CEL Explorer

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

XDR supports the use of Google’s Common Expression Language (CEL) in multiple areas:

• To enable embedding logic and data manipulation within Automations connectors, playbook inputs, playbook triggers, and templates
• To refine Auto Case templates and rules

CEL Explorer lets you test CEL expressions against a specific type of input so that you can see the outcome of the expression. The following input types are supported:

• Detections
• Assets (Endpoints)
• Entities
• Cases
• Playbook Executions

By providing a share link to an instance of one of the supported input types, the data for that object can be viewed and used for testing as the CEL statement is built.

Accessing CEL Explorer

CEL Explorer

Access CEL Explorer in multiple ways:

• From the Taegis Menu, select Tools → CEL Explorer.

• From the details page of a detection, endpoint, entity, case, or playbook execution, select the Actions menu and choose View in CEL Explorer.

  

  CEL Explorer

Tip

Accessing CEL Explorer from a details page automatically sets the Resource Type and ID to the associated input.

Using CEL Explorer

To evaluate the outcome of a CEL expression, follow these steps:

1. Select the desired Resource Type from the dropdown menu.

2. Paste the share link to the instance of the input you would like to test your expression against in the Resource ID field.

   Tip

   Accessing CEL Explorer from a details page automatically sets the Resource Type and ID to the associated input. Find a share link from the details page of the desired alert, endpoint, case, or playbook execution. Entities do not include a share link; select View in CEL Explorer from the Actions menu of an entity instead.

3. Paste or enter the CEL expression you would like to test in the CEL Expression field. See Additional Resources for help with CEL, supported macros, and examples.

   Tip

   CEL Explorer provides context-aware autocomplete for CEL macros, filtered by your selected Resource Type of Alert, Case, or Entity. As you type, it suggests relevant macros and lets you insert them directly into your expression in CEL Explorer.

4. Select Run to evaluate your CEL expression against the input.

Additional Resources

• Overview of CEL
• Supported CEL Macros
• Getting Started with CEL
• Example Use Cases for CEL