
Common Expression Language Examples


Following are Common Expression Language examples you can use with Secureworks® Taegis™ XDR Connector templates.

Access Usernames From an Alert

${alertUsernames(inputs)}

Access Hostnames From an Alert

${alertHostnames(inputs)}

Access source_ip Addresses From an Alert

${alertSourceIPs(inputs)}

Access destination_ip Addresses From an Alert

${alertDestinationIPs(inputs)}

Return the Alert Timestamp in Human Readable Format

${string(alertCreatedAtSeconds(inputs)).toTimestamp()}

This example returns a value of true if the alert contains a specified sensorId value:

${'sensorId:1234redacted5678' in alertEntities(inputs)}

Create a Default Error Message

${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}
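The expression above indexes body.errorMessages[0] whenever the key is present, so a response that carries the key with an empty list makes CEL raise an index-out-of-bounds error instead of returning a message. The variant below is an added example, not taken from the Taegis documentation, that guards the index with the standard CEL size() function; it assumes body is a parsed JSON map and errorMessages is a list of strings.

```cel
${!has(status.code) || status.code != 201 ? (has(body.errorMessages) && size(body.errorMessages) > 0 ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}
```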

Access the TargetUserName from source_event of an Alert

This example accesses TargetUserName from the source_event of an alert:

${alertEntities(inputs).filter(e, e.startsWith('targetUserName'))}

Match an Investigation Assigned to the Tenant

inputs.investigation.assignee_id == '@customer'

Negate a Property on an Alert

Note that you must wrap the part you are negating in parentheses (). Use .lowerAscii() to convert the title to lowercase before matching.

!(alertTitle(inputs).lowerAscii().contains('this is a test'))

Map the Investigation Priority to a String

${inputs.investigation.priority > 3 ? 'Critical' : inputs.investigation.priority > 2 ? 'High' : inputs.investigation.priority > 1 ? 'Medium' : 'Low'}

 
