CEL Examples

Following are Common Expression Language examples you can use with Secureworks® Taegis™ XDR Connector templates.

Access Usernames From an Alert

${alertUsernames(inputs)}

Access Hostnames From an Alert

${alertHostnames(inputs)}

Access source_ip Addresses From an Alert

${alertSourceIPs(inputs)}

Access destination_ip Address From an Alert

${alertDestinationIPs(inputs)}

Return the Alert Timestamp in Human Readable Format

 ${string(alertCreatedAtSeconds(inputs)).toTimestamp()}

Return true if Alert Contains a Specific related_entity Value

This example returns a value of true if the alert contains a specified sensorId value:

${'sensorId:1234redacted5678' in alertEntities(inputs)}

Create a Default Error Message

${!has(status.code) || status.code != 201 ? (has(body.errorMessages) ? body.errorMessages[0] : 'Unknown error returned by Vendor API') : ''}

Access the TargetUserName from source_event of an Alert

This example accesses TargetUserName from the source_event of an alert

${alertEntities(inputs).filter(e, e.startsWith('targetUserName'))}

Match an Investigation Assigned to the Tenant

investigationAssigneeId(inputs) == '@customer'

Negate a Property on an Alert

Note that you must wrap the part you are negating in parentheses (). Use .lowerAscii() to lower case the title.

!(alertTitle(inputs).lowerAscii().contains('this is a test'))

Map the Investigation Priority to a String

${investigationPriority(inputs)}