Filters And Transformers
Frequently used filters and transformers pack.
Name | Description |
---|---|
SetIfEmpty | Checks an object for an empty value and returns a pre-set default value. |
AfterRelativeDate | Checks whether the given datetime occurred after the provided relative time. |
IsNotInCidrRanges | Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges. |
MergeDictArray | Each entry in an array is merged into the existing array if the keyed-value matches. |
StringToArray | Converts string to array. |
BetweenHours | Checks whether the given value is within the specified time (hour) range. |
StripChars | Strips a set of characters from the prefix and/or suffix. |
RegexGroups | Extraction of elements which are contained in all the subgroups of the match to the pattern. |
RegexExtractAll | Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways: |
URLEncode | Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com. |
EmailDomainBlacklist | Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array. |
InRange | Checks whether the left side is in the range given on the right side (from,to notation). |
CIDRBiggerThanPrefix | Checks whether a given CIDR prefix is bigger than the defined maximum prefix. |
MapPattern | This transformer takes in a value and transforms it based on multiple condition expressions (wildcard, regex, etc.) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be: "condition expression": "desired outcome". The transformer will return the value matched to a pattern according to the priority. |
MapRangeValues | This script converts an input value into another value using two lists. The input value or range is searched in the first list (map_from). Example 1: map_from = "1,2,3,4" Output is "2" Example 2: map_from = "1-3,4" Output is "5" |
RemoveEmpty | Remove empty items, entries or nodes from the array. |
GreaterCidrNumAddresses | Checks whether the number of available addresses in an IPv4 or IPv6 CIDR is greater than the given number. |
AppendIfNotEmpty | Append item(s) to the end of the list if they are not empty. |
IsRFC1918Address | A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network |
DateStringToISOFormat | This is a thin wrapper around the |
PadZeros | Adds zeros (0) to the beginning of the string, until the string reaches the specified length. |
If-Then-Else | A transformer for simple if-then-else logic. |
jmespath | Performs a JMESPath search on an input JSON format, when using a transformer. |
GetRange | Gets specified indexes of a list. |
Cut | Cuts a string by delimiter and returns specific fields. Example input: "A-B-C-D-E" return: "A-E" |
SumList | Sums a list. This is an example of a number transformer. |
ConvertKeysToTableFieldFormat | Converts object keys to match table keys. |
IgnoreFieldsFromJson | Removes selected fields from the JSON object. |
RegexExpand | Extract the strings matched to the patterns by doing backslash substitution on the template string. |
BetweenDates | Whether value is within a date range. |
MapValuesTransformer | This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). Example 1: input_values = "1,2,3,4" Output would be "2" Example 2: input_values = "firstkey: datahere,secondkey: datathere" Output would be: The reason for matching the key AND value pair in a dictionary is to allow the mapping of values that have a specific key name. In most cases, dictionaries will contain key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str, int, or list, the output is ALWAYS returned as a string. |
ParseJSON | Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}. |
ReverseList | Reverses a list. This is an example of an entire-list transformer: it operates on the argument as a list (note the "entirelist" tag). |
CheckIfSubdomain | Checks whether a given domain is a subdomain of one of the listed domains. |
IPv4Blacklist | Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space. |
StringifyArray | Return the string encoded with JSON from the whole array |
FormatTemplate | Build text from a template that can include DT expressions. |
LastArrayElement | Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed. |
ExtractInbetween | Extract a string from an existing string. |
TimeComponents | Takes a date or time input and gets time components in a specific time zone. |
IPv4Whitelist | Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space. |
ConvertToSingleElementArray | Converts a single string to an array of that string. |
FormattedDateToEpoch | Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to an XSOAR date field. If you pass the formatter argument, it is used for the transformation. If not, dateparser.parse is used. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior |
ConcatFormat | Returns a string concatenated with a given prefix and suffix that supports DT expressions. |
Base64Decode | Decodes an input in Base64 format. |
EmailDomainWhitelist | Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array. |
TimeStampToDate | Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z' |
ParseHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic: |
StringContainsArray | Checks whether a substring or an array of substrings is within a string array (each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true. |
IsInCidrRanges | Determines whether an IPv4 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4 addresses can be passed comma-delimited and each will be tested. |
FirstArrayElement | Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed. |
ConvertAllExcept | Convert all chosen values but exceptions. |
ModifyDateTime | Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format. |
ExtractEmailTransformer | Extracts email addresses from the given value. |
URLDecode | Converts |
RegexReplace | Format patterns matched with regex. If the regex does not match any pattern, the original value is returned. Example 1: Example 2: |
JsonToTable | Accepts a JSON object and returns Markdown. |
DT | This automation allows the usage of DT scripts within playbook transformers. |
WhereFieldEquals | Return all items from the list where their given 'field' attribute is equal to the 'equalTo' argument. E.g. !WhereFieldEquals with the following arguments: Will return all item names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2'] |
GetValuesOfMultipleFields | The script receives a list of fields and a context key base path. For example, Key=Test.result List=username,user and will get all of the values from Test.result.username and Test.result.user. |
JoinIfSingleElementOnly | Return the single element in case the array has only 1 element in it, otherwise return the whole array |
LowerCidrNumAddresses | Checks whether the number of available addresses in an IPv4 CIDR is lower than the given number. |
ProductJoin | Returns the product of two lists, joined by a separator, as a list of strings. |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Scripts
IgnoreFieldsFromJson
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.8.39276.
GetRange
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.1.25933.
GetValuesOfMultipleFields
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.42476.
If-Then-Else
- Moved from CommonScripts.
ModifyDateTime
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
ProductJoin
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
PadZeros
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.42476.
MapValuesTransformer
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
ParseJSON
- Moved from CommonScripts.
LastArrayElement
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.8.24399.
IPv4Blacklist
- Moved from CommonScripts.
- Updated the Docker image to: demisto/netutils:1.0.0.24101.
IPv4Whitelist
- Moved from CommonScripts.
- Updated the Docker image to: demisto/netutils:1.0.0.24101.
JoinIfSingleElementOnly
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.6.33415.
jmespath
- Moved from CommonScripts.
- Updated the Docker image to: demisto/py3-tools:0.0.1.30715.
JsonToTable
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.4.29342.
SetIfEmpty
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.7.33922.
StringToArray
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
StripChars
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
ReverseList
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
RegexGroups
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
RegexExtractAll
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
- 23486
Scripts
FormattedDateToEpoch
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.42476.
EmailDomainBlacklist
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.8.24399.
EmailDomainWhitelist
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.8.24399.
FirstArrayElement
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.8.24399.
ExtractInbetween
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.4.27798.
- 23480
Scripts
WhereFieldEquals
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
SumList
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
URLEncode
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
URLDecode
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
TimeStampToDate
- Moved from CommonScripts.
- 23695
Scripts
Cut
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.42476.
ConvertKeysToTableFieldFormat
- Moved from CommonScripts.
ConvertToSingleElementArray
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.42476.
DT
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.8.24399.
DateStringToISOFormat
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.42476.
- 23477
Scripts
BetweenDates
- Note: Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.7.33922.
Base64Decode
- Note: Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.7.35188.
ConvertAllExcept
- Note: Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.8.24399.
BetweenHours
- Note: Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.9.40422.
- 23468
Scripts
CIDRBiggerThanPrefix
- Updated the Docker image to: demisto/python3:3.10.4.28442.
- Moved from CommonScripts.
CheckIfSubdomain
- Updated the Docker image to: demisto/python3:3.10.4.28442.
- Moved from CommonScripts.
GreaterCidrNumAddresses
- Updated the Docker image to: demisto/python3:3.9.8.24399.
- Moved from CommonScripts.
InRange
- Updated the Docker image to: demisto/python3:3.9.8.24399.
- Moved from CommonScripts.
AfterRelativeDate
- Updated the Docker image to: demisto/python3:3.9.8.24399.
- Moved from CommonScripts.
IsRFC1918Address
- Moved from CommonScripts.
- Updated the Docker image to: demisto/netutils:1.0.0.24101.
IsInCidrRanges
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.10.4.28442.
StringContainsArray
- Moved from CommonScripts.
LowerCidrNumAddresses
- Moved from CommonScripts.
- Updated the Docker image to: demisto/python3:3.9.7.24076.
IsNotInCidrRanges
- Moved from CommonScripts.
- Updated the Docker image to: demisto/netutils:1.0.0.24101.
- 23445
Scripts
New: MapPattern
- This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc.) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be:
"condition expression": "desired outcome"
For example:
{
    ".match 1.": "Dest Val1",
    ".match 2.": "Dest Val2",
    ".match 3(.)": "\1",
    "match 4": {
        "algorithm": "wildcard",
        "output": "Dest Val4"
    }
}
The transformer will return the value matched to a pattern according to the priority.
When unmatched, or when the input value is structured (dict or list), it will simply return the input value. (Available from Cortex XSOAR 6.5.0).
New: AppendIfNotEmpty
- Append item(s) to the end of the list if they are not empty. (Available from Cortex XSOAR 6.0.0).
New: RegexExpand
- Extract the strings matched to the patterns by doing backslash substitution on the template string.
This transformer accepts multiple regex patterns and multiple match targets, which can be given in the input value and in the argument parameters. (Available from Cortex XSOAR 6.5.0).
StringifyArray
- Return the string encoded with JSON from the whole array
RemoveEmpty
- Remove empty items, entries or nodes from the array.
New: RegexReplace
- Format patterns matched with regex. If the regex does not match any pattern, the original value is returned.
Example 1:
value: user=john
regex: user=(.)
output_format: name=\1
-> output value: name=john
Example 2:
value: xxx=yyy
regex: user=(.)
output_format: name=\1
-> output value: xxx=yyy
(Available from Cortex XSOAR 6.5.0).
New: ParseHTMLTables
- Find tables inside HTML and extract the contents into objects using the following logic:
- If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value
- If table has a header row, create a table of objects where attribute names are the headers
- If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3… (Available from Cortex XSOAR 6.5.0).
New: MergeDictArray
- Each entry in an array is merged into the existing array if the keyed-value matches. (Available from Cortex XSOAR 6.0.0).
- 23111
- 22952
Scripts
New: FormatTemplate
Builds text from a template that can include DT expressions. (Available from Cortex XSOAR 6.5.0).
New: ConcatFormat
Returns a string concatenated with a given prefix and suffix that supports DT expressions. (Available from Cortex XSOAR 6.5.0).
- 22654
- 21497
Scripts
ExtractEmailTransformer
- Fixed the script's tags to include 'transformer' instead of 'Transformer'.
- Updated the Docker image to: demisto/python3:3.10.4.29342.
PUBLISHER
Cortex
INFO
Certification | Certified |
Supported By | Cortex |
Created | January 4, 2022 |
Last Release | February 7, 2023 |