Create Filters and Transformers in a Playbook

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-04-11
Category: Administrator Guide
Solution: Cloud
Abstract

Create filters and transformers in playbooks.

You can create filters and transformers when adding or editing a task in a playbook or when mapping an instance.

You can filter as many nested objects as required. Cortex XSOAR automatically calculates the context root to which to filter. For example, if you want to extract all Item names in EWS, Cortex XSOAR calculates that the context root is EWS.Items.


Warning

You can change the context data root to which to filter, but it is not recommended to select a different root, as it affects the filter results. The dropdown list displays the filter root for backward compatibility.

  1. Create or edit a playbook task.

  2. In the field to which you want to add a filter or transformer, click the brackets icon and then select Filters and Transformers.

  3. In the Get field, type or select the data you want to filter or transform. For example, EWS.Items.Name.

  4. (Optional) To filter the data, do the following:

    1. In the Filter section, click Add filter.

      When adding a filter, Cortex XSOAR automatically populates the context root to which to filter.

    2. Select the data you want to filter.

    3. Select the Filter Operators.

    4. Add the value.

    5. Click the checkbox to save the filter.

    For examples, see Create a Filter Example and Create a Filter (Advanced) Example.

  5. (Optional) To apply transformers to the field, click Add transformer.

    1. Click the transformer and select the relevant transformer.

      For example, you may want to change the date format for when incidents occurred.

    2. Select the Transformers Operators.

    3. Click the checkbox to save.

  6. (Optional) To test the filter or transformation, click Test and select the investigation or add it manually.
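
The following is an added example, not Cortex XSOAR code: a simplified Python model of the steps above that shows why changing the filter root changes what the Get field returns, and that a transformer runs on the values left after filtering. Only the EWS.Items.Name path comes from this page; the Sender and Received fields, the sample items and all function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample context, shaped like the EWS.Items example above.
CONTEXT = {"EWS": {"Items": [
    {"Name": "Invoice 4411", "Sender": "billing@example.com",
     "Received": "2024-03-01T09:15:00Z"},
    {"Name": "Team lunch", "Sender": "alice@example.com",
     "Received": "2024-03-02T12:00:00Z"},
    {"Name": "Invoice reminder", "Sender": "bob@example.org",
     "Received": "2024-03-03T08:30:00Z"},
]}}

def resolve(node, path):
    """Walk a dotted path; lists fan out so every element is visited."""
    for key in (path.split(".") if path else []):
        if isinstance(node, list):
            node = [n[key] for n in node if isinstance(n, dict) and key in n]
        elif isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return []
    return node if isinstance(node, list) else [node]

def get_filtered(ctx, get_path, root, left, predicate):
    """Keep objects at `root` whose `left` field satisfies `predicate`,
    then read the remainder of `get_path` from the objects that survive."""
    if get_path != root and not get_path.startswith(root + "."):
        raise ValueError("filter root must be a prefix of the Get path")
    rest = get_path[len(root):].lstrip(".")
    kept = []
    for obj in resolve(ctx, root):
        if any(predicate(v) for v in resolve(obj, left)):
            kept.extend(resolve(obj, rest))
    return kept

def to_date(values, out_fmt="%Y/%m/%d"):
    """Transformer stand-in: reformats the values left after filtering."""
    return [datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").strftime(out_fmt)
            for v in values]

def internal(sender):
    """Hypothetical filter condition: sender ends with @example.com."""
    return sender.endswith("@example.com")

if __name__ == "__main__":
    for root, left in [("EWS.Items", "Sender"), ("EWS", "Items.Sender"),
                       ("EWS.Items.Name", "Sender")]:
        print(root, get_filtered(CONTEXT, "EWS.Items.Name", root, left, internal))
```

In this model, the root EWS.Items keeps only the two matching items' names, the root EWS returns all three names because one matching item satisfies the condition for the whole EWS object, and the root EWS.Items.Name returns nothing because a name string has no Sender field to test.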