CEL Examples


Following are Common Expression Language examples you can use with XDR Connector templates.

Access the usernames from an alert

${alertUsernames(inputs)}

Access the hostnames from an alert

${alertHostnames(inputs)}

Access the source_ip addresses from an alert

${alertSourceIPs(inputs)}

Access the destination_ip address from an alert

${alertDestinationIPs(inputs)}

Return the Alert Timestamp in Human Readable Format

${string(alertCreatedAtSeconds(inputs)).toTimestamp()}

Return true if the alert contains a specific related_entity value (sensorId in this example)

${'sensorId:1234redacted5678' in alertEntities(inputs)}

Create a Default Error Message

${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}

Access the TargetUserName from the source_event of an alert

${has(inputs.alert.source) && size(inputs.alert.source) > 0 && has(inputs.alert.source[0].source_event) && has(decodeJSON(inputs.alert.source[0].source_event).event_data) && has(decodeJSON(inputs.alert.source[0].source_event).event_data.TargetUserName) ? decodeJSON(inputs.alert.source[0].source_event).event_data.TargetUserName : ''}

Create a list of user names from the sourceEvent of an alert

join(alert.source.filter(s, has(s, 'sourceEvent.source_user_name')).map(s, s.sourceEvent.source_user_name), ', ')

Access the TargetDomainName from the source_event of an alert

${has(inputs.alert.source) && size(inputs.alert.source) > 0 && has(inputs.alert.source[0].source_event) && has(decodeJSON(inputs.alert.source[0].source_event).event_data) && has(decodeJSON(inputs.alert.source[0].source_event).event_data.TargetDomainName) ? decodeJSON(inputs.alert.source[0].source_event).event_data.TargetDomainName : ''}

Match an alert that is not suppressed

Note: Alert triggers now support suppressed true/false, so this trigger filter should not be used.

(has(inputs, 'alert.labels_data.labels.suppressionRule.label_name') && inputs.alert.labels_data.labels.suppressionRule.label_name != 'suppressed') || !has(inputs.alert.labels_data)

Match an investigation that is assigned to the customer/tenant

inputs.investigation.assignee_id == '@customer'

Negate a property on an alert

Note: You must wrap the part of the expression you wish to negate in parentheses ().

!(alertTitle(inputs).contains('This is a test'))