Create a Filter (Advanced) Example - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-09-18
Last date published: 2024-10-31
Category: Administrator Guide
Solution: Cloud
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract: Advanced example of how to create a filter in Cortex XSOAR.

In this example, we want to return the LastResolved time only for the demisto.com host name.

This is part of the data that we want to filter:

{
    "IP": [
       {
        "Address": "192.168.10.96",
        "AutoFocus": {
            "Resolutions": [
                {
                    "Hostname": "79463wwfqq,dattolocal.net",
                    "LastResolved": "2022-08-02 04:01:02"
                },
                {
                    "Hostname": "demisto.com",
                    "LastResolved": "2022-09-10 09:47:17"
                },
                {
                    "Hostname": "securesense.call4pchelp.com",
                    "LastResolved": "2022-04-22 11:49:06"
                }
            ]
        }
       },
       {
        "Address":"192.168.10.96",
        "AutoFocus": {
            "Resolutions":[
                {
                    "Hostname":"79463wwfqq,dattolocal.net",
                    "LastResolved":"2022-08-02 04:01:02"
                },
                {
                    "Hostname":"demisto.com",
                    "LastResolved":"2022-09-10 09:47:17"
                },
                {
                    "Hostname":"securesense.call4pchelp.com",
                    "LastResolved":"2022-04-22 11:49:06"
                }
            ]
        }
       }
    ]
}
  1. From the Filters & transformers window, in the Get field, type IP.AutoFocus.Resolutions.LastResolved.

  2. In the Filter section, click Add filter.

    Cortex XSOAR automatically calculates that the context root to filter is IP.AutoFocus.Resolutions.

  3. On the left-hand side, add Hostname to the filter.

  4. Select Equals (String) → Ends with.

  5. On the right-hand side, add demisto.com.

  6. Click the checkbox to save.

  7. Click Test.
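
The following Python sketch is an added example, not code from the Cortex XSOAR documentation or product. It reproduces the filter's logic offline over the sample data, modelling Ends with as a plain string suffix test (an assumption), and adds one constructed hostname, notdemisto.com, to show that a suffix test also matches look-alike domains unless the match is anchored at a label boundary. The names last_resolved_for, as_list and whole_labels are hypothetical.

```python
import json

# Constructed sample: the page's three resolutions for one IP entry, plus one
# constructed look-alike hostname (notdemisto.com) that is not on the page.
CONTEXT = json.loads("""
{"IP": [{"Address": "192.168.10.96", "AutoFocus": {"Resolutions": [
  {"Hostname": "79463wwfqq,dattolocal.net", "LastResolved": "2022-08-02 04:01:02"},
  {"Hostname": "demisto.com", "LastResolved": "2022-09-10 09:47:17"},
  {"Hostname": "securesense.call4pchelp.com", "LastResolved": "2022-04-22 11:49:06"},
  {"Hostname": "notdemisto.com", "LastResolved": "2022-10-01 00:00:00"}
]}}]}
""")


def as_list(value):
    """Treat a missing key as empty and a single object as a one-item list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def last_resolved_for(context, suffix, whole_labels=False):
    """Walk IP.AutoFocus.Resolutions and return LastResolved for matching hosts.

    whole_labels=False models "Ends with" as a plain string suffix test
    (an assumption about the operator, not XSOAR's own implementation).
    whole_labels=True also requires the match to start at a label boundary,
    so only the domain itself or its subdomains pass.
    """
    results = []
    for ip in as_list(context.get("IP")):
        autofocus = ip.get("AutoFocus") or {}
        for res in as_list(autofocus.get("Resolutions")):
            host = str(res.get("Hostname", ""))
            if whole_labels:
                hit = host == suffix or host.endswith("." + suffix)
            else:
                hit = host.endswith(suffix)
            if hit and "LastResolved" in res:
                results.append(res["LastResolved"])
    return results


if __name__ == "__main__":
    print(last_resolved_for(CONTEXT, "demisto.com"))
    print(last_resolved_for(CONTEXT, "demisto.com", whole_labels=True))
```

If only the exact host is wanted, as in the goal stated at the top of this example, an exact-match or boundary-anchored comparison avoids pulling in unrelated hostnames that merely share the suffix.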
