Common Expression Language Examples
The following are Common Expression Language examples you can use with Secureworks® Taegis™ XDR Connector templates.
Access Usernames From an Alert
${alertUsernames(inputs)}
Access Hostnames From an Alert
${alertHostnames(inputs)}
Access source_ip Addresses From an Alert
${alertSourceIPs(inputs)}
Access destination_ip Address From an Alert
${alertDestinationIPs(inputs)}
Return the Alert Timestamp in Human Readable Format
${string(alertCreatedAtSeconds(inputs)).toTimestamp()}
Return true if Alert Contains a Specific related_entity Value
This example returns a value of true if the alert contains a specified sensorId value:
${'sensorId:1234redacted5678' in alertEntities(inputs)}
Create a Default Error Message
${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}
Access the TargetUserName from source_event of an Alert
This example accesses TargetUserName from the source_event of an alert:
${alertEntities(inputs).filter(e, e.startsWith('targetUserName'))}
Match an Investigation Assigned to the Tenant
inputs.investigation.assignee_id == '@customer'
Negate a Property on an Alert
Note that you must wrap the part you are negating in parentheses (). Use .lowerAscii() to lowercase the title.
!(alertTitle(inputs).lowerAscii().contains('this is a test'))
Map the Investigation Priority to a String
${inputs.investigation.priority > 3 ? 'Critical' : inputs.investigation.priority > 2 ? 'High' : inputs.investigation.priority > 1 ? 'Medium' : 'Low'}