Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Common Expression Language Examples

Following are Common Expression Language examples you can use with Taegis™ XDR Connector templates.

Access Usernames From an Alert


Access Hostnames From an Alert


Access source_ip Addresses From an Alert


Access destination_ip Address From an Alert


Return the Alert Timestamp in Human Readable Format


This example returns a value of true if the alert contains a specified sensorId value:

${'sensorId:1234redacted5678' in alertEntities(inputs)}

Create a Default Error Message

${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}

Access the TargetUserName from source_event of an Alert

This example accesses TargetUserName from the source_event of an alert

${alertEntities(inputs).filter(e, e.startsWith('targetUserName'))}

Match an Investigation Assigned to the Tenant

inputs.investigation.assignee_id == '@customer'

Negate a Property on an Alert

Note that you must wrap the part you are negating in parentheses (). Use .lowerAscii() to lower case the title.

!(alertTitle(inputs).lowerAscii().contains('this is a test'))

Map the Investigation Priority to a String

${inputs.investigation.priority > 3 ? 'Critical' : inputs.investigation.priority > 2 ? 'High' : inputs.investigation.priority > 1 ? 'Medium' : 'Low'}


On this page: