Checks whether the given value is within the specified time (hour) range.

This is a thin wrapper around the dateutil.parser.parse function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.

Extract the strings matched to the patterns by doing backslash substitution on the template string.
This transformer allow to input multiple regex patterns and multiple match targets, and those can be given in the input value and the argument parameters.

Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a XSOAR date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior

Remove empty items, entries or nodes from the array.

Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.

Return the single element in case the array has only 1 element in it, otherwise return the whole array.

Extracts email addresses from the given value.

A filter that receives a single IPv4 address string as an input and determines whether it is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network

Checks whether a given domain is a subdomain of one of the listed domains.

Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways:

• It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses.
• Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline
• Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match.
• It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.

A transformer for if-elif-else logic.

Build text from a template that can include DT expressions.

Checks an object for an empty value and returns a pre-set default value.

Checks the given datetime has occured after the provided relative time.

Checks whether an IPv4 or IPv6 address is not contained in one or more comma-delimited CIDR ranges.

Returns the product of two lists, joined by a separator, as a list of strings.

This automation allows the usage of DT scripts within playbooks transformers.

Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.

Decodes an input in Base64 format.

Cut a string by delimiter and return specific fields.

Example

input: "A-B-C-D-E"
delimiter: "-"
fields: "1,5"

return: "A-E".

Returns true if an element is shared between two lists.

This transformer will remove elements of the array that contain an identical combination of values for the keys given.

Sums a List
e.g. ["25", "10", "25"] => "60"

This is an example for number transformer.

Checks whether a given CIDR prefix is bigger than the defined maximum prefix.

This transformer will sort an array of dictionary values by keys in ascending or descending order.

This script converts the input value into another value using two lists. The input value is searched in the first list (input_values).
If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned.
If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value".

Example 1:

input_values = "1,2,3,4"
mapper_values = "4,3,2,1"
value = 3

Output would be "2"

Example 2:

input_values ="firstkey: datahere,secondkey: datathere"
mapper_values = "datathere,datahere"
value(dict)= {
"firstkey": "datahere"
}

Output would be:
{
"firstkey": "datathere"
}

The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed.

When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.

Convert all chosen values but exceptions.

Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array.

Returns all elements from the left side that have a substring that is equal to an element from the right side. Note: This filter is case-insensitive.
E.g -AnyMatch left=baby right=A will return baby. For more examples see the filter's Readme.

Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.

checks if left side is in range of right side (from,to anotation)
e.g. - InRange left=4right=1,8 will return true.

Format patterns matched with regex. If the regex does not match any pattern, the original value is returned.

Example 1:
value: user=john
regex: user=(.*)
output_format: name=\1
-> output value: name=john

Example 2:
value: xxx=yyy
regex: user=(.*)
output_format: name=\1
-> output value: xxx=yyy.

Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false.

Reverse a list
e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"]

This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag).

Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.

Adds zeros (0) to the beginning of the string, until the string reaches the specified length.

Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument

E.g. !WhereFieldEquals with the following arguments:

• value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }]
• field='type'
• equalTo='IP'
• getField='name'

Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2'].

Whether value is within a date range.

Converts string to array.
For example: http://example.com/?score:1,4,time:55 will be transformed to ["http://example.com/?score:1,4,time:55"].

Gets specified indexes of a list.

Extraction of elements which are contained in all the subgroups of the match to the pattern.
For example, extracting from the string "The quick brown fox" the object {"article":"The","noun":quick"}
(See arguments descriptions for more details).

Each entry in an array is merged into the existing array if the keyed-value matches.

Returns the content of the List with the given Name as a string or JSON object, depending on the selected type.

Extract a string from an existing string.

Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.

The script receives a list of fields and a context key base path. For example, Key=Test.result List=username,user gets all of the values from Test.result.username and Test.result.user.
The Get field of the task must have the value ${.=[]}.

Converts a single string to an array of that string.

Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.

Append item(s) to the end of the list if they are not empty.

Takes a date or time input and get time components in a specific time zone.
Returns a dictionary with the following components.

• year
• year_4_digit
• month
• month_3_letter
• month_full_name
• month_2_digit
• day
• day_2_digit
• day_of_week (Sun:0, Sat:6)
• day_of_week_3_letter
• day_of_week_full_name
• day_of_year
• day_of_year_3_digit
• hour
• hour_12_clock
• hour_2_digit_24_clock
• hour_2_digit_12_clock
• hour_of_day
• minute
• minute_2_digit
• minute_of_day
• second
• second_2_digit
• second_of_day
• millisecond
• period_12_clock
• time_zone_hhmm
• time_zone_offset
• time_zone_abbreviations
• unix_epoch_time
• iso_8601
• y-m-d
• yyyy-mm-dd
• hⓂ️s
• HⓂ️s
• hh:mm:ss
• HH:mm:ss.

Removed selected fields from the JSON object.

Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array.

Performs a JMESPath search on an input JSON format, when using a transformer.

Strip set of characters from prefix and/or suffix
e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com

Checks the given datetime has occured before the provided relative time.

This transformer will create a list of dictionary by aggregating elements from two arrays.
The one is given by value (with array1_key), another is given by array2 (with array2_key).

This script converts an input value into another value using two lists. The input value or range is searched in the first list (map_from).
If it exists, the value at the same index from the second list (map_to) is returned. If there is no match, the original value is returned.
This script supports mapping from either ranges of float numbers or text strings.

Example 1:

map_from = "1,2,3,4"
map_to = "4,3,2,1"
value = 3

Output is "2"

Example 2:

map_from = "1-3,4"
map_to = "5,1"
value = 3

Output is "5".

Removes items from the given list of values if they match any of the patterns in the provided filters.
If the match_exact argument is 'yes', direct string compare is used, otherwise the comparison is done using regex.

Returns a string concatenated with given a prefix and suffix which supports DT expressions.

Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}.

Return the string encoded with JSON from the whole array

Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.

This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be:

"condition expression": "desired outcome"

For example:

{
".match 1.": "Dest Val1",
".match 2.": "Dest Val2",
".match 3(.)": "\1",
"match 4": {
"algorithm": "wildcard",
"output": "Dest Val4"
}
}

The transformer will return the value matched to a pattern following to the priority.
When unmatched or the input value is structured (dict or list), it will simply return the input value.

Convert object keys to match table keys.
Use when mapping object/collection to table (grid) field.
(Array of objects/collections is also supported).
Example:
Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true }
Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }

Converts
https:%2F%2Fexample.com
into
https://example.com

Accepts a json object and returns a markdown. Supports clickable links.

Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.

A transformer for simple if-then-else logic.

Removes null bytes from string.

Check if number of availble addresses in IPv4 CIDR is lower than given number.

Find tables inside HTML and extract the contents into objects using the following logic:

• If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value
• If table has a header row, create a table of objects where attribute names are the headers
• If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…

Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field

e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'

Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.

Checks whether the given value is within the specified time (hour) range.

Checks whether an IPv4 or IPv6 address is not contained in one or more comma-delimited CIDR ranges.

Returns all elements from the left side that have a substring that is equal to an element from the right side. Note: This filter is case-insensitive.
E.g -AnyMatch left=baby right=A will return baby. For more examples see the filter's Readme.

Removed selected fields from the JSON object.

Return the single element in case the array has only 1 element in it, otherwise return the whole array.

A filter that receives a single IPv4 address string as an input and determines whether it is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network

Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.

Cut a string by delimiter and return specific fields.

Example

input: "A-B-C-D-E"
delimiter: "-"
fields: "1,5"

return: "A-E".

Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.

Checks whether a given CIDR prefix is bigger than the defined maximum prefix.

Strip set of characters from prefix and/or suffix
e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com

Decodes an input in Base64 format.

The script receives a list of fields and a context key base path. For example, Key=Test.result List=username,user gets all of the values from Test.result.username and Test.result.user.
The Get field of the task must have the value ${.=[]}.

Each entry in an array is merged into the existing array if the keyed-value matches.

Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a XSOAR date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior

Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array.

Convert object keys to match table keys.
Use when mapping object/collection to table (grid) field.
(Array of objects/collections is also supported).
Example:
Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true }
Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }

Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways:

• It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses.
• Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline
• Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match.
• It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.

Find tables inside HTML and extract the contents into objects using the following logic:

• If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value
• If table has a header row, create a table of objects where attribute names are the headers
• If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…

A transformer for simple if-then-else logic.

Append item(s) to the end of the list if they are not empty.

Returns true if an element is shared between two lists.

checks if left side is in range of right side (from,to anotation)
e.g. - InRange left=4right=1,8 will return true.

This transformer will remove elements of the array that contain an identical combination of values for the keys given.

Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array.

This script converts an input value into another value using two lists. The input value or range is searched in the first list (map_from).
If it exists, the value at the same index from the second list (map_to) is returned. If there is no match, the original value is returned.
This script supports mapping from either ranges of float numbers or text strings.

Example 1:

map_from = "1,2,3,4"
map_to = "4,3,2,1"
value = 3

Output is "2"

Example 2:

map_from = "1-3,4"
map_to = "5,1"
value = 3

Output is "5".

Sums a List
e.g. ["25", "10", "25"] => "60"

This is an example for number transformer.

Adds zeros (0) to the beginning of the string, until the string reaches the specified length.

Extracts email addresses from the given value.

Extract the strings matched to the patterns by doing backslash substitution on the template string.
This transformer allow to input multiple regex patterns and multiple match targets, and those can be given in the input value and the argument parameters.

Return the string encoded with JSON from the whole array

Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field

e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'

This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be:

"condition expression": "desired outcome"

For example:

{
".match 1.": "Dest Val1",
".match 2.": "Dest Val2",
".match 3(.)": "\1",
"match 4": {
"algorithm": "wildcard",
"output": "Dest Val4"
}
}

The transformer will return the value matched to a pattern following to the priority.
When unmatched or the input value is structured (dict or list), it will simply return the input value.

Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.

Accepts a json object and returns a markdown. Supports clickable links.

Checks whether a given domain is a subdomain of one of the listed domains.

Performs a JMESPath search on an input JSON format, when using a transformer.

This script converts the input value into another value using two lists. The input value is searched in the first list (input_values).
If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned.
If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value".

Example 1:

input_values = "1,2,3,4"
mapper_values = "4,3,2,1"
value = 3

Output would be "2"

Example 2:

input_values ="firstkey: datahere,secondkey: datathere"
mapper_values = "datathere,datahere"
value(dict)= {
"firstkey": "datahere"
}

Output would be:
{
"firstkey": "datathere"
}

The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed.

When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.

Takes a date or time input and get time components in a specific time zone.
Returns a dictionary with the following components.

• year
• year_4_digit
• month
• month_3_letter
• month_full_name
• month_2_digit
• day
• day_2_digit
• day_of_week (Sun:0, Sat:6)
• day_of_week_3_letter
• day_of_week_full_name
• day_of_year
• day_of_year_3_digit
• hour
• hour_12_clock
• hour_2_digit_24_clock
• hour_2_digit_12_clock
• hour_of_day
• minute
• minute_2_digit
• minute_of_day
• second
• second_2_digit
• second_of_day
• millisecond
• period_12_clock
• time_zone_hhmm
• time_zone_offset
• time_zone_abbreviations
• unix_epoch_time
• iso_8601
• y-m-d
• yyyy-mm-dd
• hⓂ️s
• HⓂ️s
• hh:mm:ss
• HH:mm:ss.

Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false.

Checks the given datetime has occured after the provided relative time.

Returns a string concatenated with given a prefix and suffix which supports DT expressions.

Reverse a list
e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"]

This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag).

This automation allows the usage of DT scripts within playbooks transformers.

Whether value is within a date range.

Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.

Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.

Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}.

Gets specified indexes of a list.

Returns the content of the List with the given Name as a string or JSON object, depending on the selected type.

Extract a string from an existing string.

Removes items from the given list of values if they match any of the patterns in the provided filters.
If the match_exact argument is 'yes', direct string compare is used, otherwise the comparison is done using regex.

Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument

E.g. !WhereFieldEquals with the following arguments:

• value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }]
• field='type'
• equalTo='IP'
• getField='name'

Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2'].

Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.

Extraction of elements which are contained in all the subgroups of the match to the pattern.
For example, extracting from the string "The quick brown fox" the object {"article":"The","noun":quick"}
(See arguments descriptions for more details).

Checks the given datetime has occured before the provided relative time.

This is a thin wrapper around the dateutil.parser.parse function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.

Checks an object for an empty value and returns a pre-set default value.

This transformer will sort an array of dictionary values by keys in ascending or descending order.

Check if number of availble addresses in IPv4 CIDR is lower than given number.

Removes null bytes from string.

Remove empty items, entries or nodes from the array.

A transformer for if-elif-else logic.

Build text from a template that can include DT expressions.

Format patterns matched with regex. If the regex does not match any pattern, the original value is returned.

Example 1:
value: user=john
regex: user=(.*)
output_format: name=\1
-> output value: name=john

Example 2:
value: xxx=yyy
regex: user=(.*)
output_format: name=\1
-> output value: xxx=yyy.

Returns the product of two lists, joined by a separator, as a list of strings.

Converts
https:%2F%2Fexample.com
into
https://example.com

Converts a single string to an array of that string.

Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.

Convert all chosen values but exceptions.

Converts string to array.
For example: http://example.com/?score:1,4,time:55 will be transformed to ["http://example.com/?score:1,4,time:55"].

This transformer will create a list of dictionary by aggregating elements from two arrays.
The one is given by value (with array1_key), another is given by array2 (with array2_key).