CEL Explorer
XDR supports the use of Google's Common Expression Language (CEL) in multiple areas:
- To enable embedding logic and data manipulation within Automations connectors, playbook inputs, playbook triggers, and templates
- To refine Auto Investigation templates and rules
CEL Explorer lets you test CEL expressions against a specific type of input so that you can see the outcome of the expression. The following input types are supported:
- Alerts
- Assets (Endpoints)
- Entities
- Investigations
- Playbook Executions
When you provide a share link to an instance of one of the supported input types, you can view the data for that object and use it for testing as you build the CEL statement.
Accessing CEL Explorer
Access CEL Explorer in multiple ways:
- From the Taegis Menu, select Tools → CEL Explorer.
- From the details page of an alert, endpoint, entity, investigation, or playbook execution, select the Actions menu and choose View in CEL Explorer.

  Tip: Accessing CEL Explorer from a details page automatically sets the Resource Type and ID to the associated input.
Using CEL Explorer
To evaluate the outcome of a CEL expression, follow these steps:
- Select the desired Resource Type from the dropdown menu.
- Paste the share link to the instance of the input you would like to test your expression against in the Resource ID field.

  Tip: Accessing CEL Explorer from a details page automatically sets the Resource Type and ID to the associated input. Find a share link from the details page of the desired alert, endpoint, investigation, or playbook execution. Entities do not include a share link; select View in CEL Explorer from the Actions menu of an entity instead.
- Paste or enter the CEL expression you would like to test in the CEL Expression field. See Additional Resources for help with CEL, supported macros, and examples.
- Select Run to evaluate your CEL expression against the input.