ExtFilter

Filter values with complex conditions.
You can make filters with comlex and combination conditions for the context data at any level of the tree.


Script Data

NameDescription
Script Typepython
Tagstransformer, entirelist, general

Inputs

Argument NameDescription
valueThe value to filter/transform.
operatorThe operation name to filter/transform.
filterThe filter.
ctx_demistoEnable to access the context data
ctx_inputsEnable to access the input parameters to sub playbooks and use ${inputs.}
ctx_listsEnable to access the list data and use ${list.}
ctx_incidentEnable to access the incident context and use ${incident.}

Filter Syntax for expressions, conditions and transformers

primitive-expression ::= <operator> : <value>
dict-expression ::= SET OF primitive-expression
array-expression ::= ARRAY OF ( dict-expression | array-expression | "not" expressions | "or" expressions | "and" expressions )
expressions ::= dict-expression | array-expression
primitive-condition ::= <path> : expressions
condition ::= SET OF primitive-condition
array-condition ::= ARRAY OF condition
conditions ::= condition | array-condition
transformers ::= dict-expression | ARRAY OF dict-expression

dict-expression

and logical operator for each expression.

e.g.

(<value> ends with ".exe") && (<value> starts with "x")

{
"ends with" : ".exe",
"starts with": "x"
}

array-expression

Logical operations for each expression. and by default.

e.g.

(<value> ends with ".exe") && (<value> starts with "x")

[
{"ends with" : ".exe"},
"and",
{"starts with": "x"}
]

or

[
{"ends with" : ".exe"},
{"starts with": "x"}
]

(<value> ends with ".exe") || (<value> starts with "x")

[
{"ends with" : ".exe"},
"or",
{"starts with": "x"}
]

not (<value> ends with ".exe")

[
"not",
{"ends with" : ".exe"}
]

((<value> ends with ".exe") || (<value> ends with ".pdf")) and (<value> starts with "x")

[
[
{"ends with" : ".exe"},
"or",
{"ends with" : ".pdf"}
],
"and",
{"starts with": "x"}
]

condition

Evaluates child nodes of each dictionary element.

e.g.

<value>.Domain ends with ".com"

{
"Domain": {
"ends with" : ".com"
}
}

(<value>.Domain ends with ".com") && (<value>.IP starts with "192.168.")

{
"Domain": {
"ends with" : ".com"
},
"IP": {
"starts with" : "192.168."
}
}

array-condition

Logical operations for each condition. and by default.

e.g.

(<value>.Domain ends with ".com") || (<value>.IP starts with "192.168.")

[
{
"Domain": {
"ends with" : ".com"
}
}
"or",
{
"IP": {
"starts with" : "192.168."
}
}
]

not ((<value>.Domain ends with ".com") || (<value>.IP starts with "192.168."))

[
"not",
[
{
"Domain": {
"ends with" : ".com"
}
}
"or",
{
"IP": {
"starts with" : "192.168."
}
}
]
]

transformers

Run each transformer in order.

e.g.

base64: encode -> digest

[
{"base64: encode": {}},
{"digest": {"algorithm": "sha1"}}
]

base64: encode -> digest (Python 3.7 or above)

{
"base64: encode": {},
"digest": {"algorithm": "sha1"}
}

Note: The order depends on python runtime in a dict-expression. Python 3.6 or less doesn't guarantee dictionary keys order.


DT (Demisto Transform Language)

In filters written in JSON like expressions, conditions, transformers or <value>, you can set values with DT expressions for keys and values. When you use DT, you must set ctx_demisto, ctx_inputs, ctx_lists and ctx_incident of the parameters for the data to which DT accesses.

ParameterData SourceValueDescription
ctx_demistoFrom Previous Tasks.Enable to access the context data
ctx_inputsFrom Previous TasksinputsEnable to access the input parameters to sub playbooks and use ${inputs.}
ctx_listsFrom Previous TaskslistEnable to access the list data and use ${list.}
ctx_incidentFrom Previous TasksincidentEnable to access the incident context and use ${incident.}

NOTE: ${list.} doesn't work in XSOAR 6.0 in transformer.

Also, local prefix (${local.}) can be available for referring to the root value of the target. No parameters set is required for using ${local.}.

Example 1

{
"ends with": "${Extension}"
}

Example 2

{
"${KeyName}": {
"ends with": "${Extension}"
}
}

Example 3

{
"ends with": "${Name}.exe"
}

Example 4

{
"ends with": "${.=val.Extension}"
}

Example 5

{
"ends with": "${incident.name}"
}

Example 6

{
"ends with": "${local.Extension}"
}

Operators

Available operators

  • is transformed with
  • is filtered with
  • value is filtered with
  • keeps
  • doesn't keep
  • is
  • isn't
  • ===
  • !==
  • equals
  • ==
  • doesn't equal
  • !=
  • greater or equal
  • >=
  • greater than
  • >
  • less or equal
  • <=
  • less than
  • in range
  • starts with
  • starts with caseless
  • doesn't start with
  • doesn't start with caseless
  • ends with
  • ends with caseless
  • doesn't end with
  • doesn't end with caseless
  • includes
  • includes caseless
  • doesn't include
  • doesn't include caseless
  • finds
  • finds caseless
  • doesn't find
  • doesn't find caseless
  • matches
  • matches caseless
  • doesn't match
  • doesn't match caseless
  • wildcard: matches
  • wildcard: matches caseless
  • wildcard: doesn't match
  • wildcard: doesn't match caseless
  • regex: matches
  • regex: matches caseless
  • regex: doesn't match
  • regex: doesn't match caseless
  • in list
  • in caseless list
  • not in list
  • not in caseless list
  • contains
  • contains caseless
  • doesn't contain
  • doesn't contain caseless
  • wildcard: contains
  • wildcard: contains caseless
  • wildcard: doesn't contain
  • wildcard: doesn't contain caseless
  • regex: contains
  • regex: contains caseless
  • regex: doesn't contain
  • regex: doesn't contain caseless
  • matches any line of
  • matches any caseless line of
  • doesn't match any line of
  • doesn't match any caseless line of
  • matches any string of
  • matches any caseless string of
  • doesn't match any string of
  • doesn't match any caseless string of
  • wildcard: matches any string of
  • wildcard: matches any caseless string of
  • wildcard: doesn't match any string of
  • wildcard: doesn't match any caseless string of
  • regex: matches any string of
  • regex: matches any caseless string of
  • regex: doesn't match any string of
  • regex: doesn't match any caseless string of
  • contains any line of
  • contains any caseless line of
  • doesn't contain any line of
  • doesn't contain any caseless line of
  • contains any string of
  • contains any caseless line of
  • doesn't contain any string of
  • doesn't contain any caseless line of
  • wildcard: contains any string of
  • wildcard: contains any caseless line of
  • wildcard: doesn't contain any string of
  • wildcard: doesn't contain any caseless line of
  • regex: contains any string of
  • regex: contains any caseless line of
  • regex: doesn't contain any string of
  • regex: doesn't contain any caseless line of
  • matches expressions of
  • matches conditions of
  • value matches expressions of
  • value matches conditions of
  • json: encode array
  • json: encode
  • json: decode
  • base64: encode
  • base64: decode
  • digest
  • is replaced with
  • is updated with
  • appends
  • if-then-else
  • switch-case
  • collects values
  • collects keys
  • flattens with values
  • flattens with keys
  • abort

Operator: is transformed with

Transform each element with `transformers` given in a filter. See `Filter Syntax` for the details of `transformers`.

Filter Format: transformers

Example 1

Input
[
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
]
Filter

Operator: is transformed with

Path:

Filter:

{
"json: encode": {},
"base64: encode": {}
}
Output
[
"eyJOYW1lIjogImEuZGF0IiwgIlNpemUiOiAxMDB9",
"eyJOYW1lIjogImIuZXhlIiwgIlNpemUiOiAyMDB9",
"eyJOYW1lIjogImMudHh0IiwgIlNpemUiOiAzMDB9"
]

Example 2

Input
{
"File": [
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
}
],
"IP": [
"1.1.1.1",
"2.2.2.2"
]
}
Filter

Operator: is transformed with

Path: File

Filter:

{
"is filtered with": {
"Name": {
"ends with": ".exe"
},
"json: encode": {},
"base64: encode": {}
}
Output
{
"File": [
"eyJOYW1lIjogImIuZXhlIiwgIlNpemUiOiAyMDB9"
],
"IP": [
"1.1.1.1",
"2.2.2.2"
]
}

Operator: is filtered with

Evaluates each element of an array with given conditions and returns a set of the elements matched. The value is handled as an array which has only one element when its data type is `dictionary`. See `Filter Syntax` for the details of `conditions`.

Filter Format: conditions

Example 1

Input
[
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
]
Filter

Operator: is filtered with

Path: Name

Filter:

{
"Name": {
"ends with": ".exe"
}
}
Output
[
{
"Name": "b.exe",
"Size": 200
}
]

Operator: value is filtered with

Evaluates each value of dictionary elements or each element for values whose data type is not `dictionary`, and returns a set of the elements matched to expressions given in a filter. See `Filter Syntax` for the details of `expressions`.

Filter Format: expressions

Example 1

Input
[
"192.168.1.1",
"1.1.1.1",
"192.168.1.2"
]
Filter

Operator: value is filtered with

Path:

Filter:

{
"starts with": "192.168."
}
Output
[
"192.168.1.1",
"192.168.1.2"
]

Example 2

Input
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host2": {
"User": "TYAMADA",
"IP": "192.168.1.2",
"Score": 10
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}
Filter

Operator: value is filtered with

Path: Score

Filter:

{
">=": 20
}
Output
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}

Operator: keeps

Evaluates each element of an array with keys given and returns a set of the elements which only retains the keys given and corresponding values. The value is handled as an array which has only one element when its data type is `dictionary`.

Filter Format: expressions

Example 1

Input
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"First Name": "John",
"Last Name": "Doe"
},
{
"Host": "YTARO",
"User": "Taro Yamada"
}
]
Filter

Operator: keeps

Path:

Filter:

[
"Host",
"User"
]
Output
[
{
"Host": "JDOE"
},
{
"User": "John Doe"
},
{
"Host": "YTARO",
"User": "Taro Yamada"
}
]

Operator: doesn't keeps

Evaluates each element of an array with keys given and returns a set of the elements which are excluded the keys given. The value is handled as an array which has only one element when its data type is `dictionary`.

Filter Format: expressions

Example 1

Input
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"First Name": "John",
"Last Name": "Doe"
},
{
"Host": "YTARO",
"User": "Taro Yamada"
}
]
Filter

Operator: doesn't keeps

Path:

Filter:

[
"Host",
"User"
]
Output
[
{
"IP": "1.1.1.1"
},
{
"First Name": "John",
"Last Name": "Doe"
},
},
{
}
]

Operator: is

This operator works with a sub operator specified as filter.


Sub Operator: empty

Returns a set of elements which is empty.

Example 1

Input
10
Filter

Operator: is

Path:

Filter:

empty
Output
null

Example 2

Input
[
10,
{
},
null,
"xxx"
]
Filter

Operator: is

Path:

Filter:

empty
Output
[
{
},
null
]

Sub Operator: null

Returns a set of elements which is `null`.

Example 1

Input
10
Filter

Operator: is

Path:

Filter:

null
Output
null

Example 2

Input
[
10,
{
},
null,
"xxx"
]
Filter

Operator: is

Path:

Filter:

null
Output
[
null
]

Sub Operator: string

Returns a set of elements whose data type is `string`.

Example 1

Input
10
Filter

Operator: is

Path:

Filter:

string
Output
null

Example 2

Input
[
10,
{
},
null,
"xxx"
]
Filter

Operator: is

Path:

Filter:

string
Output
[
"xxx"
]

Sub Operator: integer

Returns a set of elements whose data type is `integer`.

Example 1

Input
10
Filter

Operator: is

Path:

Filter:

integer
Output
10

Example 2

Input
[
10,
"123"
]
Filter

Operator: is

Path:

Filter:

integer
Output
[
10
]

Sub Operator: integer string

Returns a set of elements whose data type is `string` and whose value is integer. The value that includes decimal point is evaluated as not integer.

Example 1

Input
[
10,
"123"
]
Filter

Operator: is

Path:

Filter:

integer string
Output
[
"123"
]

Sub Operator: any integer

Returns a set of elements matched with `string` or `integer string` operator.

Example 1

Input
[
10,
"123",
"xxx"
]
Filter

Operator: is

Path:

Filter:

any integer
Output
[
10,
"123"
]

Sub Operator: existing key

Evaluates each dictionary element of an array, then returns a set of the elements which has a key given in `path`.

Example 1

Input
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"Email": "jdoe@domain.com"
}
]
Filter

Operator: is

Path: Host

Filter:

existing key
Output
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
}
]

Example 2

Input
[
{
"Host": {
"IP": "1.1.1.1",
"Score": 50,
"User": "JDOE"
},
"User": {
"ID": 1000,
"Name": "John Doe"
}
},
{
"Host": {
"IP": "2.2.2.2",
"Score": 30
}
}
]
Filter

Operator: is

Path: Host.User

Filter:

existing key
Output
[
{
"Host": {
"IP": "1.1.1.1",
"Score": 50,
"User": "JDOE"
},
"User": {
"ID": 1000,
"Name": "John Doe"
}
}
]

Operator: isn't

This operator works with a sub operator specified as filter.


Sub Operator: empty

Returns a set of elements which is not empty.

Example 1

Input
10
Filter

Operator: isn't

Path:

Filter:

empty
Output
10

Example 2

Input
[
10,
{
},
null,
"xxx"
]
Filter

Operator: isn't

Path:

Filter:

empty
Output
[
10,
"xxx"
]

Sub Operator: null

Returns a set of elements which is not `null`.

Example 1

Input
10
Filter

Operator: isn't

Path:

Filter:

10
Output
null

Example 2

Input
[
10,
{
},
null,
"xxx"
]
Filter

Operator: isn't

Path:

Filter:

null
Output
[
10,
{
},
"xxx"
]

Sub Operator: string

Returns a set of elements whose data type is not `string`.

Example 1

Input
10
Filter

Operator: isn't

Path:

Filter:

string
Output
10

Example 2

Input
[
10,
{
},
null,
"xxx"
]
Filter

Operator: isn't

Path:

Filter:

string
Output
[
10,
{
},
null
]

Sub Operator: integer

Returns a set of elements whose date type is not `integer`.

Example 1

Input
10
Filter

Operator: isn't

Path:

Filter:

integer
Output
null

Example 2

Input
[
10,
"123"
]
Filter

Operator: isn't

Path:

Filter:

integer
Output
[
"123"
]

Sub Operator: integer string

Returns a set of elements whose data type is not `string` or whose value is not integer. The value that includes decimal point is evaluated as not integer.

Example 1

Input
[
10,
"123",
"123.0"
]
Filter

Operator: isn't

Path:

Filter:

integer string
Output
[
10,
"123.0"
]

Sub Operator: any integer

Returns a set of elements which are neither `string` or `integer string`.

Example 1

Input
[
10,
"123",
"xxx"
]
Filter

Operator: isn't

Path:

Filter:

any integer
Output
[
"xxx"
]

Sub Operator: existing key

Evaluates each dictionary element of an array, then returns a set of the elements which doesn't have a key given in `path`.

Example 1

Input
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"Email": "jdoe@domain.com"
}
]
Filter

Operator: isn't

Path: Host

Filter:

existing key
Output
[
{
"User": "John Doe",
"Email": "jdoe@domain.com"
}
]

Example 2

Input
[
{
"Host": {
"IP": "1.1.1.1",
"Score": 50,
"User": "JDOE"
},
"User": {
"ID": 1000,
"Name": "John Doe"
}
},
{
"Host": {
"IP": "2.2.2.2",
"Score": 30
}
}
]
Filter

Operator: isn't

Path: Host.User

Filter:

existing key
Output
[
{
"Host": {
"IP": "2.2.2.2",
"Score": 30
}
}
]

Operator: ===

Returns a set of elements which exactly matches to a value given in a filter. It doesn't match when the data types are different.

Filter Format: <value>

Example 1

Input
[
10,
"10",
123
]
Filter

Operator: ===

Path:

Filter:

10
Output
[
10
]

Example 2

Input
[
10,
"10",
123
]
Filter

Operator: ===

Path:

Filter:

"10"
Output
[
"10"
]

Operator: !==

Returns a set of elements which doesn't match the data type or the value of a value given in a filter.

Filter Format: <value>

Example 1

Input
[
10,
"10",
123
]
Filter

Operator: !==

Path:

Filter:

10
Output
[
"10",
123
]

Operator: equals, ==

Returns a set of elements which is equal to a value given in a filter. The value is implicitly converted from its data type to another in a comparison between different data types. `==` is an alias name for `equals`.

Filter Format: <value>

Example 1

Input
[
10,
"10",
123
]
Filter

Operator: equals

Path:

Filter:

10
Output
[
10,
"10"
]

Operator: doesn't equal, !=

Returns a set of elements which is not equal to a value given in a filter. The value is implicitly converted from its data type to another in a comparison between different data types. `!=` is an alias name for `doesn't equal`.

Filter Format: <value>

Example 1

Input
[
10,
"10",
123
]
Filter

Operator: doesn't equal

Path:

Filter:

10
Output
[
123
]

Operator: greater or equal, >=

Returns a set of elements which is greater or equal to a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false for either or both of the data which cannot convert to number. `>=` is an alias name for `greater or equal`.

Filter Format: <value>

Example 1

Input
[
1,
10,
"10",
123
]
Filter

Operator: greater or equal

Path:

Filter:

10
Output
[
10,
"10",
123
]

Operator: greater than, >

Returns a set of elements which is greater than a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false for either or both of the data which cannot convert to number. `>` is an alias name for `greater than`.

Filter Format: <value>

Example 1

Input
[
1,
10,
"10",
123
]
Filter

Operator: greater than

Path:

Filter:

10
Output
[
123
]

Operator: less or equal, &lt;=

Returns a set of elements which is less or equal to a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false for either or both of the data which cannot convert to number. `<=` is an alias name for `less or equal`.

Filter Format: <value>

Example 1

Input
[
1,
10,
"10",
123
]
Filter

Operator: less or equal

Path:

Filter:

10
Output
[
1,
10,
"10"
]

Operator: less than, <

Returns a set of elements which is less than a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false for either or both of the data which cannot convert to number. `<` is an alias name for `less than`.

Filter Format: <value>

Example 1

Input
[
1,
10,
"10",
123
]
Filter

Operator: less than

Path:

Filter:

10
Output
[
1
]

Operator: in range

Returns a set of elements which is greater or equal to `min` and less or equal to `max` given in a range. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false for either or both of the data which cannot convert to number.

Filter Format: min,max

Example 1

Input
[
1,
10,
"10",
"30",
123
]
Filter

Operator: in range

Path:

Filter:

10,100
Output
[
10,
"10",
"30"
]

Operator: starts with

Returns a set of elements which starts with a string given in a filter.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: starts with

Path:

Filter:

xxx
Output
[
"xxx.exe"
]

Operator: starts with caseless

Returns a set of elements which starts with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: starts with caseless

Path:

Filter:

xxx
Output
[
"xxx.exe",
"XXX.EXE"
]

Operator: doesn't start with

Returns a set of elements which doesn't start with a string given in a filter.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: doesn't start with

Path:

Filter:

xxx
Output
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: doesn't start with caseless

Returns a set of elements which doesn't start with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: doesn't start with caseless

Path:

Filter:

xxx
Output
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: ends with

Returns a set of elements which ends with a string given in a filter.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: ends with

Path:

Filter:

.exe
Output
[
"xxx.exe"
]

Operator: ends with caseless

Returns a set of elements which ends with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: ends with caseless

Path:

Filter:

.exe
Output
[
"xxx.exe",
"XXX.EXE"
]

Operator: doesn't end with

Returns a set of elements which doesn't end with a string given in a filter.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: doesn't end with

Path:

Filter:

.exe
Output
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: doesn't end with caseless

Returns a set of elements which doesn't end with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1

Input
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter

Operator: doesn't end with caseless

Path:

Filter:

.exe
Output
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: includes

Returns a set of elements of which a string given in a filter is a substring. The searching only works for `string` data types. It evaluates to unmatched for a element that either or both of the data types is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: includes

Path:

Filter:

paloaltonetworks
Output
www.paloaltonetworks.com

Example 2

Input
[
10,
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: includes

Path:

Filter:

paloaltonetworks
Output
[
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp"
]

Operator: includes caseless

Returns a set of elements of which a string given in a filter is a substring. It performs case-insensitive seaching, and only works for `string` data types. It evaluates to unmatched for a element that either or both of the data types is not `string`.

Filter Format: string

Example 1

Input
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: includes caseless

Path:

Filter:

paloaltonetworks
Output
[
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM"
]

Operator: doesn't include

Returns a set of elements of which a string given in a filter is not a substring. The searching only works for `string` data types. It evaluates to unmatched for a element that either or both of the data types is not `string`.

Filter Format: string

Example 1

Input
[
10,
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: doesn't include

Path:

Filter:

paloaltonetworks
Output
[
10,
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: doesn't include caseless

Returns a set of elements of which a string given in a filter is not a substring. It performs case-insensitive seaching, and only works for `string` data types. It evaluates to unmatched for a element that either or both of the data types is not `string`.

Filter Format: string

Example 1

Input
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: doesn't include caseless

Path:

Filter:

paloaltonetworks
Output
[
10,
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: finds

Returns the entire target value if a string given in a filter is a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: finds

Path:

Filter:

paloaltonetworks
Output
www.paloaltonetworks.com

Example 2

Input
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: finds

Path:

Filter:

paloaltonetworks
Output
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Example 3

Input
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: finds

Path:

Filter:

xxx.paloaltonetworks.com
Output
null

Operator: finds caseless

Returns the entire target value if a string given in a filter is a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array with case-insensitive matching.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: finds caseless

Path:

Filter:

paloaltonetworks
Output
WWW.PaloAltoNetworks.COM

Example 2

Input
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: finds caseless

Path:

Filter:

paloaltonetworks
Output
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: doesn't find

Returns an entire target value if a string given in a filter is not a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: doesn't find

Path:

Filter:

paloaltonetworks
Output
null

Example 2

Input
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: doesn't find

Path:

Filter:

paloaltonetworks
Output
null

Example 3

Input
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: doesn't find

Path:

Filter:

xxx.paloaltonetworks
Output
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: doesn't find caseless

Returns an entire target value if a string given in a filter is not a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array with case-insensitive matching.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: doesn't find caseless

Path:

Filter:

PaloAltoNetworks
Output
null

Example 2

Input
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: doesn't find caseless

Path:

Filter:

paloaltonetworks
Output
null

Example 3

Input
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter

Operator: doesn't find caseless

Path:

Filter:

xxx.paloaltonetworks
Output
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: matches

Returns a set of elements which is equal to a string given in a filter. The matching is peformed between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: matches

Path:

Filter:

www.paloaltonetworks.com
Output
www.paloaltonetworks.com

Example 2

Input
www.paloaltonetworks.com
Filter

Operator: matches

Path:

Filter:

paloaltonetworks
Output
null

Example 3

Input
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: matches

Path:

Filter:

www.paloaltonetworks.com
Output
[
"www.paloaltonetworks.com"
]

Operator: matches caseless

Returns a set of elements which matches a string given in a filter. The matching is peformed case-insensitively and between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: matches caseless

Path:

Filter:

www.paloaltonetworks.com
Output
WWW.PaloAltoNetworks.COM

Example 2

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: matches caseless

Path:

Filter:

paloaltonetworks
Output
null

Example 3

Input
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: matches caseless

Path:

Filter:

www.paloaltonetworks.com
Output
[
"WWW.PaloAltoNetworks.COM"
]

Operator: doesn't match

Returns a set of elements which is not equal to a string given in a filter. The matching is peformed between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: doesn't match

Path:

Filter:

www.paloaltonetworks.com
Output
null

Example 2

Input
www.paloaltonetworks.com
Filter

Operator: doesn't match

Path:

Filter:

paloaltonetworks
Output
www.paloaltonetworks.com

Example 3

Input
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: doesn't match

Path:

Filter:

www.paloaltonetworks.com
Output
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: doesn't match caseless

Returns a set of elements which doesn't match a string given in a filter. The matching is peformed case-insensitively and between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: doesn't match caseless

Path:

Filter:

www.paloaltonetworks.com
Output
null

Example 2

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: doesn't match caseless

Path:

Filter:

paloaltonetworks
Output
WWW.PaloAltoNetworks.COM

Example 3

Input
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: doesn't match caseless

Path:

Filter:

www.paloaltonetworks.com
Output
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: wildcard: matches

Returns a set of elements which matches a wildcard pattern given in a filter. The matching is peformed between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: wildcard: matches

Path:

Filter:

???.paloaltonetworks.*
Output
www.paloaltonetworks.com

Example 2

Input
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: wildcard: matches

Path:

Filter:

???.paloaltonetworks.*
Output
[
"www.paloaltonetworks.com"
]

Operator: wildcard: matches caseless

Returns a set of elements which matches a wildcard pattern given in a filter. The matching is peformed case-insensitively and between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: wildcard: matches caseless

Path:

Filter:

???.paloaltonetworks.*
Output
WWW.PaloAltoNetworks.COM

Example 2

Input
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: wildcard: matches caseless

Path:

Filter:

???.paloaltonetworks.*
Output
[
"WWW.PaloAltoNetworks.COM"
]

Operator: wildcard: doesn't match

Returns a set of elements which doesn't match a wildcard pattern given in a filter. The matching is peformed between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: wildcard: doesn't match

Path:

Filter:

???.paloaltonetworks.*
Output
null

Example 2

Input
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: wildcard: doesn't match

Path:

Filter:

???.paloaltonetworks.*
Output
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: wildcard: doesn't match caseless

Returns a set of elements which doesn't match a wildcard pattern given in a filter. The matching is peformed case-insensitively and between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: wildcard: doesn't match caseless

Path:

Filter:

???.paloaltonetworks.*
Output
null

Example 2

Input
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: wildcard: doesn't match caseless

Path:

Filter:

???.paloaltonetworks.*
Output
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: regex: matches

Returns a set of elements which matches a regular expression pattern given in a filter. The matching is peformed between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: regex: matches

Path:

Filter:

.*paloaltonetworks.*
Output
www.paloaltonetworks.com

Example 2

Input
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: regex: matches

Path:

Filter:

.*paloaltonetworks.*
Output
[
"www.paloaltonetworks.com"
]

Operator: regex: matches caseless

Returns a set of elements which matches a regular expression pattern given in a filter. The matching is peformed case-insensitively and between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: regex: matches caseless

Path:

Filter:

.*paloaltonetworks.*
Output
WWW.PaloAltoNetworks.COM

Example 2

Input
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: regex: matches caseless

Path:

Filter:

.*paloaltonetworks.*
Output
[
"WWW.PaloAltoNetworks.COM"
]

Operator: regex: doesn't match

Returns a set of elements which doesn't match a regular expression pattern given in a filter. The matching is peformed between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
www.paloaltonetworks.com
Filter

Operator: regex: doesn't match

Path:

Filter:

.*paloaltonetworks.*
Output
null

Example 2

Input
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: regex: doesn't match

Path:

Filter:

.*paloaltonetworks.*
Output
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: regex: doesn't match caseless

Returns a set of elements which doesn't match a regular expression pattern given in a filter. The matching is peformed case-insensitively and between `string` data types. It doesn't match for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
WWW.PaloAltoNetworks.COM
Filter

Operator: regex: doesn't match caseless

Path:

Filter:

.*paloaltonetworks.*
Output
null

Example 2

Input
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter

Operator: regex: doesn't match caseless

Path:

Filter:

.*paloaltonetworks.*
Output
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: in list

Returns a set of elements which matches any of strings of a comma separated list. The matching always evaluates to false for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
banana
Filter

Operator: in list

Path:

Filter:

apple,banana,cherry
Output
banana

Example 2

Input
[
"apple",
"melon",
"banana",
{
"fruit": "orange"
}
]
Filter

Operator: in list

Path:

Filter:

apple,banana,cherry
Output
[
"apple",
"banana"
]

Operator: in caseless list

Returns a set of elements which matches any of strings of a comma separated list. The matching is peformed case-insensitively, and always evaluates to false for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
Banana
Filter

Operator: in caseless list

Path:

Filter:

apple,banana,cherry
Output
Banana

Example 2

Input
[
"Apple",
"Melon",
"Banana",
{
"Fruit": "Orange"
}
]
Filter

Operator: in caseless list

Path:

Filter:

apple,banana,cherry
Output
[
"Apple",
"Banana"
]

Operator: not in list

Returns a set of elements which doesn't match any of strings of a comma separated list. The matching always evaluates to false for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
melon
Filter

Operator: not in list

Path:

Filter:

apple,banana,cherry
Output
melon

Example 2

Input
banana
Filter

Operator: not in list

Path:

Filter:

apple,banana,cherry
Output
null

Example 3

Input
[
"apple",
"melon",
"banana",
{
"fruit": "orange"
}
]
Filter

Operator: not in list

Path:

Filter:

apple,banana,cherry
Output
[
"melon",
{
"fruit": "orange"
}
]

Operator: not in caseless list

Returns a set of elements which doesn't match any of strings of a comma separated list. The matching is peformed case-insensitively, and always evaluates to false for a element whose data type is not `string`.

Filter Format: string

Example 1

Input
Melon
Filter

Operator: not in caseless list

Path:

Filter:

apple,banana,cherry
Output
Melon

Example 2

Input
Banana
Filter

Operator: not in caseless list

Path:

Filter:

apple,banana,cherry
Output
null

Example 3

Input
[
"Apple",
"Melon",
"Banana",
{
"Fruit": "Orange"
}
]
Filter

Operator: not in caseless list

Path:

Filter:

apple,banana,cherry
Output
[
"Melon",
{
"Fruit": "Orange"
}
]

Operator: contains

Returns an entire value if any of the elements matches a string given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
apple
Filter

Operator: contains

Path:

Filter:

apple
Output
apple

Example 2

Input
banana
Filter

Operator: contains

Path:

Filter:

apple
Output
null

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: contains

Path:

Filter:

apple
Output
[
"apple",
"banana",
"cherry"
]

Operator: contains caseless

Returns an entire value if any of the elements matches a string given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Apple
Filter

Operator: contains caseless

Path:

Filter:

apple
Output
Apple

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: contains caseless

Path:

Filter:

apple
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: doesn't contain

Returns an entire value if all of the elements doesn't match a string given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
apple
Filter

Operator: doesn't contain

Path:

Filter:

apple
Output
null

Example 2

Input
banana
Filter

Operator: doesn't contain

Path:

Filter:

apple
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't contain

Path:

Filter:

apple
Output
null

Operator: doesn't contain caseless

Returns an entire value if all of the elements doesn't match a string given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Apple
Filter

Operator: doesn't contain caseless

Path:

Filter:

apple
Output
null

Example 2

Input
banana
Filter

Operator: doesn't contain caseless

Path:

Filter:

apple
Output
banana

Example 3

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't contain caseless

Path:

Filter:

apple
Output
null

Operator: wildcard: contains

Returns an entire value if any of the elements matches a wildcard pattern given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
apple
Filter

Operator: wildcard: contains

Path:

Filter:

*a*
Output
apple

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: wildcard: contains

Path:

Filter:

*a*
Output
[
"apple",
"banana",
"cherry"
]

Operator: wildcard: contains caseless

Returns an entire value if any of the elements matches a wildcard pattern given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Apple
Filter

Operator: wildcard: contains caseless

Path:

Filter:

*a*
Output
Apple

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: wildcard: contains caseless

Path:

Filter:

*a*
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: wildcard: doesn't contain

Returns an entire value if all of the elements doesn't match a wildcard pattern given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
apple
Filter

Operator: wildcard: doesn't contain

Path:

Filter:

*a*
Output
null

Example 2

Input
cherry
Filter

Operator: wildcard: doesn't contain

Path:

Filter:

*a*
Output
cherry

Example 3

Input
[
"cherry",
"melon"
]
Filter

Operator: wildcard: doesn't contain

Path:

Filter:

*a*
Output
[
"cherry",
"melon"
]

Operator: wildcard: doesn't contain caseless

Returns an entire value if all of the elements doesn't match a wildcard pattern given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Apple
Filter

Operator: wildcard: doesn't contain caseless

Path:

Filter:

*a*
Output
null

Example 2

Input
cherry
Filter

Operator: wildcard: doesn't contain caseless

Path:

Filter:

*a*
Output
cherry

Example 3

Input
[
"Cherry",
"Melon"
]
Filter

Operator: wildcard: doesn't contain caseless

Path:

Filter:

*a*
Output
[
"Cherry",
"Melon"
]

Operator: regex: contains

Returns an entire value if any of the elements matches a regular expression given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
apple
Filter

Operator: regex: contains

Path:

Filter:

.*a.*
Output
apple

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: regex: contains

Path:

Filter:

.*a.*
Output
[
"apple",
"banana",
"cherry"
]

Operator: regex: contains caseless

Returns an entire value if any of the elements matches a regular expression given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Apple
Filter

Operator: regex: contains caseless

Path:

Filter:

.*a.*
Output
Apple

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: regex: contains caseless

Path:

Filter:

.*a.*
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: regex: doesn't contain

Returns an entire value if all of the elements doesn't match a regular expression given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
apple
Filter

Operator: regex: doesn't contain

Path:

Filter:

.*a.*
Output
null

Example 2

Input
cherry
Filter

Operator: regex: doesn't contain

Path:

Filter:

.*a.*
Output
cherry

Example 3

Input
[
"cherry",
"melon"
]
Filter

Operator: regex: doesn't contain

Path:

Filter:

.*a.*
Output
[
"cherry",
"melon"
]

Operator: regex: doesn't contain caseless

Returns an entire value if all of the elements doesn't match a regular expression given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Apple
Filter

Operator: regex: doesn't contain caseless

Path:

Filter:

.*a.*
Output
null

Example 2

Input
cherry
Filter

Operator: regex: doesn't contain caseless

Path:

Filter:

.*a.*
Output
cherry

Example 3

Input
[
"Cherry",
"Melon"
]
Filter

Operator: regex: doesn't contain caseless

Path:

Filter:

.*a.*
Output
[
"Cherry",
"Melon"
]

Operator: matches any line of

Returns a set of elements which matches any line of a text given in a filter.

Filter Format: string

Example 1

Input
banana
Filter

Operator: matches any line of

Path:

Filter:

apple
banana
cherry
Output
banana

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: matches any line of

Path:

Filter:

orange
banana
apple
Output
[
"apple",
"banana"
]

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: matches any line of

Path:

Filter:

melon
lemon
orange
Output
[
]

Operator: matches any caseless line of

Returns a set of elements which matches any line of a text given in a filter. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Banana
Filter

Operator: matches any caseless line of

Path:

Filter:

apple
banana
cherry
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: matches any caseless line of

Path:

Filter:

orange
banana
apple
Output
[
"Apple",
"Banana"
]

Operator: doesn't match any line of

Returns a set of elements which doesn't match any line of a text given in a filter.

Filter Format: string

Example 1

Input
banana
Filter

Operator: doesn't match any line of

Path:

Filter:

apple
banana
cherry
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't match any line of

Path:

Filter:

melon
orange
banana
Output
[
"apple",
"cherry"
]

Operator: doesn't match any caseless line of

Returns a set of elements which doesn't match any line of a text given in a filter. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Banana
Filter

Operator: doesn't match any caseless line of

Path:

Filter:

apple
banana
cherry
Output
null

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't match any caseless line of

Path:

Filter:

melon
lemon
orange
Output
[
"Apple",
"Banana",
"Cherry"
]

Example 3

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't match any caseless line of

Path:

Filter:

melon
orange
banana
Output
[
"Apple",
"Cherry"
]

Operator: matches any string of

Returns a set of elements which matches any strings given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: matches any string of

Path:

Filter:

"banana"
Output
banana

Example 2

Input
banana
Filter

Operator: matches any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: matches any string of

Path:

Filter:

[
"orange",
"banana",
"apple"
]
Output
[
"apple",
"banana"
]

Example 4

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: matches any string of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output
[
]

Operator: matches any caseless string of

Returns a set of elements which matches any strings given in a filter. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: matches any caseless string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: matches any caseless string of

Path:

Filter:

[
"orange",
"banana",
"apple"
]
Output
[
"Apple",
"Banana"
]

Operator: doesn't match any string of

Returns a set of elements which doesn't match any strings given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: doesn't match any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't match any string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output
[
"apple",
"cherry"
]

Operator: doesn't match any caseless string of

Returns a set of elements which doesn't match any strings given in a filter. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: doesn't match any caseless string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
null

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't match any caseless string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output
[
"Apple",
"Cherry"
]

Operator: wildcard: matches any string of

Returns a set of elements which matches any wildcard patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: wildcard: matches any string of

Path:

Filter:

"b?????"
Output
banana

Example 2

Input
banana
Filter

Operator: wildcard: matches any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: wildcard: matches any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"banana",
"cherry"
]

Example 4

Input
[
"melon",
"lemon",
"orange"
]
Filter

Operator: wildcard: matches any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
]

Operator: wildcard: matches any caseless string of

Returns a set of elements which matches any wildcard patterns given in a filter. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: wildcard: matches any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: wildcard: matches any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"Banana",
"Cherry"
]

Operator: wildcard: doesn't match any string of

Returns a set of elements which doesn't match any wildcard patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: wildcard: doesn't match any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: wildcard: doesn't match any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"apple"
]

Operator: wildcard: doesn't match any caseless string of

Returns a set of elements which doesn't match any wildcard patterns given in a filter. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: wildcard: doesn't match any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: wildcard: doesn't match any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"Apple"
]

Operator: regex: matches any string of

Returns a set of elements which matches any regular expression patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: regex: matches any string of

Path:

Filter:

"b....."
Output
banana

Example 2

Input
banana
Filter

Operator: regex: matches any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: regex: matches any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"banana",
"cherry"
]

Example 4

Input
[
"melon",
"lemon",
"orange"
]
Filter

Operator: regex: matches any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
]

Operator: regex: matches any caseless string of

Returns a set of elements which matches any regular expression patterns given in a filter. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: regex: matches any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: regex: matches any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"Banana",
"Cherry"
]

Operator: regex: doesn't match any string of

Returns a set of elements which doesn't match any regular expression patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: regex: doesn't match any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: regex: doesn't match any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"apple"
]

Operator: regex: doesn't match any caseless string of

Returns a set of elements which doesn't match any regular expression patterns given in a filter. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: regex: doesn't match any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: regex: doesn't match any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"Apple"
]

Operator: contains any line of

Returns an entire value if any of the elements matches any line of a text given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
banana
Filter

Operator: contains any line of

Path:

Filter:

apple
banana
cherry
Output
banana

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: contains any line of

Path:

Filter:

melon
orange
banana
Output
[
"apple",
"banana",
"cherry"
]

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: contains any line of

Path:

Filter:

melon
lemon
orange
Output
null

Operator: contains any caseless line of

Returns an entire value if any of the elements matches any line of a text given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Banana
Filter

Operator: contains any caseless line of

Path:

Filter:

apple
banana
cherry
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: contains any caseless line of

Path:

Filter:

melon
orange
banana
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: doesn't contain any line of

Returns an entire value if all of the elements doesn't match any line of a text given in a filter, `null` otherwise.

Filter Format: string

Example 1

Input
banana
Filter

Operator: doesn't contain any line of

Path:

Filter:

apple
banana
cherry
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't contain any line of

Path:

Filter:

melon
lemon
orange
Output
[
"apple",
"banana",
"cherry"
]

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't contain any line of

Path:

Filter:

melon
orange
banana
Output
null

Operator: doesn't contain any caseless line of

Returns an entire value if all of the elements doesn't match any line of a text given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: string

Example 1

Input
Banana
Filter

Operator: doesn't contain any caseless line of

Path:

Filter:

apple
banana
cherry
Output
null

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't contain any caseless line of

Path:

Filter:

melon
lemon
orange
Output
[
"Apple",
"Banana",
"Cherry"
]

Example 3

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't contain any caseless line of

Path:

Filter:

melon
orange
banana
Output
null

Operator: contains any string of

Returns an entire value if any of the elements matches any strings given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: contains any string of

Path:

Filter:

"banana"
Output
banana

Example 2

Input
banana
Filter

Operator: contains any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: contains any string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output
[
"apple",
"banana",
"cherry"
]

Example 4

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: contains any string of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output
null

Operator: contains any caseless line of

Returns an entire value if any of the elements matches any strings given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: contains any caseless line of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: contains any caseless line of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: doesn't contain any string of

Returns an entire value if all of the elements doesn't match any strings given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: doesn't contain any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't contain any string of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output
[
"apple",
"banana",
"cherry"
]

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: doesn't contain any string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output
null

Operator: doesn't contain any caseless line of

Returns an entire value if all of the elements doesn't match any strings given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: doesn't contain any caseless line of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output
null

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't contain any caseless line of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output
[
"Apple",
"Banana",
"Cherry"
]

Example 3

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: doesn't contain any caseless line of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output
null

Operator: wildcard: contains any string of

Returns an entire value if any of the elements matches any wildcard patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: wildcard: contains any string of

Path:

Filter:

"b?????"
Output
banana

Example 2

Input
banana
Filter

Operator: wildcard: contains any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: wildcard: contains any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"apple",
"banana",
"cherry"
]

Example 4

Input
[
"melon",
"lemon",
"orange"
]
Filter

Operator: wildcard: contains any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Operator: wildcard: contains any caseless string of

Returns an entire value if any of the elements matches any wildcard patterns given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: wildcard: contains any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: wildcard: contains any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: wildcard: doesn't contain any string of

Returns an entire value if all of the elements doesn't match any wildcard patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: wildcard: doesn't contain any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: wildcard: doesn't contain any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Example 3

Input
[
"melon",
"lemon",
"orange"
]
Filter

Operator: wildcard: doesn't contain any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"melon",
"lemon",
"orange"
]

Operator: wildcard: doesn't contain any caseless line of

Returns an entire value if all of the elements doesn't match any wildcard patterns given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: wildcard: doesn't contain any caseless line of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Example 2

Input
[
"Melon",
"Lemon",
"Orange"
]
Filter

Operator: wildcard: doesn't contain any caseless line of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
[
"Melon",
"Lemon",
"Orange"
]

Example 3

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: wildcard: doesn't contain any caseless line of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output
null

Operator: regex: contains any string of

Returns an entire value if any of the elements matches any regular expression patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: regex: contains any string of

Path:

Filter:

"b....."
Output
banana

Example 2

Input
banana
Filter

Operator: regex: contains any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
banana

Example 3

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: regex: contains any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"apple",
"banana",
"cherry"
]

Example 4

Input
[
"melon",
"lemon",
"orange"
]
Filter

Operator: regex: contains any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Operator: regex: contains any caseless string of

Returns an entire value if any of the elements matches any regex patterns given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: regex: contains any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
Banana

Example 2

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: regex: contains any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"Apple",
"Banana",
"Cherry"
]

Operator: regex: doesn't contain any string of

Returns an entire value if all of the elements doesn't match any regex patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
banana
Filter

Operator: regex: doesn't contain any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Example 2

Input
[
"apple",
"banana",
"cherry"
]
Filter

Operator: regex: doesn't contain any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Example 3

Input
[
"melon",
"lemon",
"orange"
]
Filter

Operator: regex: doesn't contain any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"melon",
"lemon",
"orange"
]

Operator: regex: doesn't contain any caseless line of

Returns an entire value if all of the elements doesn't match any regex patterns given in a filter, `null` otherwise. The matching is peformed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1

Input
Banana
Filter

Operator: regex: doesn't contain any caseless line of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Example 2

Input
[
"Melon",
"Lemon",
"Orange"
]
Filter

Operator: regex: doesn't contain any caseless line of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
[
"Melon",
"Lemon",
"Orange"
]

Example 3

Input
[
"Apple",
"Banana",
"Cherry"
]
Filter

Operator: regex: doesn't contain any caseless line of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output
null

Operator: matches expressions of

Returns the result of a value filtered by `expressions` given. See `Filter Syntax` for the details of `expressions`.

Filter Format: expressions

Example 1

Input
[
"aaa.dat",
"bbb.exe",
"ccc.exe"
]
Filter

Operator: matches expressions of

Path:

Filter:

{
"ends with": ".exe",
"starts with": "c"
}
Output
[
"ccc.exe"
]

Example 2

Input
{
"Domain": [
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp",
"www.demisto.com"
],
"IP": [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}
Filter

Operator: matches expressions of

Path: Domain

Filter:

[
{"ends with": ".co.jp"},
"or",
{"includes": "demisto"}
]
Output
{
"Domain": [
"www.paloaltonetworks.co.jp",
"www.demisto.com"
],
"IP": [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}

Operator: matches conditions of

Returns the result of a value filtered by `conditions` given. See `Filter Syntax` for the details of `conditions`.

Filter Format: conditions

Example 1

Input
{
"TrustedDevices": [
"D000002",
"D000003"
],
"Events": [
{
"Description": "User Logged In - Success",
"DeviceID": "D000001"
},
{
"Description": "File uploaded",
"DeviceID": "D000001"
},
{
"Description": "File downloaded",
"DeviceID": "D000002"
},
{
"Description": "User Logged In - Failed",
"DeviceID": "D000003"
}
]
}
Filter

Operator: matches conditions of

Path: Events

Filter:

[
{
"Description": {
"==": "User Logged In - Failed"
}
},
"or",
[
{
"Description": {
"in list": "File uploaded,File downloaded"
}
},
"and",
"not",
{
"DeviceID": {
"matches any string of": "${local.TrustedDevices}"
}
}
]
]
Output
{
"Events": [
{
"Description": "File uploaded",
"DeviceID": "D000001"
},
{
"Description": "User Logged In - Failed",
"DeviceID": "D000003"
}
],
"TrustedDevices": [
"D000002",
"D000003"
]
}

Example 2

Input
{
"Result": {
"File": [
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
],
"Host": [
{
"Name": "computer1",
"IP": "1.1.1.1"
},
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}
Filter

Operator: matches conditions of

Path:

Filter:

{
"Result.File": {
"is filtered with" : {
"Name": {
"ends with": ".exe"
}
}
},
"Result.Host": {
"is filtered with" : {
"Name": {
"starts with": "server"
}
}
}
}
Output
{
"Result": {
"File": [
{
"Name": "b.exe",
"Size": 200
}
],
"Host": [
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}

Example 3

Input
{
"Result": {
"File": [
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
],
"Host": [
{
"Name": "computer1",
"IP": "1.1.1.1"
},
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}
Filter

Operator: matches conditions of

Path:

Filter:

{
"Result": {
"is filtered with" : {
"File": {
"is filtered with": {
"Name": {
"ends with": ".exe"
}
}
},
"Host": {
"is filtered with": {
"Name": {
"starts with": "server"
}
}
}
}
}
}
Output
{
"Result": {
"File": [
{
"Name": "b.exe",
"Size": 200
}
],
"Host": [
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}

Example 4

Input
{
"Result" : {
"Domain" : [
"www.paloaltonetworks.com",
"www.demisto.com",
"paloaltonetowrks.com"
],
"IP" : [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}
}
Filter

Operator: matches conditions of

Path:

Filter:

{
"Result.Domain": {
"is filtered with": {
"": {
"starts with": "www."
}
}
}
}
Output
{
"Result" : {
"Domain" : [
"www.paloaltonetworks.com",
"www.demisto.com"
],
"IP" : [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}
}

Operator: value matches expressions of

Evaluates each value of dictionary elements or each element for values whose data type is not `dictionary`, and returns a set of the elements matched to expressions given in a filter. See `Filter Syntax` for the details of `expressions`.

Filter Format: expressions

Example 1

Input
[
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
Filter

Operator: value matches expressions of

Path:

Filter:

{
"contains": "1.1.1.1"
}
Output
[
"1.1.1.1"
]

Example 2

Input
{
"Communication": {
"Host1": [
"1.1.1.1",
"2.2.2.2"
],
"Host2": "1.1.1.1",
"Host3": [
"3.3.3.3",
"4.4.4.4"
]
}
}
Filter

Operator: value matches expressions of

Path: Communication

Filter:

{
"contains": "1.1.1.1"
}
Output
{
"Communication": {
"Host1": [
"1.1.1.1",
"2.2.2.2"
],
"Host2": "1.1.1.1"
}
}

Operator: value matches conditions of

Evaluates each value of dictionary elements, and returns a set of the elements matched to conditions given in a filter. See `Filter Syntax` for the details of `conditions`.

Filter Format: conditions

Example 1

Input
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host2": {
"User": "TYAMADA",
"IP": "192.168.1.2",
"Score": 10
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}
Filter

Operator: value matches conditions of

Path:

Filter:

{
"Score": {
">=": 20
}
}
Output
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}

Example 2

Input
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30,
"File": {
"Risk": [
"xxx.exe",
"yyy.pdf"
]
}
},
"Host2": {
"User": "TYAMADA",
"IP": "192.168.1.2",
"Score": 10
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40,
"File": {
"Risk": [
"aaa.pdf",
"bbb.exe"
]
}
}
}
Filter

Operator: value matches conditions of

Path:

Filter:

{
"Score": {
">=": 20
},
"File.Risk": {
"is filtered with": {
"": {
"ends with": ".exe"
}
}
}
}
Output
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30,
"File": {
"Risk": [
"xxx.exe"
]
}
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40,
"File": {
"Risk": [
"bbb.exe"
]
}
}
}

Operator: json: encode array

Returns an string in JSON which is encoded the entire value.

Filter Format: dict[str,Any]

ParameterData TypeDescription
indentintThe number of spaces per indent (Default: None)

Example 1

Input
[
10,
20
]
Filter

Operator: json: encode array

Path:

Filter:

{
}
Output
"[10,20]"

Example 2

Input
[
10,
20
]
Filter

Operator: json: encode array

Path:

Filter:

{
"indent": 4
}
Output
[
"1.1.1.1",
"2.2.2.2"
]

Operator: json: encode

Encodes each element and returns a set of JSON-encoded string.

Filter Format: dict[str,Any]

ParameterData TypeDescription
indentintThe number of spaces per indent (Default: None)

Example 1

Input
[
{
"xxx": 10
},
20
]
Filter

Operator: json: encode

Path:

Filter:

{
}
Output
[
{"xxx":10},
20
]

Example 2

Input
[
{
"xxx": 10
},
20
]
Filter

Operator: json: encode

Path:

Filter:

{
"indent": 4
}
Output
[
{
"xxx": 10
},
20
]

Operator: json: decode

Returns a set of JSON decoded-values from the each element.

Filter Format: dict[str,Any]

ParameterData TypeDescription

(