ExtFilter

Filter values with complex conditions.
You can build filters with complex and combined conditions for the context data at any level of the tree.


Script Data#

| Name | Description |
| --- | --- |
| Script Type | python |
| Tags | transformer, entirelist, general |

Inputs#

| Argument Name | Description |
| --- | --- |
| value | The value to filter/transform. |
| operator | The operation name to filter/transform. |
| filter | The filter. |
| ctx_demisto | Enable to access the context data |
| ctx_inputs | Enable to access the input parameters to sub playbooks and use ${inputs.} |
| ctx_lists | Enable to access the list data and use ${list.} |
| ctx_incident | Enable to access the incident context and use ${incident.} |

Filter Syntax for expressions, conditions and transformers#

primitive-expression ::= <operator> : <value>
dict-expression ::= SET OF primitive-expression
array-expression ::= ARRAY OF ( dict-expression | array-expression | "not" expressions | "or" expressions | "and" expressions )
expressions ::= dict-expression | array-expression
primitive-condition ::= <path> : expressions
condition ::= SET OF primitive-condition
array-condition ::= ARRAY OF condition
conditions ::= condition | array-condition
transformers ::= dict-expression | ARRAY OF dict-expression

dict-expression#

Combines all of its expressions with the logical `and` operator.

e.g.

(<value> ends with ".exe") && (<value> starts with "x")

{
"ends with" : ".exe",
"starts with": "x"
}

array-expression#

Logical operations across expressions. The default operator is `and`.

e.g.

(<value> ends with ".exe") && (<value> starts with "x")

[
{"ends with" : ".exe"},
"and",
{"starts with": "x"}
]

or

[
{"ends with" : ".exe"},
{"starts with": "x"}
]

(<value> ends with ".exe") || (<value> starts with "x")

[
{"ends with" : ".exe"},
"or",
{"starts with": "x"}
]

not (<value> ends with ".exe")

[
"not",
{"ends with" : ".exe"}
]

((<value> ends with ".exe") || (<value> ends with ".pdf")) and (<value> starts with "x")

[
[
{"ends with" : ".exe"},
"or",
{"ends with" : ".pdf"}
],
"and",
{"starts with": "x"}
]

condition#

Evaluates child nodes of each dictionary element.

e.g.

<value>.Domain ends with ".com"

{
"Domain": {
"ends with" : ".com"
}
}

(<value>.Domain ends with ".com") && (<value>.IP starts with "192.168.")

{
"Domain": {
"ends with" : ".com"
},
"IP": {
"starts with" : "192.168."
}
}

array-condition#

Logical operations across conditions. The default operator is `and`.

e.g.

(<value>.Domain ends with ".com") || (<value>.IP starts with "192.168.")

[
{
"Domain": {
"ends with" : ".com"
}
},
"or",
{
"IP": {
"starts with" : "192.168."
}
}
]

not ((<value>.Domain ends with ".com") || (<value>.IP starts with "192.168."))

[
"not",
[
{
"Domain": {
"ends with" : ".com"
}
},
"or",
{
"IP": {
"starts with" : "192.168."
}
}
]
]
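The grammar above can be modelled in a few lines. The following is an added example, not the ExtFilter implementation: it supports only `starts with` and `ends with`, and it assumes that arrays are folded left to right, that `not` negates only the next item, that a missing key evaluates to false, and that each condition key names a direct child. The function names and the sample records are constructed for illustration.

```python
# Added example: a minimal model of the expression/condition grammar.
# Not the ExtFilter code; operators, names and sample data are illustrative.

OPERATORS = {
    "starts with": lambda value, arg: isinstance(value, str) and value.startswith(arg),
    "ends with": lambda value, arg: isinstance(value, str) and value.endswith(arg),
}
LOGICAL_KEYWORDS = ("and", "or", "not")


def _apply(operator, value, arg):
    # Fail closed: an unknown operator is an error, never a silent match.
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    return OPERATORS[operator](value, arg)


def _eval_array(items, evaluate):
    """Fold an array left to right (assumption: no and/or precedence).

    Items with no keyword between them are joined with "and";
    "not" negates only the item that follows it.
    """
    result, pending, negate = None, "and", False
    for item in items:
        if isinstance(item, str):
            if item not in LOGICAL_KEYWORDS:
                raise ValueError(f"unknown logical keyword: {item!r}")
            if item == "not":
                negate = not negate
            else:
                pending = item
            continue
        current = evaluate(item)
        if negate:
            current = not current
        if result is None:
            result = current
        elif pending == "or":
            result = result or current
        else:
            result = result and current
        pending, negate = "and", False
    if result is None:
        raise ValueError("array contains no expression or condition")
    return result


def eval_expressions(value, expr):
    """Evaluate a dict-expression or array-expression against one value."""
    if isinstance(expr, dict):
        # dict-expression: every <operator>: <value> pair must hold.
        return all(_apply(op, value, arg) for op, arg in expr.items())
    if isinstance(expr, list):
        return _eval_array(expr, lambda item: eval_expressions(value, item))
    raise TypeError(f"not an expression: {expr!r}")


def eval_conditions(node, cond):
    """Evaluate a condition or array-condition against one dictionary node."""
    if isinstance(cond, dict):
        # condition: each key selects a child node; all of them must match.
        return all(
            isinstance(node, dict) and path in node
            and eval_expressions(node[path], expr)
            for path, expr in cond.items()
        )
    if isinstance(cond, list):
        return _eval_array(cond, lambda item: eval_conditions(node, item))
    raise TypeError(f"not a condition: {cond!r}")


def filter_with(records, conditions):
    """Return the records that satisfy the given conditions."""
    return [record for record in records if eval_conditions(record, conditions)]


# Constructed sample records.
RECORDS = [
    {"Domain": "example.com", "IP": "10.0.0.5"},
    {"Domain": "intranet.local", "IP": "192.168.1.20"},
    {"Domain": "example.org", "IP": "203.0.113.7"},
]

# The two array-conditions shown in this section.
OR_CONDITION = [
    {"Domain": {"ends with": ".com"}},
    "or",
    {"IP": {"starts with": "192.168."}},
]
NOT_CONDITION = ["not", OR_CONDITION]

if __name__ == "__main__":
    print(filter_with(RECORDS, OR_CONDITION))
    print(filter_with(RECORDS, NOT_CONDITION))
```
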

transformers#

Run each transformer in order.

e.g.

base64: encode -> digest

[
{"base64: encode": {}},
{"digest": {"algorithm": "sha1"}}
]

base64: encode -> digest (Python 3.7 or above)

{
"base64: encode": {},
"digest": {"algorithm": "sha1"}
}

Note: In a dict-expression, the execution order depends on the Python runtime. Python 3.6 or earlier doesn't guarantee dictionary key order.
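Why the order matters, as an added example that is not the ExtFilter code: a small pipeline runner for `json: encode`, `base64: encode` and `digest`. It assumes that `digest` returns a hex string computed over the UTF-8 bytes of its input; the function names are illustrative.

```python
# Added example: running transformers in order. Not the ExtFilter code.
import base64
import hashlib
import json


def _json_encode(value, params):
    return json.dumps(value)


def _base64_encode(value, params):
    data = value if isinstance(value, bytes) else str(value).encode("utf-8")
    return base64.b64encode(data).decode("ascii")


def _digest(value, params):
    # Assumption: hex digest over the UTF-8 bytes of the value.
    return hashlib.new(params["algorithm"], str(value).encode("utf-8")).hexdigest()


TRANSFORMERS = {
    "json: encode": _json_encode,
    "base64: encode": _base64_encode,
    "digest": _digest,
}


def normalize(transformers):
    """Return the transformers as an ordered list of (name, params) steps."""
    if isinstance(transformers, dict):
        # Single dict-expression: order is the dict's key order, which is
        # only guaranteed to be insertion order on Python 3.7 or above.
        return list(transformers.items())
    steps = []
    for entry in transformers:
        # Array form: the array fixes the order between entries.
        steps.extend(entry.items())
    return steps


def transform(value, transformers):
    """Apply each transformer to the value, feeding each result to the next."""
    for name, params in normalize(transformers):
        if name not in TRANSFORMERS:
            raise ValueError(f"unsupported transformer: {name!r}")
        value = TRANSFORMERS[name](value, params)
    return value


def transform_each(values, transformers):
    return [transform(value, transformers) for value in values]


if __name__ == "__main__":
    encode_then_hash = [{"base64: encode": {}}, {"digest": {"algorithm": "sha1"}}]
    hash_then_encode = [{"digest": {"algorithm": "sha1"}}, {"base64: encode": {}}]
    # Same two steps, different order, different result.
    print(transform("abc", encode_then_hash))
    print(transform("abc", hash_then_encode))
```

Using the array form pins the order regardless of the runtime, which matters when the result is compared against a stored hash or indicator.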


DT (Demisto Transform Language)#

In filters written in JSON, such as expressions, conditions, transformers or <value>, you can use DT expressions in both keys and values. When you use DT, you must set the ctx_demisto, ctx_inputs, ctx_lists and ctx_incident parameters that correspond to the data the DT expression accesses.

| Parameter | Data Source | Value | Description |
| --- | --- | --- | --- |
| ctx_demisto | From Previous Tasks | . | Enable to access the context data |
| ctx_inputs | From Previous Tasks | inputs | Enable to access the input parameters to sub playbooks and use ${inputs.} |
| ctx_lists | From Previous Tasks | list | Enable to access the list data and use ${list.} |
| ctx_incident | From Previous Tasks | incident | Enable to access the incident context and use ${incident.} |

NOTE: ${list.} doesn't work in XSOAR 6.0 in transformer.

In addition, the local prefix (${local.}) is available for referring to the root value of the target. No parameter needs to be set to use ${local.}.

Example 1#

{
"ends with": "${Extension}"
}

Example 2#

{
"${KeyName}": {
"ends with": "${Extension}"
}
}

Example 3#

{
"ends with": "${Name}.exe"
}

Example 4#

{
"ends with": "${.=val.Extension}"
}

Example 5#

{
"ends with": "${incident.name}"
}

Example 6#

{
"ends with": "${local.Extension}"
}

Operators#

Available operators

  • is transformed with
  • is filtered with
  • value is filtered with
  • keeps
  • doesn't keep
  • is
  • isn't
  • ===
  • !==
  • equals
  • ==
  • doesn't equal
  • !=
  • greater or equal
  • >=
  • greater than
  • >
  • less or equal
  • <=
  • less than
  • <
  • in range
  • starts with
  • starts with caseless
  • doesn't start with
  • doesn't start with caseless
  • ends with
  • ends with caseless
  • doesn't end with
  • doesn't end with caseless
  • includes
  • includes caseless
  • doesn't include
  • doesn't include caseless
  • finds
  • finds caseless
  • doesn't find
  • doesn't find caseless
  • matches
  • matches caseless
  • doesn't match
  • doesn't match caseless
  • wildcard: matches
  • wildcard: matches caseless
  • wildcard: doesn't match
  • wildcard: doesn't match caseless
  • regex: matches
  • regex: matches caseless
  • regex: doesn't match
  • regex: doesn't match caseless
  • in list
  • in caseless list
  • not in list
  • not in caseless list
  • contains
  • contains caseless
  • doesn't contain
  • doesn't contain caseless
  • wildcard: contains
  • wildcard: contains caseless
  • wildcard: doesn't contain
  • wildcard: doesn't contain caseless
  • regex: contains
  • regex: contains caseless
  • regex: doesn't contain
  • regex: doesn't contain caseless
  • matches any line of
  • matches any caseless line of
  • doesn't match any line of
  • doesn't match any caseless line of
  • matches any string of
  • matches any caseless string of
  • doesn't match any string of
  • doesn't match any caseless string of
  • wildcard: matches any string of
  • wildcard: matches any caseless string of
  • wildcard: doesn't match any string of
  • wildcard: doesn't match any caseless string of
  • regex: matches any string of
  • regex: matches any caseless string of
  • regex: doesn't match any string of
  • regex: doesn't match any caseless string of
  • contains any line of
  • contains any caseless line of
  • doesn't contain any line of
  • doesn't contain any caseless line of
  • contains any string of
  • contains any caseless line of
  • doesn't contain any string of
  • doesn't contain any caseless line of
  • wildcard: contains any string of
  • wildcard: contains any caseless line of
  • wildcard: doesn't contain any string of
  • wildcard: doesn't contain any caseless line of
  • regex: contains any string of
  • regex: contains any caseless line of
  • regex: doesn't contain any string of
  • regex: doesn't contain any caseless line of
  • matches expressions of
  • matches conditions of
  • value matches expressions of
  • value matches conditions of
  • json: encode array
  • json: encode
  • json: decode
  • base64: encode
  • base64: decode
  • digest
  • is replaced with
  • is updated with
  • appends
  • if-then-else
  • switch-case
  • collects values
  • collects keys
  • flattens with values
  • flattens with keys
  • abort

Operator: is transformed with#

Transform each element with `transformers` given in a filter. See `Filter Syntax` for the details of `transformers`.

Filter Format: transformers

Example 1#

Input#
[
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
]
Filter#

Operator: is transformed with

Path:

Filter:

{
"json: encode": {},
"base64: encode": {}
}
Output#
[
"eyJOYW1lIjogImEuZGF0IiwgIlNpemUiOiAxMDB9",
"eyJOYW1lIjogImIuZXhlIiwgIlNpemUiOiAyMDB9",
"eyJOYW1lIjogImMudHh0IiwgIlNpemUiOiAzMDB9"
]

Example 2#

Input#
{
"File": [
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
}
],
"IP": [
"1.1.1.1",
"2.2.2.2"
]
}
Filter#

Operator: is transformed with

Path: File

Filter:

{
"is filtered with": {
"Name": {
"ends with": ".exe"
}
},
"json: encode": {},
"base64: encode": {}
}
Output#
{
"File": [
"eyJOYW1lIjogImIuZXhlIiwgIlNpemUiOiAyMDB9"
],
"IP": [
"1.1.1.1",
"2.2.2.2"
]
}

Operator: is filtered with#

Evaluates each element of an array with given conditions and returns a set of the elements matched. The value is handled as an array which has only one element when its data type is `dictionary`. See `Filter Syntax` for the details of `conditions`.

Filter Format: conditions

Example 1#

Input#
[
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
]
Filter#

Operator: is filtered with

Path: Name

Filter:

{
"Name": {
"ends with": ".exe"
}
}
Output#
[
{
"Name": "b.exe",
"Size": 200
}
]

Operator: value is filtered with#

Evaluates each value of dictionary elements or each element for values whose data type is not `dictionary`, and returns a set of the elements matched to expressions given in a filter. See `Filter Syntax` for the details of `expressions`.

Filter Format: expressions

Example 1#

Input#
[
"192.168.1.1",
"1.1.1.1",
"192.168.1.2"
]
Filter#

Operator: value is filtered with

Path:

Filter:

{
"starts with": "192.168."
}
Output#
[
"192.168.1.1",
"192.168.1.2"
]

Example 2#

Input#
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host2": {
"User": "TYAMADA",
"IP": "192.168.1.2",
"Score": 10
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}
Filter#

Operator: value is filtered with

Path: Score

Filter:

{
">=": 20
}
Output#
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}

Operator: keeps#

Evaluates each element of an array with the keys given and returns a set of the elements which retain only the given keys and their corresponding values. The value is handled as an array which has only one element when its data type is `dictionary`.

Filter Format: expressions

Example 1#

Input#
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"First Name": "John",
"Last Name": "Doe"
},
{
"Host": "YTARO",
"User": "Taro Yamada"
}
]
Filter#

Operator: keeps

Path:

Filter:

[
"Host",
"User"
]
Output#
[
{
"Host": "JDOE"
},
{
"User": "John Doe"
},
{
"Host": "YTARO",
"User": "Taro Yamada"
}
]

Operator: doesn't keeps#

Evaluates each element of an array with the keys given and returns a set of the elements from which the given keys are excluded. The value is handled as an array which has only one element when its data type is `dictionary`.

Filter Format: expressions

Example 1#

Input#
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"First Name": "John",
"Last Name": "Doe"
},
{
"Host": "YTARO",
"User": "Taro Yamada"
}
]
Filter#

Operator: doesn't keeps

Path:

Filter:

[
"Host",
"User"
]
Output#
[
{
"IP": "1.1.1.1"
},
{
"First Name": "John",
"Last Name": "Doe"
},
{
}
]

Operator: is#

This operator works with a sub operator specified as filter.


Sub Operator: empty#

Returns a set of elements which is empty.

Example 1#

Input#
10
Filter#

Operator: is

Path:

Filter:

empty
Output#
null

Example 2#

Input#
[
10,
{
},
null,
"xxx"
]
Filter#

Operator: is

Path:

Filter:

empty
Output#
[
{
},
null
]

Sub Operator: null#

Returns a set of elements which is `null`.

Example 1#

Input#
10
Filter#

Operator: is

Path:

Filter:

null
Output#
null

Example 2#

Input#
[
10,
{
},
null,
"xxx"
]
Filter#

Operator: is

Path:

Filter:

null
Output#
[
null
]

Sub Operator: string#

Returns a set of elements whose data type is `string`.

Example 1#

Input#
10
Filter#

Operator: is

Path:

Filter:

string
Output#
null

Example 2#

Input#
[
10,
{
},
null,
"xxx"
]
Filter#

Operator: is

Path:

Filter:

string
Output#
[
"xxx"
]

Sub Operator: integer#

Returns a set of elements whose data type is `integer`.

Example 1#

Input#
10
Filter#

Operator: is

Path:

Filter:

integer
Output#
10

Example 2#

Input#
[
10,
"123"
]
Filter#

Operator: is

Path:

Filter:

integer
Output#
[
10
]

Sub Operator: integer string#

Returns a set of elements whose data type is `string` and whose value is an integer. A value that includes a decimal point is evaluated as not an integer.

Example 1#

Input#
[
10,
"123"
]
Filter#

Operator: is

Path:

Filter:

integer string
Output#
[
"123"
]

Sub Operator: any integer#

Returns a set of elements matched with `string` or `integer string` operator.

Example 1#

Input#
[
10,
"123",
"xxx"
]
Filter#

Operator: is

Path:

Filter:

any integer
Output#
[
10,
"123"
]

Sub Operator: existing key#

Evaluates each dictionary element of an array, then returns a set of the elements which have a key given in `path`.

Example 1#

Input#
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"Email": "jdoe@domain.com"
}
]
Filter#

Operator: is

Path: Host

Filter:

existing key
Output#
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
}
]

Example 2#

Input#
[
{
"Host": {
"IP": "1.1.1.1",
"Score": 50,
"User": "JDOE"
},
"User": {
"ID": 1000,
"Name": "John Doe"
}
},
{
"Host": {
"IP": "2.2.2.2",
"Score": 30
}
}
]
Filter#

Operator: is

Path: Host.User

Filter:

existing key
Output#
[
{
"Host": {
"IP": "1.1.1.1",
"Score": 50,
"User": "JDOE"
},
"User": {
"ID": 1000,
"Name": "John Doe"
}
}
]

Operator: isn't#

This operator works with a sub operator specified as filter.


Sub Operator: empty#

Returns a set of elements which is not empty.

Example 1#

Input#
10
Filter#

Operator: isn't

Path:

Filter:

empty
Output#
10

Example 2#

Input#
[
10,
{
},
null,
"xxx"
]
Filter#

Operator: isn't

Path:

Filter:

empty
Output#
[
10,
"xxx"
]

Sub Operator: null#

Returns a set of elements which is not `null`.

Example 1#

Input#
10
Filter#

Operator: isn't

Path:

Filter:

10
Output#
null

Example 2#

Input#
[
10,
{
},
null,
"xxx"
]
Filter#

Operator: isn't

Path:

Filter:

null
Output#
[
10,
{
},
"xxx"
]

Sub Operator: string#

Returns a set of elements whose data type is not `string`.

Example 1#

Input#
10
Filter#

Operator: isn't

Path:

Filter:

string
Output#
10

Example 2#

Input#
[
10,
{
},
null,
"xxx"
]
Filter#

Operator: isn't

Path:

Filter:

string
Output#
[
10,
{
},
null
]

Sub Operator: integer#

Returns a set of elements whose data type is not `integer`.

Example 1#

Input#
10
Filter#

Operator: isn't

Path:

Filter:

integer
Output#
null

Example 2#

Input#
[
10,
"123"
]
Filter#

Operator: isn't

Path:

Filter:

integer
Output#
[
"123"
]

Sub Operator: integer string#

Returns a set of elements whose data type is not `string` or whose value is not an integer. A value that includes a decimal point is evaluated as not an integer.

Example 1#

Input#
[
10,
"123",
"123.0"
]
Filter#

Operator: isn't

Path:

Filter:

integer string
Output#
[
10,
"123.0"
]

Sub Operator: any integer#

Returns a set of elements which are neither `string` nor `integer string`.

Example 1#

Input#
[
10,
"123",
"xxx"
]
Filter#

Operator: isn't

Path:

Filter:

any integer
Output#
[
"xxx"
]

Sub Operator: existing key#

Evaluates each dictionary element of an array, then returns a set of the elements which don't have a key given in `path`.

Example 1#

Input#
[
{
"Host": "JDOE",
"IP": "1.1.1.1"
},
{
"User": "John Doe",
"Email": "jdoe@domain.com"
}
]
Filter#

Operator: isn't

Path: Host

Filter:

existing key
Output#
[
{
"User": "John Doe",
"Email": "jdoe@domain.com"
}
]

Example 2#

Input#
[
{
"Host": {
"IP": "1.1.1.1",
"Score": 50,
"User": "JDOE"
},
"User": {
"ID": 1000,
"Name": "John Doe"
}
},
{
"Host": {
"IP": "2.2.2.2",
"Score": 30
}
}
]
Filter#

Operator: isn't

Path: Host.User

Filter:

existing key
Output#
[
{
"Host": {
"IP": "2.2.2.2",
"Score": 30
}
}
]

Operator: ===#

Returns a set of elements which exactly matches to a value given in a filter. It doesn't match when the data types are different.

Filter Format: <value>

Example 1#

Input#
[
10,
"10",
123
]
Filter#

Operator: ===

Path:

Filter:

10
Output#
[
10
]

Example 2#

Input#
[
10,
"10",
123
]
Filter#

Operator: ===

Path:

Filter:

"10"
Output#
[
"10"
]

Operator: !==#

Returns a set of elements which doesn't match the data type or the value of a value given in a filter.

Filter Format: <value>

Example 1#

Input#
[
10,
"10",
123
]
Filter#

Operator: !==

Path:

Filter:

10
Output#
[
"10",
123
]

Operator: equals, ==#

Returns a set of elements which is equal to a value given in a filter. The value is implicitly converted from its data type to another in a comparison between different data types. `==` is an alias name for `equals`.

Filter Format: <value>

Example 1#

Input#
[
10,
"10",
123
]
Filter#

Operator: equals

Path:

Filter:

10
Output#
[
10,
"10"
]

Operator: doesn't equal, !=#

Returns a set of elements which is not equal to a value given in a filter. The value is implicitly converted from its data type to another in a comparison between different data types. `!=` is an alias name for `doesn't equal`.

Filter Format: <value>

Example 1#

Input#
[
10,
"10",
123
]
Filter#

Operator: doesn't equal

Path:

Filter:

10
Output#
[
123
]

Operator: greater or equal, >=#

Returns a set of elements which is greater or equal to a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false when either or both of the values cannot be converted to a number. `>=` is an alias name for `greater or equal`.

Filter Format: <value>

Example 1#

Input#
[
1,
10,
"10",
123
]
Filter#

Operator: greater or equal

Path:

Filter:

10
Output#
[
10,
"10",
123
]

Operator: greater than, >#

Returns a set of elements which is greater than a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false when either or both of the values cannot be converted to a number. `>` is an alias name for `greater than`.

Filter Format: <value>

Example 1#

Input#
[
1,
10,
"10",
123
]
Filter#

Operator: greater than

Path:

Filter:

10
Output#
[
123
]

Operator: less or equal, <=#

Returns a set of elements which is less or equal to a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false when either or both of the values cannot be converted to a number. `<=` is an alias name for `less or equal`.

Filter Format: <value>

Example 1#

Input#
[
1,
10,
"10",
123
]
Filter#

Operator: less or equal

Path:

Filter:

10
Output#
[
1,
10,
"10"
]

Operator: less than, <#

Returns a set of elements which is less than a value given in a filter. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false when either or both of the values cannot be converted to a number. `<` is an alias name for `less than`.

Filter Format: <value>

Example 1#

Input#
[
1,
10,
"10",
123
]
Filter#

Operator: less than

Path:

Filter:

10
Output#
[
1
]

Operator: in range#

Returns a set of elements which is greater or equal to `min` and less or equal to `max` given in a range. The value is implicitly converted from its data type to number in a comparison. This operator evaluates to false when either or both of the values cannot be converted to a number.

Filter Format: min,max

Example 1#

Input#
[
1,
10,
"10",
"30",
123
]
Filter#

Operator: in range

Path:

Filter:

10,100
Output#
[
10,
"10",
"30"
]

Operator: starts with#

Returns a set of elements which starts with a string given in a filter.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: starts with

Path:

Filter:

xxx
Output#
[
"xxx.exe"
]

Operator: starts with caseless#

Returns a set of elements which starts with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: starts with caseless

Path:

Filter:

xxx
Output#
[
"xxx.exe",
"XXX.EXE"
]

Operator: doesn't start with#

Returns a set of elements which doesn't start with a string given in a filter.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: doesn't start with

Path:

Filter:

xxx
Output#
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: doesn't start with caseless#

Returns a set of elements which doesn't start with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: doesn't start with caseless

Path:

Filter:

xxx
Output#
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: ends with#

Returns a set of elements which ends with a string given in a filter.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: ends with

Path:

Filter:

.exe
Output#
[
"xxx.exe"
]

Operator: ends with caseless#

Returns a set of elements which ends with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: ends with caseless

Path:

Filter:

.exe
Output#
[
"xxx.exe",
"XXX.EXE"
]

Operator: doesn't end with#

Returns a set of elements which doesn't end with a string given in a filter.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: doesn't end with

Path:

Filter:

.exe
Output#
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: doesn't end with caseless#

Returns a set of elements which doesn't end with a string given in a filter. It performs case-insensitive matching.

Filter Format: string

Example 1#

Input#
[
10,
"xxx.exe",
"XXX.EXE",
"yyy.pdf",
{
"xxx": "x"
}
]
Filter#

Operator: doesn't end with caseless

Path:

Filter:

.exe
Output#
[
10,
"yyy.pdf",
{
"xxx": "x"
}
]

Operator: includes#

Returns a set of elements of which a string given in a filter is a substring. The search only works for `string` data types. It evaluates to unmatched for an element when either or both of the data types are not `string`.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: includes

Path:

Filter:

paloaltonetworks
Output#
www.paloaltonetworks.com

Example 2#

Input#
[
10,
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: includes

Path:

Filter:

paloaltonetworks
Output#
[
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp"
]

Operator: includes caseless#

Returns a set of elements of which a string given in a filter is a substring. It performs case-insensitive searching, and only works for `string` data types. It evaluates to unmatched for an element when either or both of the data types are not `string`.

Filter Format: string

Example 1#

Input#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: includes caseless

Path:

Filter:

paloaltonetworks
Output#
[
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM"
]

Operator: doesn't include#

Returns a set of elements of which a string given in a filter is not a substring. The search only works for `string` data types. It evaluates to unmatched for an element when either or both of the data types are not `string`.

Filter Format: string

Example 1#

Input#
[
10,
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't include

Path:

Filter:

paloaltonetworks
Output#
[
10,
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: doesn't include caseless#

Returns a set of elements of which a string given in a filter is not a substring. It performs case-insensitive searching, and only works for `string` data types. It evaluates to unmatched for an element when either or both of the data types are not `string`.

Filter Format: string

Example 1#

Input#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't include caseless

Path:

Filter:

paloaltonetworks
Output#
[
10,
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: finds#

Returns the entire target value if a string given in a filter is a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: finds

Path:

Filter:

paloaltonetworks
Output#
www.paloaltonetworks.com

Example 2#

Input#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: finds

Path:

Filter:

paloaltonetworks
Output#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Example 3#

Input#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: finds

Path:

Filter:

xxx.paloaltonetworks.com
Output#
null

Operator: finds caseless#

Returns the entire target value if a string given in a filter is a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array with case-insensitive matching.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: finds caseless

Path:

Filter:

paloaltonetworks
Output#
WWW.PaloAltoNetworks.COM

Example 2#

Input#
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: finds caseless

Path:

Filter:

paloaltonetworks
Output#
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: doesn't find#

Returns an entire target value if a string given in a filter is not a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: doesn't find

Path:

Filter:

paloaltonetworks
Output#
null

Example 2#

Input#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't find

Path:

Filter:

paloaltonetworks
Output#
null

Example 3#

Input#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't find

Path:

Filter:

xxx.paloaltonetworks
Output#
[
10,
"www.paloaltonetworks.com",
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: doesn't find caseless#

Returns an entire target value if a string given in a filter is not a substring of any of the elements, `null` otherwise. The searching is performed for a single `string` element or each `string` element of an array with case-insensitive matching.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: doesn't find caseless

Path:

Filter:

PaloAltoNetworks
Output#
null

Example 2#

Input#
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't find caseless

Path:

Filter:

paloaltonetworks
Output#
null

Example 3#

Input#
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't find caseless

Path:

Filter:

xxx.paloaltonetworks
Output#
[
10,
"WWW.PaloAltoNetworks.COM",
{
"xxx": "xxx.paloaltonetworks.com"
}
]

Operator: matches#

Returns a set of elements which is equal to a string given in a filter. The matching is performed between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: matches

Path:

Filter:

www.paloaltonetworks.com
Output#
www.paloaltonetworks.com

Example 2#

Input#
www.paloaltonetworks.com
Filter#

Operator: matches

Path:

Filter:

paloaltonetworks
Output#
null

Example 3#

Input#
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: matches

Path:

Filter:

www.paloaltonetworks.com
Output#
[
"www.paloaltonetworks.com"
]

Operator: matches caseless#

Returns a set of elements which matches a string given in a filter. The matching is performed case-insensitively and between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: matches caseless

Path:

Filter:

www.paloaltonetworks.com
Output#
WWW.PaloAltoNetworks.COM

Example 2#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: matches caseless

Path:

Filter:

paloaltonetworks
Output#
null

Example 3#

Input#
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: matches caseless

Path:

Filter:

www.paloaltonetworks.com
Output#
[
"WWW.PaloAltoNetworks.COM"
]

Operator: doesn't match#

Returns a set of elements which is not equal to a string given in a filter. The matching is performed between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: doesn't match

Path:

Filter:

www.paloaltonetworks.com
Output#
null

Example 2#

Input#
www.paloaltonetworks.com
Filter#

Operator: doesn't match

Path:

Filter:

paloaltonetworks
Output#
www.paloaltonetworks.com

Example 3#

Input#
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't match

Path:

Filter:

www.paloaltonetworks.com
Output#
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: doesn't match caseless#

Returns a set of elements which doesn't match a string given in a filter. The matching is performed case-insensitively and between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: doesn't match caseless

Path:

Filter:

www.paloaltonetworks.com
Output#
null

Example 2#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: doesn't match caseless

Path:

Filter:

paloaltonetworks
Output#
WWW.PaloAltoNetworks.COM

Example 3#

Input#
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: doesn't match caseless

Path:

Filter:

www.paloaltonetworks.com
Output#
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: wildcard: matches#

Returns a set of elements which matches a wildcard pattern given in a filter. The matching is performed between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: wildcard: matches

Path:

Filter:

???.paloaltonetworks.*
Output#
www.paloaltonetworks.com

Example 2#

Input#
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: wildcard: matches

Path:

Filter:

???.paloaltonetworks.*
Output#
[
"www.paloaltonetworks.com"
]

Operator: wildcard: matches caseless#

Returns a set of elements which matches a wildcard pattern given in a filter. The matching is performed case-insensitively and between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: wildcard: matches caseless

Path:

Filter:

???.paloaltonetworks.*
Output#
WWW.PaloAltoNetworks.COM

Example 2#

Input#
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: wildcard: matches caseless

Path:

Filter:

???.paloaltonetworks.*
Output#
[
"WWW.PaloAltoNetworks.COM"
]

Operator: wildcard: doesn't match#

Returns a set of elements which doesn't match a wildcard pattern given in a filter. The matching is performed between `string` data types. It doesn't match an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: wildcard: doesn't match

Path:

Filter:

???.paloaltonetworks.*
Output#
null

Example 2#

Input#
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: wildcard: doesn't match

Path:

Filter:

???.paloaltonetworks.*
Output#
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: wildcard: doesn't match caseless#

Returns the set of elements that don't match a wildcard pattern given in a filter. The matching is performed case-insensitively and between `string` data types; an element whose data type is not `string` never matches.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: wildcard: doesn't match caseless

Path:

Filter:

???.paloaltonetworks.*
Output#
null

Example 2#

Input#
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: wildcard: doesn't match caseless

Path:

Filter:

???.paloaltonetworks.*
Output#
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: regex: matches#

Returns the set of elements that match a regular expression pattern given in a filter. The matching is performed between `string` data types; an element whose data type is not `string` never matches.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: regex: matches

Path:

Filter:

.*paloaltonetworks.*
Output#
www.paloaltonetworks.com

Example 2#

Input#
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: regex: matches

Path:

Filter:

.*paloaltonetworks.*
Output#
[
"www.paloaltonetworks.com"
]

Operator: regex: matches caseless#

Returns the set of elements that match a regular expression pattern given in a filter. The matching is performed case-insensitively and between `string` data types; an element whose data type is not `string` never matches.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: regex: matches caseless

Path:

Filter:

.*paloaltonetworks.*
Output#
WWW.PaloAltoNetworks.COM

Example 2#

Input#
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: regex: matches caseless

Path:

Filter:

.*paloaltonetworks.*
Output#
[
"WWW.PaloAltoNetworks.COM"
]

Operator: regex: doesn't match#

Returns the set of elements that don't match a regular expression pattern given in a filter. The matching is performed between `string` data types; an element whose data type is not `string` never matches.

Filter Format: string

Example 1#

Input#
www.paloaltonetworks.com
Filter#

Operator: regex: doesn't match

Path:

Filter:

.*paloaltonetworks.*
Output#
null

Example 2#

Input#
[
"www.demisto.com",
"www.paloaltonetworks.com",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: regex: doesn't match

Path:

Filter:

.*paloaltonetworks.*
Output#
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]

Operator: regex: doesn't match caseless#

Returns the set of elements that don't match a regular expression pattern given in a filter. The matching is performed case-insensitively and between `string` data types; an element whose data type is not `string` never matches.

Filter Format: string

Example 1#

Input#
WWW.PaloAltoNetworks.COM
Filter#

Operator: regex: doesn't match caseless

Path:

Filter:

.*paloaltonetworks.*
Output#
null

Example 2#

Input#
[
"www.demisto.com",
"WWW.PaloAltoNetworks.COM",
{
"Host": "www.paloaltonetworks.com"
}
]
Filter#

Operator: regex: doesn't match caseless

Path:

Filter:

.*paloaltonetworks.*
Output#
[
"www.demisto.com",
{
"Host": "www.paloaltonetworks.com"
}
]
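The element-wise `wildcard:` and `regex:` operators above can be modelled in a few lines. This is an added sketch, not ExtFilter's own code: the function names are hypothetical, and it assumes shell-style wildcards and whole-string regex matching, which is consistent with the examples shown. It also surfaces the point a playbook author should notice: a non-string element never matches, so every "doesn't match" operator lets it through without comparing it to the pattern.

```python
import fnmatch
import re


def element_matches(kind, pattern, element, caseless=False):
    """Return True only when `element` is a str that matches `pattern`.

    Non-string elements never match, as the operator descriptions state.
    """
    if not isinstance(element, str):
        return False
    flags = re.IGNORECASE if caseless else 0
    if kind == "wildcard":
        # Assumption: shell-style wildcards (? = one character, * = any run).
        return re.match(fnmatch.translate(pattern), element, flags) is not None
    if kind == "regex":
        # Assumption: the pattern has to cover the whole string.
        return re.fullmatch(pattern, element, flags) is not None
    raise ValueError(f"unknown kind: {kind!r}")


def apply_operator(value, kind, pattern, negate=False, caseless=False):
    """Model '<kind>: matches' (negate=False) and '<kind>: doesn't match'."""
    def keep(element):
        return element_matches(kind, pattern, element, caseless) != negate

    if isinstance(value, list):
        return [e for e in value if keep(e)]
    # A single value is returned as-is or replaced by null (None).
    return value if keep(value) else None


def unchecked_survivors(result):
    """Elements of a filter result that were never compared to the pattern."""
    items = result if isinstance(result, list) else [result]
    return [e for e in items if e is not None and not isinstance(e, str)]


# Constructed sample input, same shape as the examples in this section.
SAMPLE = [
    "www.demisto.com",
    "WWW.PaloAltoNetworks.COM",
    {"Host": "www.paloaltonetworks.com"},
]

if __name__ == "__main__":
    kept = apply_operator(SAMPLE, "regex", ".*paloaltonetworks.*",
                          negate=True, caseless=True)
    print("kept:", kept)
    print("passed without a string comparison:", unchecked_survivors(kept))
```

When a negative operator is used as an exclusion list, point `Path` at the string field (here `Host`) or check the result for non-string survivors before acting on it.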

Operator: in list#

Returns the set of elements that match any of the strings in a comma-separated list. The matching always evaluates to false for an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
banana
Filter#

Operator: in list

Path:

Filter:

apple,banana,cherry
Output#
banana

Example 2#

Input#
[
"apple",
"melon",
"banana",
{
"fruit": "orange"
}
]
Filter#

Operator: in list

Path:

Filter:

apple,banana,cherry
Output#
[
"apple",
"banana"
]

Operator: in caseless list#

Returns the set of elements that match any of the strings in a comma-separated list. The matching is performed case-insensitively, and always evaluates to false for an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
Banana
Filter#

Operator: in caseless list

Path:

Filter:

apple,banana,cherry
Output#
Banana

Example 2#

Input#
[
"Apple",
"Melon",
"Banana",
{
"Fruit": "Orange"
}
]
Filter#

Operator: in caseless list

Path:

Filter:

apple,banana,cherry
Output#
[
"Apple",
"Banana"
]

Operator: not in list#

Returns the set of elements that don't match any of the strings in a comma-separated list. The matching always evaluates to false for an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
melon
Filter#

Operator: not in list

Path:

Filter:

apple,banana,cherry
Output#
melon

Example 2#

Input#
banana
Filter#

Operator: not in list

Path:

Filter:

apple,banana,cherry
Output#
null

Example 3#

Input#
[
"apple",
"melon",
"banana",
{
"fruit": "orange"
}
]
Filter#

Operator: not in list

Path:

Filter:

apple,banana,cherry
Output#
[
"melon",
{
"fruit": "orange"
}
]

Operator: not in caseless list#

Returns the set of elements that don't match any of the strings in a comma-separated list. The matching is performed case-insensitively, and always evaluates to false for an element whose data type is not `string`.

Filter Format: string

Example 1#

Input#
Melon
Filter#

Operator: not in caseless list

Path:

Filter:

apple,banana,cherry
Output#
Melon

Example 2#

Input#
Banana
Filter#

Operator: not in caseless list

Path:

Filter:

apple,banana,cherry
Output#
null

Example 3#

Input#
[
"Apple",
"Melon",
"Banana",
{
"Fruit": "Orange"
}
]
Filter#

Operator: not in caseless list

Path:

Filter:

apple,banana,cherry
Output#
[
"Melon",
{
"Fruit": "Orange"
}
]

Operator: contains#

Returns an entire value if any of the elements matches a string given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
apple
Filter#

Operator: contains

Path:

Filter:

apple
Output#
apple

Example 2#

Input#
banana
Filter#

Operator: contains

Path:

Filter:

apple
Output#
null

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: contains

Path:

Filter:

apple
Output#
[
"apple",
"banana",
"cherry"
]

Operator: contains caseless#

Returns an entire value if any of the elements matches a string given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Apple
Filter#

Operator: contains caseless

Path:

Filter:

apple
Output#
Apple

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: contains caseless

Path:

Filter:

apple
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: doesn't contain#

Returns an entire value if none of the elements matches a string given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
apple
Filter#

Operator: doesn't contain

Path:

Filter:

apple
Output#
null

Example 2#

Input#
banana
Filter#

Operator: doesn't contain

Path:

Filter:

apple
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't contain

Path:

Filter:

apple
Output#
null

Operator: doesn't contain caseless#

Returns an entire value if none of the elements matches a string given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Apple
Filter#

Operator: doesn't contain caseless

Path:

Filter:

apple
Output#
null

Example 2#

Input#
banana
Filter#

Operator: doesn't contain caseless

Path:

Filter:

apple
Output#
banana

Example 3#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't contain caseless

Path:

Filter:

apple
Output#
null

Operator: wildcard: contains#

Returns an entire value if any of the elements matches a wildcard pattern given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
apple
Filter#

Operator: wildcard: contains

Path:

Filter:

*a*
Output#
apple

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: wildcard: contains

Path:

Filter:

*a*
Output#
[
"apple",
"banana",
"cherry"
]

Operator: wildcard: contains caseless#

Returns an entire value if any of the elements matches a wildcard pattern given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Apple
Filter#

Operator: wildcard: contains caseless

Path:

Filter:

*a*
Output#
Apple

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: wildcard: contains caseless

Path:

Filter:

*a*
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: wildcard: doesn't contain#

Returns an entire value if none of the elements matches a wildcard pattern given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
apple
Filter#

Operator: wildcard: doesn't contain

Path:

Filter:

*a*
Output#
null

Example 2#

Input#
cherry
Filter#

Operator: wildcard: doesn't contain

Path:

Filter:

*a*
Output#
cherry

Example 3#

Input#
[
"cherry",
"melon"
]
Filter#

Operator: wildcard: doesn't contain

Path:

Filter:

*a*
Output#
[
"cherry",
"melon"
]

Operator: wildcard: doesn't contain caseless#

Returns an entire value if none of the elements matches a wildcard pattern given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Apple
Filter#

Operator: wildcard: doesn't contain caseless

Path:

Filter:

*a*
Output#
null

Example 2#

Input#
cherry
Filter#

Operator: wildcard: doesn't contain caseless

Path:

Filter:

*a*
Output#
cherry

Example 3#

Input#
[
"Cherry",
"Melon"
]
Filter#

Operator: wildcard: doesn't contain caseless

Path:

Filter:

*a*
Output#
[
"Cherry",
"Melon"
]

Operator: regex: contains#

Returns an entire value if any of the elements matches a regular expression given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
apple
Filter#

Operator: regex: contains

Path:

Filter:

.*a.*
Output#
apple

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: regex: contains

Path:

Filter:

.*a.*
Output#
[
"apple",
"banana",
"cherry"
]

Operator: regex: contains caseless#

Returns an entire value if any of the elements matches a regular expression given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Apple
Filter#

Operator: regex: contains caseless

Path:

Filter:

.*a.*
Output#
Apple

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: regex: contains caseless

Path:

Filter:

.*a.*
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: regex: doesn't contain#

Returns an entire value if none of the elements matches a regular expression given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
apple
Filter#

Operator: regex: doesn't contain

Path:

Filter:

.*a.*
Output#
null

Example 2#

Input#
cherry
Filter#

Operator: regex: doesn't contain

Path:

Filter:

.*a.*
Output#
cherry

Example 3#

Input#
[
"cherry",
"melon"
]
Filter#

Operator: regex: doesn't contain

Path:

Filter:

.*a.*
Output#
[
"cherry",
"melon"
]

Operator: regex: doesn't contain caseless#

Returns an entire value if none of the elements matches a regular expression given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Apple
Filter#

Operator: regex: doesn't contain caseless

Path:

Filter:

.*a.*
Output#
null

Example 2#

Input#
cherry
Filter#

Operator: regex: doesn't contain caseless

Path:

Filter:

.*a.*
Output#
cherry

Example 3#

Input#
[
"Cherry",
"Melon"
]
Filter#

Operator: regex: doesn't contain caseless

Path:

Filter:

.*a.*
Output#
[
"Cherry",
"Melon"
]

Operator: matches any line of#

Returns the set of elements that match any line of a text given in a filter.

Filter Format: string

Example 1#

Input#
banana
Filter#

Operator: matches any line of

Path:

Filter:

apple
banana
cherry
Output#
banana

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: matches any line of

Path:

Filter:

orange
banana
apple
Output#
[
"apple",
"banana"
]

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: matches any line of

Path:

Filter:

melon
lemon
orange
Output#
[
]

Operator: matches any caseless line of#

Returns the set of elements that match any line of a text given in a filter. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Banana
Filter#

Operator: matches any caseless line of

Path:

Filter:

apple
banana
cherry
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: matches any caseless line of

Path:

Filter:

orange
banana
apple
Output#
[
"Apple",
"Banana"
]

Operator: doesn't match any line of#

Returns the set of elements that don't match any line of a text given in a filter.

Filter Format: string

Example 1#

Input#
banana
Filter#

Operator: doesn't match any line of

Path:

Filter:

apple
banana
cherry
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't match any line of

Path:

Filter:

melon
orange
banana
Output#
[
"apple",
"cherry"
]

Operator: doesn't match any caseless line of#

Returns the set of elements that don't match any line of a text given in a filter. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Banana
Filter#

Operator: doesn't match any caseless line of

Path:

Filter:

apple
banana
cherry
Output#
null

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't match any caseless line of

Path:

Filter:

melon
lemon
orange
Output#
[
"Apple",
"Banana",
"Cherry"
]

Example 3#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't match any caseless line of

Path:

Filter:

melon
orange
banana
Output#
[
"Apple",
"Cherry"
]

Operator: matches any string of#

Returns the set of elements that match any of the strings given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: matches any string of

Path:

Filter:

"banana"
Output#
banana

Example 2#

Input#
banana
Filter#

Operator: matches any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: matches any string of

Path:

Filter:

[
"orange",
"banana",
"apple"
]
Output#
[
"apple",
"banana"
]

Example 4#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: matches any string of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output#
[
]

Operator: matches any caseless string of#

Returns the set of elements that match any of the strings given in a filter. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: matches any caseless string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: matches any caseless string of

Path:

Filter:

[
"orange",
"banana",
"apple"
]
Output#
[
"Apple",
"Banana"
]

Operator: doesn't match any string of#

Returns the set of elements that don't match any of the strings given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: doesn't match any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't match any string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output#
[
"apple",
"cherry"
]

Operator: doesn't match any caseless string of#

Returns the set of elements that don't match any of the strings given in a filter. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: doesn't match any caseless string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
null

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't match any caseless string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output#
[
"Apple",
"Cherry"
]

Operator: wildcard: matches any string of#

Returns the set of elements that match any of the wildcard patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: wildcard: matches any string of

Path:

Filter:

"b?????"
Output#
banana

Example 2#

Input#
banana
Filter#

Operator: wildcard: matches any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: wildcard: matches any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"banana",
"cherry"
]

Example 4#

Input#
[
"melon",
"lemon",
"orange"
]
Filter#

Operator: wildcard: matches any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
]

Operator: wildcard: matches any caseless string of#

Returns the set of elements that match any of the wildcard patterns given in a filter. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: wildcard: matches any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: wildcard: matches any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"Banana",
"Cherry"
]

Operator: wildcard: doesn't match any string of#

Returns the set of elements that don't match any of the wildcard patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: wildcard: doesn't match any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: wildcard: doesn't match any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"apple"
]

Operator: wildcard: doesn't match any caseless string of#

Returns the set of elements that don't match any of the wildcard patterns given in a filter. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: wildcard: doesn't match any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: wildcard: doesn't match any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"Apple"
]

Operator: regex: matches any string of#

Returns the set of elements that match any of the regular expression patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: regex: matches any string of

Path:

Filter:

"b....."
Output#
banana

Example 2#

Input#
banana
Filter#

Operator: regex: matches any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: regex: matches any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"banana",
"cherry"
]

Example 4#

Input#
[
"melon",
"lemon",
"orange"
]
Filter#

Operator: regex: matches any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
]

Operator: regex: matches any caseless string of#

Returns the set of elements that match any of the regular expression patterns given in a filter. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: regex: matches any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: regex: matches any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"Banana",
"Cherry"
]

Operator: regex: doesn't match any string of#

Returns the set of elements that don't match any of the regular expression patterns given in a filter.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: regex: doesn't match any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: regex: doesn't match any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"apple"
]

Operator: regex: doesn't match any caseless string of#

Returns the set of elements that don't match any of the regular expression patterns given in a filter. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: regex: doesn't match any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: regex: doesn't match any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"Apple"
]

Operator: contains any line of#

Returns an entire value if any of the elements matches any line of a text given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
banana
Filter#

Operator: contains any line of

Path:

Filter:

apple
banana
cherry
Output#
banana

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: contains any line of

Path:

Filter:

melon
orange
banana
Output#
[
"apple",
"banana",
"cherry"
]

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: contains any line of

Path:

Filter:

melon
lemon
orange
Output#
null

Operator: contains any caseless line of#

Returns an entire value if any of the elements matches any line of a text given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Banana
Filter#

Operator: contains any caseless line of

Path:

Filter:

apple
banana
cherry
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: contains any caseless line of

Path:

Filter:

melon
orange
banana
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: doesn't contain any line of#

Returns an entire value if none of the elements matches any line of a text given in a filter, `null` otherwise.

Filter Format: string

Example 1#

Input#
banana
Filter#

Operator: doesn't contain any line of

Path:

Filter:

apple
banana
cherry
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't contain any line of

Path:

Filter:

melon
lemon
orange
Output#
[
"apple",
"banana",
"cherry"
]

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't contain any line of

Path:

Filter:

melon
orange
banana
Output#
null

Operator: doesn't contain any caseless line of#

Returns an entire value if none of the elements matches any line of a text given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: string

Example 1#

Input#
Banana
Filter#

Operator: doesn't contain any caseless line of

Path:

Filter:

apple
banana
cherry
Output#
null

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't contain any caseless line of

Path:

Filter:

melon
lemon
orange
Output#
[
"Apple",
"Banana",
"Cherry"
]

Example 3#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't contain any caseless line of

Path:

Filter:

melon
orange
banana
Output#
null

Operator: contains any string of#

Returns an entire value if any of the elements matches any strings given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: contains any string of

Path:

Filter:

"banana"
Output#
banana

Example 2#

Input#
banana
Filter#

Operator: contains any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: contains any string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output#
[
"apple",
"banana",
"cherry"
]

Example 4#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: contains any string of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output#
null

Operator: contains any caseless line of#

Returns an entire value if any of the elements matches any strings given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: contains any caseless line of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: contains any caseless line of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: doesn't contain any string of#

Returns an entire value if none of the elements matches any strings given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: doesn't contain any string of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't contain any string of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output#
[
"apple",
"banana",
"cherry"
]

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: doesn't contain any string of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output#
null

Operator: doesn't contain any caseless line of#

Returns an entire value if none of the elements matches any strings given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: doesn't contain any caseless line of

Path:

Filter:

[
"apple",
"banana",
"cherry"
]
Output#
null

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't contain any caseless line of

Path:

Filter:

[
"melon",
"lemon",
"orange"
]
Output#
[
"Apple",
"Banana",
"Cherry"
]

Example 3#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: doesn't contain any caseless line of

Path:

Filter:

[
"melon",
"orange",
"banana"
]
Output#
null
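The exact-string operators differ in two independent ways: how the filter text is split into candidates (comma-separated list, lines of text, or JSON string/array) and whether the result is decided per element ("matches", "in list") or for the whole value ("contains"). The following added sketch models both axes; it is not ExtFilter's own code, the function names and the `fmt` labels are hypothetical, and treating non-string elements as never matching in the "contains" family is an assumption carried over from the element-wise operators.

```python
import json


def parse_filter(filter_text, fmt):
    """Split a filter string into candidate strings.

    `fmt` is a label used only in this sketch:
      "comma" -> 'in list' family           (apple,banana,cherry)
      "lines" -> '... any line of' family   (one candidate per line)
      "json"  -> '... any string of' family (JSON string or array of strings)
    """
    if fmt == "comma":
        return filter_text.split(",")  # assumption: items are not trimmed
    if fmt == "lines":
        return filter_text.splitlines()
    if fmt == "json":
        parsed = json.loads(filter_text)
        items = [parsed] if isinstance(parsed, str) else parsed
        if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
            raise ValueError("filter must be a JSON string or an array of strings")
        return items
    raise ValueError(f"unknown filter format: {fmt!r}")


def _hit(element, candidates, caseless):
    """Exact comparison; a non-string element is never a hit."""
    if not isinstance(element, str):
        return False
    if caseless:
        return element.lower() in [c.lower() for c in candidates]
    return element in candidates


def matches_any(value, candidates, negate=False, caseless=False):
    """Element-wise family: each element is kept or dropped on its own."""
    if isinstance(value, list):
        return [e for e in value if _hit(e, candidates, caseless) != negate]
    return value if _hit(value, candidates, caseless) != negate else None


def contains_any(value, candidates, negate=False, caseless=False):
    """Whole-value family: a single hit decides the fate of the entire input."""
    elements = value if isinstance(value, list) else [value]
    found = any(_hit(e, candidates, caseless) for e in elements)
    return value if found != negate else None


# Constructed sample input, matching the examples in this section.
FRUITS = ["apple", "banana", "cherry"]

if __name__ == "__main__":
    wanted = parse_filter('["melon", "orange", "banana"]', "json")
    print(matches_any(FRUITS, wanted))                 # subset of the input
    print(contains_any(FRUITS, wanted))                # the whole input
    print(contains_any(FRUITS, wanted, negate=True))   # None
```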

Operator: wildcard: contains any string of#

Returns an entire value if any of the elements matches any wildcard patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: wildcard: contains any string of

Path:

Filter:

"b?????"
Output#
banana

Example 2#

Input#
banana
Filter#

Operator: wildcard: contains any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: wildcard: contains any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"apple",
"banana",
"cherry"
]

Example 4#

Input#
[
"melon",
"lemon",
"orange"
]
Filter#

Operator: wildcard: contains any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Operator: wildcard: contains any caseless string of#

Returns an entire value if any of the elements matches any wildcard patterns given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: wildcard: contains any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: wildcard: contains any caseless string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: wildcard: doesn't contain any string of#

Returns an entire value if none of the elements matches any wildcard patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: wildcard: doesn't contain any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: wildcard: doesn't contain any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Example 3#

Input#
[
"melon",
"lemon",
"orange"
]
Filter#

Operator: wildcard: doesn't contain any string of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"melon",
"lemon",
"orange"
]

Operator: wildcard: doesn't contain any caseless line of#

Returns an entire value if none of the elements matches any wildcard patterns given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: wildcard: doesn't contain any caseless line of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Example 2#

Input#
[
"Melon",
"Lemon",
"Orange"
]
Filter#

Operator: wildcard: doesn't contain any caseless line of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
[
"Melon",
"Lemon",
"Orange"
]

Example 3#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: wildcard: doesn't contain any caseless line of

Path:

Filter:

[
"b?????",
"*c*",
"*d*"
]
Output#
null

Operator: regex: contains any string of#

Returns an entire value if any of the elements matches any regular expression patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: regex: contains any string of

Path:

Filter:

"b....."
Output#
banana

Example 2#

Input#
banana
Filter#

Operator: regex: contains any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
banana

Example 3#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: regex: contains any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"apple",
"banana",
"cherry"
]

Example 4#

Input#
[
"melon",
"lemon",
"orange"
]
Filter#

Operator: regex: contains any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Operator: regex: contains any caseless string of#

Returns an entire value if any of the elements matches any regex patterns given in a filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: regex: contains any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
Banana

Example 2#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: regex: contains any caseless string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"Apple",
"Banana",
"Cherry"
]

Operator: regex: doesn't contain any string of#

Returns an entire value if none of the elements matches any regex patterns given in a filter, `null` otherwise.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
banana
Filter#

Operator: regex: doesn't contain any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Example 2#

Input#
[
"apple",
"banana",
"cherry"
]
Filter#

Operator: regex: doesn't contain any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Example 3#

Input#
[
"melon",
"lemon",
"orange"
]
Filter#

Operator: regex: doesn't contain any string of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"melon",
"lemon",
"orange"
]

Operator: regex: doesn't contain any caseless line of#

Returns the entire value if none of its elements matches any of the regex patterns given in the filter, `null` otherwise. The matching is performed case-insensitively.

Filter Format: <JSON string> or <JSON array of string>

Example 1#

Input#
Banana
Filter#

Operator: regex: doesn't contain any caseless line of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Example 2#

Input#
[
"Melon",
"Lemon",
"Orange"
]
Filter#

Operator: regex: doesn't contain any caseless line of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
[
"Melon",
"Lemon",
"Orange"
]

Example 3#

Input#
[
"Apple",
"Banana",
"Cherry"
]
Filter#

Operator: regex: doesn't contain any caseless line of

Path:

Filter:

[
"b.....",
".*c.*",
".*d.*"
]
Output#
null

Operator: matches expressions of#

Returns the value filtered by the given `expressions`. See `Filter Syntax` for the details of `expressions`.

Filter Format: expressions

Example 1#

Input#
[
"aaa.dat",
"bbb.exe",
"ccc.exe"
]
Filter#

Operator: matches expressions of

Path:

Filter:

{
"ends with": ".exe",
"starts with": "c"
}
Output#
[
"ccc.exe"
]

Example 2#

Input#
{
"Domain": [
"www.paloaltonetworks.com",
"www.paloaltonetworks.co.jp",
"www.demisto.com"
],
"IP": [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}
Filter#

Operator: matches expressions of

Path: Domain

Filter:

[
{"ends with": ".co.jp"},
"or",
{"includes": "demisto"}
]
Output#
{
"Domain": [
"www.paloaltonetworks.co.jp",
"www.demisto.com"
],
"IP": [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}

Operator: matches conditions of#

Returns the value filtered by the given `conditions`. See `Filter Syntax` for the details of `conditions`.

Filter Format: conditions

Example 1#

Input#
{
"TrustedDevices": [
"D000002",
"D000003"
],
"Events": [
{
"Description": "User Logged In - Success",
"DeviceID": "D000001"
},
{
"Description": "File uploaded",
"DeviceID": "D000001"
},
{
"Description": "File downloaded",
"DeviceID": "D000002"
},
{
"Description": "User Logged In - Failed",
"DeviceID": "D000003"
}
]
}
Filter#

Operator: matches conditions of

Path: Events

Filter:

[
{
"Description": {
"==": "User Logged In - Failed"
}
},
"or",
[
{
"Description": {
"in list": "File uploaded,File downloaded"
}
},
"and",
"not",
{
"DeviceID": {
"matches any string of": "${local.TrustedDevices}"
}
}
]
]
Output#
{
"Events": [
{
"Description": "File uploaded",
"DeviceID": "D000001"
},
{
"Description": "User Logged In - Failed",
"DeviceID": "D000003"
}
],
"TrustedDevices": [
"D000002",
"D000003"
]
}
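
The nesting in the Example 1 filter above, evaluated step by step in an added Python sketch (not ExtFilter's own code): it keeps failed logins, plus file transfers from devices that are not in `TrustedDevices`. The operator semantics, the left-to-right evaluation and the whole-value `${local.<key>}` lookup are assumptions inferred from this example, and `OPS`, `resolve`, `matches` and `filter_path` are hypothetical names.

```python
import re

# Constructed copy of the Input and Filter from Example 1 above.
DATA = {
    "TrustedDevices": ["D000002", "D000003"],
    "Events": [
        {"Description": "User Logged In - Success", "DeviceID": "D000001"},
        {"Description": "File uploaded", "DeviceID": "D000001"},
        {"Description": "File downloaded", "DeviceID": "D000002"},
        {"Description": "User Logged In - Failed", "DeviceID": "D000003"},
    ],
}
FILTER = [
    {"Description": {"==": "User Logged In - Failed"}}, "or",
    [{"Description": {"in list": "File uploaded,File downloaded"}}, "and", "not",
     {"DeviceID": {"matches any string of": "${local.TrustedDevices}"}}],
]
# Only the three operators this filter uses; their semantics are assumptions.
OPS = {
    "==": lambda lhs, rhs: lhs == rhs,
    "in list": lambda lhs, rhs: lhs in rhs.split(","),
    "matches any string of": lambda lhs, rhs: lhs in (rhs if isinstance(rhs, list) else [rhs]),
}

def resolve(rhs, root):
    """Expand a whole-value ${local.<key>} reference against the input root (assumed meaning)."""
    m = re.fullmatch(r"\$\{local\.(\w+)\}", rhs) if isinstance(rhs, str) else None
    return root[m.group(1)] if m else rhs

def matches(node, item, root):
    """Evaluate a conditions node (dict, or array with and/or/not) against one element."""
    if isinstance(node, dict):  # every path/operator pair must hold
        return all(OPS[op](item.get(path), resolve(rhs, root))
                   for path, expr in node.items() for op, rhs in expr.items())
    result, join, negate = None, "and", False
    for part in node:  # left to right, "and" when no operator is written
        if part in ("and", "or"):
            join = part
        elif part == "not":
            negate = not negate
        else:
            val = matches(part, item, root) != negate  # apply a pending "not"
            result = val if result is None else ((result and val) if join == "and" else (result or val))
            join, negate = "and", False
    return bool(result)

def filter_path(data, conditions, path):
    # Return data with the list at data[path] reduced to the matching elements.
    return {**data, path: [e for e in data[path] if matches(conditions, e, data)]}
```

`filter_path(DATA, FILTER, "Events")` reproduces the Output shown in Example 1: the upload from `D000001` and the failed login from `D000003` remain, while the download from trusted device `D000002` is dropped.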

Example 2#

Input#
{
"Result": {
"File": [
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
],
"Host": [
{
"Name": "computer1",
"IP": "1.1.1.1"
},
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}
Filter#

Operator: matches conditions of

Path:

Filter:

{
"Result.File": {
"is filtered with" : {
"Name": {
"ends with": ".exe"
}
}
},
"Result.Host": {
"is filtered with" : {
"Name": {
"starts with": "server"
}
}
}
}
Output#
{
"Result": {
"File": [
{
"Name": "b.exe",
"Size": 200
}
],
"Host": [
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}

Example 3#

Input#
{
"Result": {
"File": [
{
"Name": "a.dat",
"Size": 100
},
{
"Name": "b.exe",
"Size": 200
},
{
"Name": "c.txt",
"Size": 300
}
],
"Host": [
{
"Name": "computer1",
"IP": "1.1.1.1"
},
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}
Filter#

Operator: matches conditions of

Path:

Filter:

{
"Result": {
"is filtered with" : {
"File": {
"is filtered with": {
"Name": {
"ends with": ".exe"
}
}
},
"Host": {
"is filtered with": {
"Name": {
"starts with": "server"
}
}
}
}
}
}
Output#
{
"Result": {
"File": [
{
"Name": "b.exe",
"Size": 200
}
],
"Host": [
{
"Name": "server1",
"IP": "2.2.2.2"
}
]
}
}

Example 4#

Input#
{
"Result" : {
"Domain" : [
"www.paloaltonetworks.com",
"www.demisto.com",
"paloaltonetowrks.com"
],
"IP" : [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}
}
Filter#

Operator: matches conditions of

Path:

Filter:

{
"Result.Domain": {
"is filtered with": {
"": {
"starts with": "www."
}
}
}
}
Output#
{
"Result" : {
"Domain" : [
"www.paloaltonetworks.com",
"www.demisto.com"
],
"IP" : [
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
}
}

Operator: value matches expressions of#

For a dictionary, evaluates the value of each element; for a value whose data type is not `dictionary`, evaluates each element. Returns the set of elements that match the expressions given in the filter. See `Filter Syntax` for the details of `expressions`.

Filter Format: expressions

Example 1#

Input#
[
"1.1.1.1",
"2.2.2.2",
"3.3.3.3"
]
Filter#

Operator: value matches expressions of

Path:

Filter:

{
"contains": "1.1.1.1"
}
Output#
[
"1.1.1.1"
]

Example 2#

Input#
{
"Communication": {
"Host1": [
"1.1.1.1",
"2.2.2.2"
],
"Host2": "1.1.1.1",
"Host3": [
"3.3.3.3",
"4.4.4.4"
]
}
}
Filter#

Operator: value matches expressions of

Path: Communication

Filter:

{
"contains": "1.1.1.1"
}
Output#
{
"Communication": {
"Host1": [
"1.1.1.1",
"2.2.2.2"
],
"Host2": "1.1.1.1"
}
}

Operator: value matches conditions of#

Evaluates the value of each dictionary element and returns the set of elements that match the conditions given in the filter. See `Filter Syntax` for the details of `conditions`.

Filter Format: conditions

Example 1#

Input#
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host2": {
"User": "TYAMADA",
"IP": "192.168.1.2",
"Score": 10
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}
Filter#

Operator: value matches conditions of

Path:

Filter:

{
"Score": {
">=": 20
}
}
Output#
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40
}
}

Example 2#

Input#
{
"Host1": {
"User": "JDOE",
"IP": "192.168.1.1",
"Score": 30,
"File": {
"Risk": [
"xxx.exe",
"yyy.pdf"
]
}
},
"Host2": {
"User": "TYAMADA",
"IP": "192.168.1.2",
"Score": 10
},
"Host3": {
"User": "MBLACK",
"IP": "3.3.3.3",
"Score": 40,
"File": {
"Risk": [
"aaa.pdf",
"bbb.exe"
]
}
}
}
Filter#

Operator: value matches conditions of

Path:

Filter:

<