Filter expressions
{{ offense.<offense_field>|<filter_name> }}
The following table shows examples of the filters that you can use when you build the SOAR mapping template. To learn more about using Jinja, see the JINJA 3.1.x documentation (https://jinja.palletsprojects.com/en/3.1.x/).
| Filter name | Description | Sample usage |
|---|---|---|
| ago | Converts epoch milliseconds timestamp value to a string representation of the time, in milliseconds, that has elapsed. | {{ offense.start_time\|ago }} |
| csv | Converts a list of values to a comma-separated string. | {{ offense.categories\|csv }} |
| res_email | Converts the display name to an email address, if the email address exists in the SOAR organization. If the email does not exist, it returns the default SOAR email address that is specified in the app.config file. | {{ offense.assigned_to\|res_email }} |
| | HTML-escaped version of value. | |
| iso8601 | Converts epoch milliseconds timestamp value to an ISO8601 datetime value. | {{ offense.start_time\|iso8601 }} |
| | Same as the | {{ offense.description\|js }} |
| | JSON-friendly version of the value. | {{ offense.description\|js }} |
| local_dest_ip_whitelist | Removes all entries that are on the Local Destination IP ignore list from a list of values. | {{ offense.local_destination_addresses\|local_dest_ip_whitelist }} |
| severity | Maps a numeric QRadar severity to a SOAR severity: | {{ offense.severity\|severity }} |
| src_ip_whitelist | Removes all entries that are on the Source IP ignore list from a list of values. | {{ offense.source_addresses\|src_ip_whitelist }} |
| | Removes duplicate entries from a list of values. | |
The template is rendered as a .json document. The document is posted to SOAR to create a new case, or it is converted to a URL with key-value parameters in the SOAR web URL format. For more information about the web URL format, see Web URL Integration Guide.
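
Because the rendered template has to be a valid .json document, a field that carries free text needs a JSON-safe filter before it is placed between quotes. The following Python sketch is an added example, not the app's code: it uses a small regex renderer in place of Jinja and stand-in filters written from the table's descriptions, and the template keys, the sample offense and the exact filter output formats are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Stand-in filters written from the table's descriptions. The app's own
# filter code and exact output formats are not on this page (assumptions).
FILTERS = {
    "csv": lambda v: ",".join(str(x) for x in v),
    "iso8601": lambda ms: datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(),
    # Assumed: JSON string escaping without the surrounding quotes.
    "js": lambda v: json.dumps(str(v))[1:-1],
}

# Matches {{ offense.<offense_field> }} and {{ offense.<offense_field>|<filter_name> }}
EXPR = re.compile(r"\{\{\s*offense\.(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render(template, offense):
    """Expand each expression; a value with no filter is inserted as-is."""
    def expand(match):
        field, name = match.groups()
        value = offense[field]
        return str(FILTERS[name](value)) if name else str(value)
    return EXPR.sub(expand, template)


def parse_case(template, offense):
    """Render, then parse as a JSON consumer would. None means invalid JSON."""
    try:
        return json.loads(render(template, offense))
    except json.JSONDecodeError:
        return None


# Constructed offense: the description holds free text from a log event.
OFFENSE = {
    "description": 'Login failed for "admin"\nSource: host\\srv01',
    "start_time": 1700000000000,
    "categories": ["Authentication", "Access"],
}
# Constructed templates; the JSON keys are illustrative, not SOAR field names.
UNFILTERED = '{"description": "{{ offense.description }}"}'
FILTERED = ('{"description": "{{ offense.description|js }}",'
            ' "start": "{{ offense.start_time|iso8601 }}",'
            ' "categories": "{{ offense.categories|csv }}"}')

if __name__ == "__main__":
    print(parse_case(UNFILTERED, OFFENSE))  # quotes/newline break the document
    print(parse_case(FILTERED, OFFENSE))
```

The unfiltered template stops being valid JSON as soon as the description contains a quote, backslash or newline, while the filtered one round-trips the same text unchanged.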