    1. In the Tags field, add the transformer tag.

    2. In the Arguments section, add the following arguments:

      Argument: value
      Description: Mark as mandatory. The value to transform. In this example, this is the UNIX epoch timestamp to convert to ISO format.

    3. Add the script syntax and save.

  5. Go to the filters and transformers window and select the operator.
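The following is an added example of what the two scripts described in this procedure could look like; it is not Palo Alto Networks' own code. The range filter (arguments left and right) and the epoch-to-ISO transformer (argument value) are combined into one file for brevity, and it is assumed that the right-side range arrives either as a "min-max" string or as a two-element list, and that the demisto object is injected by the XSOAR script runtime.

```python
import re
from datetime import datetime, timezone

# Matches a "min-max" range such as "10-20" or "-5 - 5.5" (negative bounds allowed).
_RANGE = re.compile(r"\s*(-?\d+(?:\.\d+)?)\s*-\s*(-?\d+(?:\.\d+)?)\s*$")


def in_range(left, right):
    """Filter operator: True when the numeric `left` lies within the inclusive range `right`.

    Assumption (not stated on the page): `right` is a "min-max" string or a
    two-element list. Context values often arrive as strings, so both sides are
    parsed as floats; an unparsable `left` simply fails the filter.
    """
    if isinstance(right, str):
        m = _RANGE.match(right)
        if not m:
            raise ValueError("right must look like 'min-max', got %r" % right)
        lo, hi = float(m.group(1)), float(m.group(2))
    else:
        lo, hi = (float(x) for x in right)
    try:
        value = float(left)
    except (TypeError, ValueError):
        return False
    return lo <= value <= hi


def epoch_to_iso(value):
    """Transformer operator: UNIX epoch timestamp to an ISO 8601 UTC string.

    Values of 1e11 or more are treated as milliseconds (13-digit timestamps).
    """
    ts = float(value)
    if abs(ts) >= 1e11:
        ts /= 1000.0
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def main():
    # Entry point for the XSOAR script runtime, which injects `demisto`
    # (assumed here) to supply the operator's arguments and return its result.
    # In XSOAR each operator is its own script; the dispatch below only keeps
    # this example to one file.
    args = demisto.args()  # noqa: F821
    if "value" in args:  # transformer tag: argument `value`
        demisto.results(epoch_to_iso(args["value"]))  # noqa: F821
    else:  # filter tag: arguments `left` and `right`
        demisto.results(in_range(args["left"], args["right"]))  # noqa: F821


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```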