CEL Examples
The following are Common Expression Language (CEL) examples you can use with XDR Connector templates. Each example is a label followed by the expression it describes.
Access the usernames from an alert
${alertUsernames(inputs)}
Access the hostnames from an alert
${alertHostnames(inputs)}
Access the source_ip addresses from an alert
${alertSourceIPs(inputs)}
Access the destination_ip addresses from an alert
${alertDestinationIPs(inputs)}
Return the Alert Timestamp in Human Readable Format
${string(alertCreatedAtSeconds(inputs)).toTimestamp()}
Return true if the alert contains a specific related_entity value (sensorId in this example)
${'sensorId:1234redacted5678' in alertEntities(inputs)}
Create a Default Error Message
${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}
Access the TargetUserName from the source_event of an alert
${has(inputs.alert.source) && size(inputs.alert.source) > 0 && has(inputs.alert.source[0].source_event) && has(decodeJSON(inputs.alert.source[0].source_event).event_data) && has(decodeJSON(inputs.alert.source[0].source_event).event_data.TargetUserName) ? decodeJSON(inputs.alert.source[0].source_event).event_data.TargetUserName : ''}
Create a list of user names from the sourceEvent of an alert
join(alert.source.filter(s,has(s, 'sourceEvent.source_user_name')).map(s, s.sourceEvent.source_user_name), ', ')
Access the TargetDomainName from the source_event of an alert
${has(inputs.alert.source) && size(inputs.alert.source) > 0 && has(inputs.alert.source[0].source_event) && has(decodeJSON(inputs.alert.source[0].source_event).event_data) && has(decodeJSON(inputs.alert.source[0].source_event).event_data.TargetDomainName) ? decodeJSON(inputs.alert.source[0].source_event).event_data.TargetDomainName : ''}
Match an alert that is not suppressed
Note: alert triggers now support a suppressed true/false value, so this trigger filter should no longer be used.
( has(inputs,'alert.labels_data.labels.suppressionRule.label_name') && inputs.alert.labels_data.labels.suppressionRule.label_name!='suppressed' ) || !has(inputs.alert.labels_data)
Match an investigation that is assigned to the customer/tenant
inputs.investigation.assignee_id == '@customer'
Negate a property on an alert
Note: you must wrap the part of the expression you wish to negate in parentheses ().
!(alertTitle(inputs).contains('This is a test'))