Filter expressions

Whether you build a template manually or with the Case Mapping Tool, you define the mapping expressions in the Jinja2 template language. Jinja2 filters transform the QRadar® offense data into a format that SOAR can use.
A filter expression formats or modifies a value before that value is copied into the case. In a filter expression, the filter name is separated from the offense field name by a pipe ( | ) symbol, as shown in the following example. Filters can be chained with additional pipes, each filter being applied to the output of the previous one.
{{ offense.<offense_field>|<filter_name> }}

The following table shows examples of the filters that you can use when you build the SOAR mapping template. To learn more about using Jinja, see the JINJA 3.1.x documentation (https://jinja.palletsprojects.com/en/3.1.x/).

Table 1. Jinja2 filter expressions
Filter name Description Sample usage

ago

Converts an epoch timestamp (in milliseconds) to a string representation of the time that has elapsed since that timestamp.

{{ offense.start_time|ago }}

csv

Converts a list of values to a comma-separated string.

{{ offense.categories|csv }}

res_email

Converts the display name to an email address, if the email address exists in the SOAR organization.

If the email does not exist, it returns the default SOAR email address that is specified in the app.config file.

{{ offense.assigned_to|res_email }}

html

HTML-escaped version of value.

iso8601

Converts epoch milliseconds timestamp value to an ISO8601 datetime value.

{{ offense.start_time|iso8601 }}

js

Same as the json filter but strips the surrounding quotation marks from the result.

{{ offense.description|js }}

json

JSON-friendly version of the value (a string result is quoted and escaped).

{{ offense.description|json }}

local_dest_ip_whitelist

Removes all entries that are on the Local Destination IP ignore list from a list of values.

{{ offense.local_destination_addresses|local_dest_ip_whitelist }}

severity

Maps a numeric QRadar severity to a SOAR severity:
  • 8-10 = High
  • 4-7 = Medium
  • 1-3 = Low

{{ offense.severity|severity }}

src_ip_whitelist

Removes all entries that are on the Source IP ignore list from a list of values.

{{ offense.source_addresses|src_ip_whitelist }}

uniq

Removes duplicate entries from a list of values.
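The following worked example shows what the filters in Table 1 do when run against an offense. It is an added illustration, not the QRadar or SOAR app's own code: each filter is written as an ordinary Python callable (which is exactly what a Jinja2 filter is), and a small renderer resolves the documented {{ offense.<field>|<filter> }} form, including chained filters, against a constructed offense. The sample offense values, the two ignore lists, the "N hours ago" wording of the ago filter, and the idea that the app reads the ignore lists from its configuration are all assumptions made for the example.

```python
"""Filters from Table 1 as plain callables, plus a tiny renderer for
{{ offense.<field>|<filter> }} expressions. Added example, not the app's code."""
import html as html_lib  # aliased because a filter below is itself named `html`
import json
import re
import time
from datetime import datetime, timezone

# Constructed sample offense: field names follow the page, values are made up.
SAMPLE_OFFENSE = {
    "start_time": 1_700_000_000_000,  # epoch milliseconds (2023-11-14T22:13:20Z)
    "severity": 8,
    "categories": ["Malware", "Exploit", "Malware"],
    "description": 'Suspicious "powershell" <script> activity',
    "source_addresses": ["10.0.0.5", "203.0.113.9", "10.0.0.5"],
    "local_destination_addresses": ["192.0.2.10", "192.0.2.20"],
}

# Constructed ignore lists (assumption: the app loads these from its configuration).
SRC_IP_IGNORE = {"10.0.0.5"}
LOCAL_DEST_IP_IGNORE = {"192.0.2.20"}


def ago(ms, now_ms=None):
    """Elapsed time since an epoch-ms timestamp; the "2 hours ago" wording is assumed."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    secs = max(0, (int(now_ms) - int(ms)) // 1000)
    for unit, size in (("day", 86400), ("hour", 3600), ("minute", 60)):
        if secs >= size:
            n = secs // size
            return f"{n} {unit}{'s' if n != 1 else ''} ago"
    return f"{secs} seconds ago"


def csv(values):
    """List of values -> comma-separated string."""
    return ", ".join(str(v) for v in values)


def iso8601(ms):
    """Epoch milliseconds -> ISO 8601 datetime string (UTC)."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).isoformat()


def json_filter(value):
    """JSON-friendly version of the value; a string comes back quoted and escaped."""
    return json.dumps(value)


def js(value):
    """Same as json_filter, minus the surrounding quotation marks of a string result."""
    out = json.dumps(value)
    return out[1:-1] if isinstance(value, str) else out


def html(value):
    """HTML-escaped version of the value (escapes <, >, & and both quote characters)."""
    return html_lib.escape(str(value))


def severity(value):
    """Numeric QRadar severity -> SOAR severity per Table 1 (1-10 only)."""
    n = int(value)
    if not 1 <= n <= 10:  # the table defines no mapping outside 1-10
        raise ValueError(f"severity {n} is outside the documented 1-10 range")
    return "High" if n >= 8 else "Medium" if n >= 4 else "Low"


def uniq(values):
    """Remove duplicate entries, keeping first-seen order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def src_ip_whitelist(values):
    """Drop entries that are on the Source IP ignore list."""
    return [v for v in values if v not in SRC_IP_IGNORE]


def local_dest_ip_whitelist(values):
    """Drop entries that are on the Local Destination IP ignore list."""
    return [v for v in values if v not in LOCAL_DEST_IP_IGNORE]


FILTERS = {
    "ago": ago, "csv": csv, "iso8601": iso8601, "json": json_filter, "js": js,
    "html": html, "severity": severity, "uniq": uniq,
    "src_ip_whitelist": src_ip_whitelist,
    "local_dest_ip_whitelist": local_dest_ip_whitelist,
}

# {{ offense.<field> }} followed by zero or more |<filter> segments.
_EXPR = re.compile(r"\{\{\s*offense\.(\w+)((?:\s*\|\s*\w+)*)\s*\}\}")


def render(template, offense):
    """Resolve every {{ offense.<field>|<filter>... }} expression in `template`."""
    def resolve(match):
        value = offense[match.group(1)]
        for name in (p.strip() for p in match.group(2).split("|") if p.strip()):
            # Unknown filter -> KeyError here; Jinja2 rejects it when compiling the template.
            value = FILTERS[name](value)
        return str(value)
    return _EXPR.sub(resolve, template)


if __name__ == "__main__":
    for expr in ("{{ offense.start_time|iso8601 }}", "{{ offense.severity|severity }}",
                 "{{ offense.source_addresses|src_ip_whitelist|uniq|csv }}",
                 "{{ offense.description|html }}"):
        print(f"{expr:58} -> {render(expr, SAMPLE_OFFENSE)}")
```

In a real Jinja2 environment the same callables are registered on the environment's filters dictionary (for example, env.filters["csv"] = csv) rather than looked up by this toy renderer. Two points worth noticing when choosing a filter: the description and other offense fields can carry text taken from the logged events themselves, so a value that will be displayed as HTML should go through html rather than js or json, and severity has no defined result outside 1-10, which the example makes explicit by raising rather than silently mapping.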

The template is rendered as a .json document. That document is either posted to SOAR to create a new case, or converted to a URL with key-value parameters in the SOAR web URL format. For more information about the web URL format, see the Web URL Integration Guide.