Cortex XSOAR Transform Language (commonly referred to as DT) is used for various Context-related functions in Cortex XSOAR. DT is a query language for JSON objects, similar to JSONQuery.
The following sample Context data will be used to show the various ways DT can access, aggregate, and mutate data.
DT can access keys of top-level dictionaries as well as keys nested inside other dictionaries.
Using the above Context data sample, you can access the following key values:
- The "Continent" key value, located in the "Geo" dictionary, which is located in the "MaxMind" dictionary.
- The "Hostname" key value, located in the "IP" dictionary.
- The "FirstSeen" key value, located in the "RecordedFuture" dictionary, which is located in the "IP" dictionary.
Access the key values using the following DT statements:
Access array values as you would any other dictionary (JSON) key in dot notation, adding an index in square brackets.
Indices start at 0, not 1.
Using the above Context data sample:
Under "URLScan" there is an array called "Certificates". To access the "SubjectName" value of its first entry, use the following DT statement.
|["www.google.com", "*.google.com", "www.google.de", "*.g.doubleclick.net", "*.apis.google.com"]|
|["www.google.com", "*.google.com", "www.google.de"]|
To retrieve a range of results, use a slice such as
[0:9], where "0" is the index at which the range starts and "9" is the position in the array at which it ends.
You will notice that
The following are a few examples of what selectors can do:
- Return only the Vendors that exactly match the urlscan.io description.
- Return every SubjectName that starts with "www".
- Return every SubjectName that contains "doubleclick".
- Return every Country that contains "ie" in any letter case (IE, ie, Ie, and so on).
- Return the ValidTo of every certificate whose SubjectName ends with "de". Note that the selector tests one relative path ("SubjectName") and the statement returns a different one ("ValidTo").
- Return the SubjectName of every certificate whose ValidTo time equals that of the first certificate in the array. Note that the bound value (val1) does not start with "." and is therefore resolved against the top-level Context rather than relative to the current entry.
Selectors help avoid duplicate entries and can be used to add data to existing entries.
An example of how this may be used in your code is the following:
The output path
'URL(val.Data && val.Data == obj.Data)' looks for existing Context entries under "URL" whose "Data" value equals the "Data" value of the entry being written. Within the selector, "val" is an entry already in the Context and "obj" is the new entry; the "val.Data &&" guard ensures that existing entries with no "Data" key are never considered a match. If a match is found, the existing entry is updated with the new values; if not, a new entry is created, because the new entry is considered unique relative to the existing values.
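The merge behaviour described above, as an added example in JavaScript that is not code from Cortex XSOAR: it models an output path whose selector decides whether each incoming entry updates an existing Context entry or is appended as a new one, and contrasts the guarded predicate from the text with the same predicate without the "val.Data &&" guard. The URL entries, the vendor name and the exact first-match-wins merge order are constructed assumptions of this model.

```javascript
// Added example, not code from Cortex XSOAR: a model of how an output path such
// as URL(val.Data && val.Data == obj.Data) decides whether an incoming entry
// updates an existing Context entry or is appended as a new one. Within the
// predicate, `val` is an entry already in the Context and `obj` is the entry
// being written. The URL entries below are constructed for the example.
const existingUrls = [
  { Data: "https://example.com/login", Score: 1 },
  { Data: "https://example.org/", Score: 0 },
  { Score: 0 }, // malformed entry: no Data key at all
];

const incomingUrls = [
  { Data: "https://example.com/login", Score: 3, Malicious: { Vendor: "ExampleVendor" } },
  { Data: "https://example.net/", Score: 2 },
  { Score: 2 }, // another entry with no Data key
];

// Merge `incoming` into a copy of `existing`. For each incoming object, the first
// existing entry for which the predicate is true is updated in place (new keys
// added, shared keys overwritten); if none matches, the object is appended.
// The predicate is executed as JavaScript, so only pass expressions you wrote.
function mergeContext(existing, incoming, predicateSource) {
  const matches = new Function("val", "obj", `return Boolean(${predicateSource});`);
  const merged = existing.map((entry) => ({ ...entry }));
  for (const obj of incoming) {
    const i = merged.findIndex((val) => matches(val, obj));
    if (i === -1) {
      merged.push({ ...obj });
    } else {
      Object.assign(merged[i], obj);
    }
  }
  return merged;
}

// The guarded predicate from the text: an existing entry without a Data key
// never matches, so both Data-less objects remain separate entries.
function mergeGuarded() {
  return mergeContext(existingUrls, incomingUrls, "val.Data && val.Data == obj.Data");
}

// The same predicate without the `val.Data &&` guard: `undefined == undefined`
// is true in JavaScript, so the incoming Data-less object silently overwrites
// the existing Data-less entry instead of being appended.
function mergeUnguarded() {
  return mergeContext(existingUrls, incomingUrls, "val.Data == obj.Data");
}
```

Run mergeGuarded() and mergeUnguarded() side by side: the guarded merge yields five entries with example.com updated to Score 3 and a Malicious sub-object, while the unguarded merge yields four because the two entries lacking Data are collapsed into one. The guard is what prevents unrelated entries from being merged when a key is missing, which is why it appears in the output paths of most integrations.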
Here are a few examples of transformers:
- Return the timestamp of the certificate whose SubjectName contains the word "doubleclick", then append "Z" to the value.
- Return all the organizations, converted to lower case.
- Return all the Vendors containing "Recorded", converted to lower case.
- Return the concatenated IP and Vendor for every DBotScore entry.
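The access, indexing, slicing, selector and transformer behaviour described in the sections above, as one added example in JavaScript that is not code from the Cortex XSOAR documentation: a small evaluator for DT-style paths, run over a constructed sample Context whose key names mirror the ones the text mentions (IP, MaxMind, Geo, RecordedFuture, URLScan.Certificates, DBotScore) but whose values are made up. Selector predicates are plain JavaScript with "val" bound to each candidate entry, and transformers are JavaScript string methods called on each value. It is an assumption of this model that a [start:end] slice excludes the end position, like JavaScript's slice; the bound-value form (val1) is not modelled.

```javascript
// Added example, not code from the Cortex XSOAR documentation: a small model
// of DT path access, indexing, slicing, selectors and transformers, run over a
// constructed sample Context. Only the key names mirror the ones in the text.
const context = {
  IP: {
    Hostname: "www.google.com",
    MaxMind: { Geo: { Continent: "Asia", Country: "Vietnam" } },
    RecordedFuture: { FirstSeen: "2016-07-28T05:41:39.000Z" },
  },
  URLScan: {
    Certificates: [
      { SubjectName: "www.google.com", ValidTo: "2020-01-01T00:00:00" },
      { SubjectName: "*.google.com", ValidTo: "2020-01-01T00:00:00" },
      { SubjectName: "www.google.de", ValidTo: "2020-02-01T00:00:00" },
      { SubjectName: "*.g.doubleclick.net", ValidTo: "2020-03-01T00:00:00" },
      { SubjectName: "*.apis.google.com", ValidTo: "2020-01-01T00:00:00" },
    ],
  },
  DBotScore: [
    { Indicator: "www.google.com", Vendor: "urlscan.io", Score: 1 },
    { Indicator: "www.google.com", Vendor: "Recorded Future", Score: 1 },
  ],
};

// Split "A.B[0].C(val.X == 1).D" on dots, but only at nesting depth 0, so that
// dots inside a selector's parentheses (val.SubjectName, "urlscan.io") survive.
function splitPath(path) {
  const segments = [];
  let current = "";
  let depth = 0;
  for (const ch of path) {
    if (ch === "(" || ch === "[") depth += 1;
    if (ch === ")" || ch === "]") depth -= 1;
    if (ch === "." && depth === 0) {
      segments.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  segments.push(current);
  return segments;
}

// One segment is a key, optionally followed by [index], [start:end] or (...).
// The parenthesised form is a selector when the key is a property and a
// transformer (method call) when the key names a method on the candidates.
const SEGMENT = /^(\w+)(?:\[(\d+)(?::(\d+))?\]|\((.*)\))?$/s;

// Walk the path. `candidates` is always a list: stepping into an array key
// flattens its elements, so URLScan.Certificates.SubjectName reads as
// "the SubjectName of every certificate".
function dt(root, path) {
  let candidates = [root];
  for (const segment of splitPath(path)) {
    const m = SEGMENT.exec(segment);
    if (!m) throw new Error(`unsupported DT segment: ${segment}`);
    const [, key, index, end, inner] = m;
    const isMethod =
      inner !== undefined && candidates.some((c) => c != null && typeof c[key] === "function");
    let next = [];
    for (const item of candidates) {
      if (item == null) continue;
      const value = item[key];
      if (isMethod) {
        // Transformer such as toLowerCase() or concat("Z"); this model accepts
        // JSON literals as arguments only.
        if (typeof value === "function") next.push(value.apply(item, inner ? JSON.parse(`[${inner}]`) : []));
      } else if (value !== undefined) {
        next = next.concat(Array.isArray(value) ? value : [value]);
      }
    }
    if (index !== undefined) {
      // Assumption of this model: [start:end] behaves like JS slice (end excluded).
      next = end === undefined ? next.slice(+index, +index + 1) : next.slice(+index, +end);
    }
    if (inner !== undefined && !isMethod) {
      // Selector: a JS expression with `val` bound to each candidate. It is
      // executed as code, so only ever evaluate expressions you wrote yourself.
      const matches = new Function("val", `return (${inner});`);
      next = next.filter((val) => {
        try { return Boolean(matches(val)); } catch (e) { return false; }
      });
    }
    candidates = next;
  }
  return candidates.length === 1 ? candidates[0] : candidates;
}
```

With this evaluator, dt(context, "IP.MaxMind.Geo.Continent") walks nested dictionaries, dt(context, "URLScan.Certificates[0:3].SubjectName") slices the array before reading a key from each element, and dt(context, 'URLScan.Certificates(val.SubjectName.endsWith("de")).ValidTo') filters on one relative path while returning another, exactly the pattern the selector examples describe. A selector that throws for an entry (for instance because a key is missing) is treated as not matching rather than aborting the whole query.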