Pack Contributors:
- Samuel Kamar
- Masahiko Inoue
- Jaden Evanger
- Mandar Naik
- Ryan McVicar
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Frequently used filters and transformers pack.
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
| Name | Description |
|---|---|
| IgnoreFieldsFromJson | Removed selected fields from the JSON object. |
| MapRangeValues | This script converts an input value into another value using two lists. The input value or range is searched in the first list (map_from). Example 1: map_from = "1,2,3,4" Output is "2" Example 2: map_from = "1-3,4" Output is "5". |
| RegexExpand | Extract the strings matched to the patterns by doing backslash substitution on the template string. |
| If-Elif | A transformer for if-elif-else logic. |
| BetweenHours | Checks whether the given value is within the specified time (hour) range. |
| ParseJSON | Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}. |
| ConcatFormat | Returns a string concatenated with given a prefix and suffix which supports DT expressions. |
| IsRFC1918Address | A filter that receives a single IPv4 address string as an input and determines whether it is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network |
| FormatTemplate | Build text from a template that can include DT expressions. |
| ConvertKeysToTableFieldFormat | Convert object keys to match table keys. |
| AppendIfNotEmpty | Append item(s) to the end of the list if they are not empty. |
| RegexExtractAll | Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways:
|
| LastArrayElement | Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed. |
| ConvertAllExcept | Convert all chosen values but exceptions. |
| AfterRelativeDate | Checks the given datetime has occured after the provided relative time. |
RegexGroups | Extraction of elements which are contained in all the subgroups of the match to the pattern. |
| EmailDomainWhitelist | Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array. |
| SortBy | This transformer will sort an array of dictionary values by keys in ascending or descending order. |
| BetweenDates | Whether value is within a date range. |
| ExtractEmailTransformer | Extracts email addresses from the given value. |
| Base64Decode | Decodes an input in Base64 format. |
| Cut | Cut a string by delimiter and return specific fields. Exampleinput: "A-B-C-D-E" return: "A-E". |
| GetListContent | Returns the content of the List with the given Name as a string or JSON object, depending on the selected |
| SetIfEmpty | Checks an object for an empty value and returns a pre-set default value. |
| BeforeRelativeDate | Checks the given datetime has occured before the provided relative time. |
| FormattedDateToEpoch | Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a XSOAR date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior |
| GreaterCidrNumAddresses | Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number. |
| DateStringToISOFormat | This is a thin wrapper around the |
| LowerCidrNumAddresses | Check if number of availble addresses in IPv4 CIDR is lower than given number. |
| URLDecode | Converts |
| ReverseList | Reverse a list This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag). |
| StringifyArray | Return the string encoded with JSON from the whole array |
| StringToArray | Converts string to array. |
| MapPattern | This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be: "condition expression": "desired outcome" For example: { The transformer will return the value matched to a pattern following to the priority. |
| DedupBy | This transformer will remove elements of the array that contain an identical combination of values for the keys given. |
| StringContainsArray | Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true. |
| StripChars | Strip set of characters from prefix and/or suffix |
| ParseHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
| RemoveMatches | Removes items from the given list of values if they match any of the patterns in the provided |
| WhereFieldEquals | Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments:
Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2']. |
| AnyMatch | Returns all elements from the left side that have a substring that is equal to an element from the right side. Note: This filter is case-insensitive. |
| jmespath | Performs a JMESPath search on an input JSON format, when using a transformer. |
| JsonToTable | Accepts a json object and returns a markdown. Supports clickable links. |
| TimeComponents | Takes a date or time input and get time components in a specific time zone.
|
| RegexReplace | Format patterns matched with regex. If the regex does not match any pattern, the original value is returned. Example 1: Example 2: |
| ExtractInbetween | Extract a string from an existing string. |
| CIDRBiggerThanPrefix | Checks whether a given CIDR prefix is bigger than the defined maximum prefix. |
| MapValuesTransformer | This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). Example 1: input_values = "1,2,3,4" Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" Output would be: The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string. |
| ModifyDateTime | Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format. |
| If-Then-Else | A transformer for simple if-then-else logic. |
| MergeDictArray | Each entry in an array is merged into the existing array if the keyed-value matches. |
| ConvertToSingleElementArray | Converts a single string to an array of that string. |
| IsNotInCidrRanges | Checks whether an IPv4 or IPv6 address is not contained in one or more comma-delimited CIDR ranges. |
| PadZeros | Adds zeros (0) to the beginning of the string, until the string reaches the specified length. |
| DT | This automation allows the usage of DT scripts within playbooks transformers. |
| JoinIfSingleElementOnly | Return the single element in case the array has only 1 element in it, otherwise return the whole array. |
| ProductJoin | Returns the product of two lists, joined by a separator, as a list of strings. |
| IsInCidrRanges | Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false. |
| URLEncode | Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com. |
| GetRange | Gets specified indexes of a list. |
| ArrayAnyMatch | Returns true if an element is shared between two lists. |
| IPv4Blacklist | Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space. |
| IPv4Whitelist | Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space. |
| SumList | Sums a List This is an example for number transformer. |
| EmailDomainBlacklist | Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array. |
| TimeStampToDate | Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z' |
| GetValuesOfMultipleFields | The script receives a list of fields and a context key base path. For example, Key=Test.result List=username,user gets all of the values from Test.result.username and Test.result.user. |
| MakePair | This transformer will create a list of dictionary by aggregating elements from two arrays. |
| FirstArrayElement | Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed. |
| RemoveEmpty | Remove empty items, entries or nodes from the array. |
| InRange | checks if left side is in range of right side (from,to anotation) |
| CheckIfSubdomain | Checks whether a given domain is a subdomain of one of the listed domains. |
| RemoveNullBytes | Removes null bytes from string. |
| Name | Description |
|---|---|
| AppendIfNotEmpty | Append item(s) to the end of the list if they are not empty. |
| IsNotInCidrRanges | Checks whether an IPv4 or IPv6 address is not contained in one or more comma-delimited CIDR ranges. |
| GetValuesOfMultipleFields | The script receives a list of fields and a context key base path. For example, Key=Test.result List=username,user gets all of the values from Test.result.username and Test.result.user. |
| RegexReplace | Format patterns matched with regex. If the regex does not match any pattern, the original value is returned. Example 1: Example 2: |
| ArrayAnyMatch | Returns true if an element is shared between two lists. |
| JsonToTable | Accepts a json object and returns a markdown. Supports clickable links. |
| TimeStampToDate | Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z' |
| ExtractEmailTransformer | Extracts email addresses from the given value. |
| RemoveNullBytes | Removes null bytes from string. |
| ModifyDateTime | Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format. |
| CIDRBiggerThanPrefix | Checks whether a given CIDR prefix is bigger than the defined maximum prefix. |
| URLEncode | Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com. |
| IsRFC1918Address | A filter that receives a single IPv4 address string as an input and determines whether it is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network |
| DedupBy | This transformer will remove elements of the array that contain an identical combination of values for the keys given. |
| BetweenDates | Whether value is within a date range. |
| GreaterCidrNumAddresses | Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number. |
| ExtractInbetween | Extract a string from an existing string. |
| FormatTemplate | Build text from a template that can include DT expressions. |
| IPv4Whitelist | Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space. |
| ReverseList | Reverse a list This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag). |
| If-Then-Else | A transformer for simple if-then-else logic. |
| MapRangeValues | This script converts an input value into another value using two lists. The input value or range is searched in the first list (map_from). Example 1: map_from = "1,2,3,4" Output is "2" Example 2: map_from = "1-3,4" Output is "5". |
| Cut | Cut a string by delimiter and return specific fields. Exampleinput: "A-B-C-D-E" return: "A-E". |
| StripChars | Strip set of characters from prefix and/or suffix |
| RemoveMatches | Removes items from the given list of values if they match any of the patterns in the provided |
| ConcatFormat | Returns a string concatenated with given a prefix and suffix which supports DT expressions. |
| BeforeRelativeDate | Checks the given datetime has occured before the provided relative time. |
| If-Elif | A transformer for if-elif-else logic. |
| CheckIfSubdomain | Checks whether a given domain is a subdomain of one of the listed domains. |
| URLDecode | Converts |
| MapPattern | This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be: "condition expression": "desired outcome" For example: { The transformer will return the value matched to a pattern following to the priority. |
| ConvertKeysToTableFieldFormat | Convert object keys to match table keys. |
| EmailDomainWhitelist | Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array. |
| WhereFieldEquals | Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments:
Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2']. |
| FirstArrayElement | Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed. |
| LowerCidrNumAddresses | Check if number of availble addresses in IPv4 CIDR is lower than given number. |
| RegexExpand | Extract the strings matched to the patterns by doing backslash substitution on the template string. |
| StringToArray | Converts string to array. |
| StringifyArray | Return the string encoded with JSON from the whole array |
| ConvertToSingleElementArray | Converts a single string to an array of that string. |
| GetRange | Gets specified indexes of a list. |
| ParseJSON | Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}. |
| FormattedDateToEpoch | Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a XSOAR date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior |
| IgnoreFieldsFromJson | Removed selected fields from the JSON object. |
| MergeDictArray | Each entry in an array is merged into the existing array if the keyed-value matches. |
| GetListContent | Returns the content of the List with the given Name as a string or JSON object, depending on the selected |
| SortBy | This transformer will sort an array of dictionary values by keys in ascending or descending order. |
| MakePair | This transformer will create a list of dictionary by aggregating elements from two arrays. |
| InRange | checks if left side is in range of right side (from,to anotation) |
RegexGroups | Extraction of elements which are contained in all the subgroups of the match to the pattern. |
| jmespath | Performs a JMESPath search on an input JSON format, when using a transformer. |
| Base64Decode | Decodes an input in Base64 format. |
| SetIfEmpty | Checks an object for an empty value and returns a pre-set default value. |
| ProductJoin | Returns the product of two lists, joined by a separator, as a list of strings. |
| BetweenHours | Checks whether the given value is within the specified time (hour) range. |
| RegexExtractAll | Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways:
|
| RemoveEmpty | Remove empty items, entries or nodes from the array. |
| MapValuesTransformer | This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). Example 1: input_values = "1,2,3,4" Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" Output would be: The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string. |
| DT | This automation allows the usage of DT scripts within playbooks transformers. |
| LastArrayElement | Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed. |
| TimeComponents | Takes a date or time input and get time components in a specific time zone.
|
| StringContainsArray | Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true. |
| ParseHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
| DateStringToISOFormat | This is a thin wrapper around the |
| IsInCidrRanges | Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false. |
| PadZeros | Adds zeros (0) to the beginning of the string, until the string reaches the specified length. |
| ConvertAllExcept | Convert all chosen values but exceptions. |
| JoinIfSingleElementOnly | Return the single element in case the array has only 1 element in it, otherwise return the whole array. |
| EmailDomainBlacklist | Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array. |
| SumList | Sums a List This is an example for number transformer. |
| AfterRelativeDate | Checks the given datetime has occured after the provided relative time. |
| IPv4Blacklist | Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space. |
| AnyMatch | Returns all elements from the left side that have a substring that is equal to an element from the right side. Note: This filter is case-insensitive. |
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Pack Name | Pack By |
|---|
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | January 4, 2022 | |
| Last Release | July 5, 2026 |