CEL Examples

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

Following are Common Expression Language examples you can use with Secureworks® Taegis™ XDR Connector templates.

Access Usernames From an Alert

${alertUsernames(inputs)}

Access Hostnames From an Alert

${alertHostnames(inputs)}

Access source_ip Addresses From an Alert

${alertSourceIPs(inputs)}

Access destination_ip Addresses From an Alert

${alertDestinationIPs(inputs)}

Return the Alert Timestamp in Human Readable Format

${string(alertCreatedAtSeconds(inputs)).toTimestamp()}

This example returns a value of true if the alert contains a specified sensorId value:

${'sensorId:1234redacted5678' in alertEntities(inputs)}

Create a Default Error Message

${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}
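The same default-error pattern with one extra guard, as an added example that is not from the Taegis documentation. `has(body.errorMessages)` only proves the field is present; if the vendor returns an empty list, `body.errorMessages[0]` still fails at evaluation time, so checking `size()` first returns the fallback text instead. The `status` and `body` bindings are the ones the expression above uses, the sample values in the comments are constructed, and the expression goes inside the same `${ ... }` template delimiters.

```cel
// Added example, not from the Taegis docs. Assumes the same `status` and `body`
// bindings as the expression above; the sample values below are constructed.
//
//   status.code == 201, body == {}                                -> ''
//   status.code == 500, body.errorMessages == ['quota exceeded']  -> 'quota exceeded'
//   status.code == 500, body.errorMessages == []                  -> 'Unknown error returned by Vendor API'
//   status == {} (no code field), body == {}                      -> 'Unknown error returned by Vendor API'
//
// `has(...) && size(...) > 0` is safe when errorMessages is absent: CEL's && yields
// false as soon as the has() side is false, so size() is never evaluated on a missing field.
!has(status.code) || status.code != 201
  ? (has(body.errorMessages) && size(body.errorMessages) > 0
      ? body.errorMessages[0]
      : 'Unknown error returned by Vendor API')
  : ''
```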

Access the TargetUserName from source_event of an Alert

This example accesses TargetUserName from the source_event of an alert.

${alertEntities(inputs).filter(e, e.startsWith('targetUserName'))}
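A guarded version of the filter above, as an added example that is not from the Taegis documentation. `filter()` returns a list, so indexing `[0]` on a result with no matching entity is an evaluation error; checking `size()` first renders an empty string instead. It assumes, as the sensorId example earlier on this page suggests, that `alertEntities(inputs)` returns strings of the form type:value; the `targetUserName:jdoe` value in the comment is constructed.

```cel
// Added example, not from the Taegis docs. `alertEntities(inputs)` is the page's own
// function; it is assumed here to return 'type:value' strings, e.g. 'targetUserName:jdoe'
// (constructed value). With no matching entity the expression yields '' rather than failing.
size(alertEntities(inputs).filter(e, e.startsWith('targetUserName'))) > 0
  ? alertEntities(inputs).filter(e, e.startsWith('targetUserName'))[0]
  : ''
```

When only a yes/no is needed, for instance as a connector condition, `alertEntities(inputs).exists(e, e.startsWith('targetUserName'))` stops at the first match and needs no size guard.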

Match an Investigation Assigned to the Tenant

investigationAssigneeId(inputs) == '@customer'

Negate a Property on an Alert

Note that you must wrap the part you are negating in parentheses (). Use .lowerAscii() to lowercase the title before comparing it.

!(alertTitle(inputs).lowerAscii().contains('this is a test'))

Map the Investigation Priority to a String

${investigationPriority(inputs)}