Filter expressions

Whether building a template manually or by using the Case Mapping Tool, you must define the mapping expressions by using the Jinja2 template language. The Jinja2 filters transform the QRadar® offense data into a format that can be used by SOAR.
Jinja filter expressions format or modify a value before the value is copied into the case. When you build a filter expression, the filter is separated from the offense field name by a pipe ( | ) symbol, as shown in the following example.
{{ offense.<offense_field>|<filter_name> }}

The following table shows examples of the filters that you can use when you build the SOAR mapping template. To learn more about using Jinja, see the JINJA 3.1.x documentation (

Table 1. Jinja2 filter expressions
Filter name Description Sample usage


Converts epoch milliseconds timestamp value to a string representation of the time, in milliseconds, that has elapsed.

{{ offense.start_time|ago }}


Converts a list of values to a comma-separated string.

{{ offense.categories|csv }}


Converts the display name to an email address, if the email address exists in the SOAR organization.

If the email does not exist, it returns the default SOAR email address that is specified in the app.config file.

{{ offense.assigned_to|res_email }}


HTML-escaped version of value.


Converts epoch milliseconds timestamp value to an ISO8601 datetime value.

{{ offense.start_time|iso8601 }}


Same as the json filter but strips the surrounding quotation marks from the result.

{{ offense.description|js }}


JSON-friendly version of the value.

{{ offense.description|js }}


Removes all entries that are on the Local Destination IP ignore list from a list of values.

{{ offense.local_destination_addresses|local_dest_ip_whitelist }}


Maps a numeric QRadar severity to a SOAR severity:
  • 8-10 = High
  • 4-7 = Medium
  • 1-3 = Low
{{ offense.severity|severity }}


Removes all entries that are on the Source IP ignore list from a list of values.

{{ offense.source_addresses|src_ip_whitelist }}


Removes duplicate entries from a list of values.

The template is rendered as a .json document. The document is posted to SOAR to create a new case, or it is converted to a URL with key value parameters in the SOAR web URL format. For more information about the web URL format, see Web URL Integration Guide.