The filter component passes data that meets your conditions to the next node in a playbook.
Actions
| Action | Description | Scenarios |
|---|---|---|
| filter | Filters data from a specific node, selecting records that match your rules. | Filters data from a specific node to select data that meets the rules. |
Configuration example
Save the following JSON as a file, then import it into the visualization flow editor as a test playbook. For import steps, see Playbook import.
{
"cells": [
{
"position": {
"x": -770,
"y": -170
},
"size": {
"width": 36,
"height": 36
},
"attrs": {
"body": {
"fill": "white",
"strokeOpacity": 0.95,
"stroke": "#63ba4d",
"strokeWidth": 2
},
"label": {
"text": "start",
"fontSize": 12,
"refX": 0.5,
"refY": "100%",
"refY2": 4,
"textAnchor": "middle",
"textVerticalAnchor": "top"
},
"path": {
"stroke": "#63ba4d"
}
},
"visible": true,
"shape": "circle",
"id": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4",
"zIndex": 1,
"data": {
"nodeType": "startEvent",
"appType": "basic",
"nodeName": "start",
"icon": "icon-circle",
"description": "Playbook start node. A playbook must have one and only one start node, which requires input data configuration for the playbook."
},
"markup": [
{
"tagName": "circle",
"selector": "body"
},
{
"tagName": "text",
"selector": "label"
}
],
"isNode": true
},
{
"shape": "custom-edge",
"attrs": {
"line": {
"stroke": "#63ba4d",
"targetMarker": {
"stroke": "#63ba4d"
}
}
},
"zIndex": 1,
"id": "5293c3f9-e1c9-4a49-b0eb-635067dc67e8",
"data": {
"nodeType": "sequenceFlow",
"appType": "basic",
"isRequired": true,
"icon": "icon-upper-right-arrow"
},
"isNode": false,
"source": {
"cell": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4"
},
"target": {
"cell": "c1b02b5a-b343-48c9-8e17-984abf6965ed"
},
"visible": true,
"router": {
"name": "manhattan",
"args": {
"padding": 5,
"excludeHiddenNodes": true,
"excludeNodes": [
"clone_node_id"
]
}
},
"vertices": [
]
},
{
"position": {
"x": 80,
"y": -170
},
"size": {
"width": 36,
"height": 36
},
"attrs": {
"body": {
"fill": "white",
"strokeOpacity": 0.95,
"stroke": "#63ba4d",
"strokeWidth": 2
},
"path": {
"r": 12,
"refX": "50%",
"refY": "50%",
"fill": "#63ba4d",
"strokeOpacity": 0.95,
"stroke": "#63ba4d",
"strokeWidth": 4
},
"label": {
"text": "end",
"fontSize": 12,
"refX": 0.5,
"refY": "100%",
"refY2": 4,
"textAnchor": "middle",
"textVerticalAnchor": "top"
}
},
"visible": true,
"shape": "circle",
"id": "317dd1be-2d20-460e-977e-1fc936ffb583",
"zIndex": 1,
"data": {
"nodeType": "endEvent",
"appType": "basic",
"nodeName": "end",
"icon": "icon-radio-off-full",
"description": "end"
},
"markup": [
{
"tagName": "circle",
"selector": "body"
},
{
"tagName": "circle",
"selector": "path"
},
{
"tagName": "text",
"selector": "label"
}
],
"isNode": true
},
{
"position": {
"x": -380,
"y": -185
},
"size": {
"width": 137,
"height": 66
},
"view": "react-shape-view",
"attrs": {
"label": {
"text": "filter"
}
},
"shape": "activity",
"id": "41ac8fbf-0390-4b1c-9d44-b91150a607a3",
"data": {
"componentName": "filter",
"appType": "component",
"nodeType": "action",
"icon": "https://img.alicdn.com/imgextra/i3/O1CN01zYP1Bk1msd4DgMiBa_!!6000000005010-55-tps-22-22.svg",
"ownType": "sys",
"zIndex": 1,
"customInput": false,
"operateType": "general",
"name": "filter",
"nodeName": "filter",
"actionName": "filter",
"actionDisplayName": "filter",
"cascaderValue": [
{
"label": "DataFormat",
"value": "${DataFormat}",
"children": [
{
"label": "DataFormat.total_data_with_dup",
"name": "DataFormat.total_data_with_dup",
"value": "${DataFormat.total_data_with_dup}"
},
{
"label": "DataFormat.datalist.*.name",
"name": "DataFormat.datalist.*.name",
"value": "${DataFormat.datalist.*.name}"
},
{
"label": "DataFormat.total_exe_successful",
"name": "DataFormat.total_exe_successful",
"value": "${DataFormat.total_exe_successful}"
},
{
"label": "DataFormat.total_data",
"name": "DataFormat.total_data",
"value": "${DataFormat.total_data}"
},
{
"label": "DataFormat.total_exe",
"name": "DataFormat.total_exe",
"value": "${DataFormat.total_exe}"
},
{
"label": "DataFormat.status",
"name": "DataFormat.status",
"value": "${DataFormat.status}"
},
{
"label": "DataFormat.total_data_successful",
"name": "DataFormat.total_data_successful",
"value": "${DataFormat.total_data_successful}"
}
]
}
],
"valueData": {
"upstreamNode": "DataFormat",
"condition": "{\"condition\":\"AND\",\"rules\":[{\"field\":\"${DataFormat.datalist.*.name}\",\"value\":[\"test1\"],\"match\":\"is\",\"type\":\"string\",\"valueSource\":\"value\"}]}"
},
"status": "success"
},
"zIndex": 1
},
{
"shape": "custom-edge",
"attrs": {
"line": {
"stroke": "#63ba4d",
"targetMarker": {
"stroke": "#63ba4d"
}
}
},
"zIndex": 1,
"id": "3e5126c8-61ce-4582-9fcd-49e3fca844ea",
"data": {
"nodeType": "sequenceFlow",
"appType": "basic",
"isRequired": true,
"icon": "icon-upper-right-arrow"
},
"isNode": false,
"visible": true,
"router": {
"name": "manhattan",
"args": {
"padding": 5,
"excludeHiddenNodes": true,
"excludeNodes": [
"clone_node_id"
]
}
},
"source": {
"cell": "41ac8fbf-0390-4b1c-9d44-b91150a607a3"
},
"target": {
"cell": "437f1a16-609f-40d9-9ac8-5d9bd8aeafcd"
},
"vertices": [
]
},
{
"position": {
"x": -165,
"y": -185
},
"size": {
"width": 137,
"height": 66
},
"view": "react-shape-view",
"attrs": {
"label": {
"text": "DataFormat_2"
}
},
"shape": "activity",
"id": "437f1a16-609f-40d9-9ac8-5d9bd8aeafcd",
"data": {
"componentName": "DataFormat",
"appType": "component",
"nodeType": "action",
"icon": "https://sophon-gen-v2.oss-cn-zhangjiakou.aliyuncs.com/componentUpload/1719222281702_DataFormat_logo.png?Expires=1745654600&OSSAccessKeyId=STS. NXW5************&Signature=j5SXLh%2Fw5b4PhkhzWa%2FWgl%2BGWRQ%3D&security-token=CAIS2AJ1q6Ft5B2yfSjIr5vifvv6269M2bWOYV%2FojmsWNLhPgrXsiTz2IHhMenFpAegcv%2Fw%2BlGFZ6%2F8elrp6SJtIXleCZtF94oxN9h2gb4fb40Y6HzyK0s%2FLI3OaLjKm9u2wCryLYbGwU%2FOpbE%2B%2B5U0X6LDmdDKkckW4OJmS8%2FBOZcgWWQ%2FKBlgvRq0hRG1YpdQdKGHaONu0LxfumRCwNkdzvRdmgm4NgsbWgO%2Fks0OP3AOrlrBN%2Bdiuf8T9NvMBZskvD42Hu8VtbbfE3SJq7BxHybx7lqQs%2B02c5onDWwAJu0%2FXa7uEo4wydVNjFbM9A65Dqufxn%2Fpgt%2Braj4X7xhhEIOVJSSPbSZBbSxJNvU1RXDxQVcEYWxylurjnXvF%2Bo58zxrcUGin%2B2svzhw6RGJ1dq8DgINtD0jokjPndRVbLXs84nxS7gbsGn76oY2zradH%2FdU4J6tvBMytAXxqAAYb6jxZjLe7TMmktKoKJDPNYGnTAeViZJKpduCT2k7DBuEUN%2B%2B8fsvmMKsLLycLOYmqBqU%2FB4%2Fdy5Muz%2B6WDAQFoEDgzB17wouEZsoQG5EoCHljEH6DBajdzaAaISFedQrIaeBqEJIrLqLMKQlSqas3HEp8VqOaseKoWLb5PDxTGIAA%3D",
"ownType": "sys",
"zIndex": 1,
"tenantId": "baba",
"customInput": false,
"description": "Generate new data",
"id": 0,
"name": "formatdata",
"operateType": "general",
"output": [
],
"parameters": [
{
"dataType": "Complex",
"defaultValue": "",
"description": "Data to be transformed and generated",
"enDescription": "",
"name": "outputFields",
"needCascader": false,
"required": false,
"tags": ""
}
],
"riskLevel": 2,
"nodeName": "DataFormat_2",
"actionName": "formatdata",
"actionDisplayName": "formatdata",
"cascaderValue": [
{
"label": "filter_1",
"value": "${filter_1}",
"children": [
{
"label": "filter_1.failedReason",
"name": "filter_1.failedReason",
"value": "${filter_1.failedReason}"
},
{
"label": "filter_1.total_exe_successful",
"name": "filter_1.total_exe_successful",
"value": "${filter_1.total_exe_successful}"
},
{
"label": "filter_1.status",
"name": "filter_1.status",
"value": "${filter_1.status}"
},
{
"label": "filter_1.filter_total_data_successful",
"name": "filter_1.filter_total_data_successful",
"value": "${filter_1.filter_total_data_successful}"
},
{
"label": "filter_1.total_data_successful",
"name": "filter_1.total_data_successful",
"value": "${filter_1.total_data_successful}"
},
{
"label": "filter_1.total_data_with_dup",
"name": "filter_1.total_data_with_dup",
"value": "${filter_1.total_data_with_dup}"
},
{
"label": "filter_1.filter_total_data",
"name": "filter_1.filter_total_data",
"value": "${filter_1.filter_total_data}"
},
{
"label": "filter_1.total_data",
"name": "filter_1.total_data",
"value": "${filter_1.total_data}"
},
{
"label": "filter_1.total_exe",
"name": "filter_1.total_exe",
"value": "${filter_1.total_exe}"
}
]
},
{
"label": "DataFormat",
"value": "${DataFormat}",
"children": [
]
}
],
"valueData": {
"outputFields": "[{\"fieldName\":\"name\",\"fieldValue\":\"${filter.datalist.*.name}\"}]"
},
"status": "success"
},
"zIndex": 1
},
{
"shape": "custom-edge",
"attrs": {
"line": {
"stroke": "#63ba4d",
"targetMarker": {
"stroke": "#63ba4d"
}
}
},
"zIndex": 1,
"id": "b299b622-6607-4284-b05d-aa8339eee601",
"data": {
"nodeType": "sequenceFlow",
"appType": "basic",
"isRequired": true,
"icon": "icon-upper-right-arrow"
},
"isNode": false,
"visible": true,
"router": {
"name": "manhattan",
"args": {
"padding": 5,
"excludeHiddenNodes": true,
"excludeNodes": [
"clone_node_id"
]
}
},
"source": {
"cell": "437f1a16-609f-40d9-9ac8-5d9bd8aeafcd"
},
"target": {
"cell": "317dd1be-2d20-460e-977e-1fc936ffb583"
},
"vertices": [
]
},
{
"position": {
"x": -610,
"y": -190
},
"size": {
"width": 137,
"height": 66
},
"view": "react-shape-view",
"attrs": {
"label": {
"text": "DataFormat"
}
},
"shape": "activity",
"id": "c1b02b5a-b343-48c9-8e17-984abf6965ed",
"data": {
"componentName": "DataFormat",
"appType": "component",
"nodeType": "action",
"icon": "https://sophon-gen-v2.oss-cn-zhangjiakou.aliyuncs.com/componentUpload/1719222281702_DataFormat_logo.png?Expires=1745654600&OSSAccessKeyId=STS. NXW5************&Signature=j5SXLh%2Fw5b4PhkhzWa%2FWgl%2BGWRQ%3D&security-token=CAIS2AJ1q6Ft5B2yfSjIr5vifvv6269M2bWOYV%2FojmsWNLhPgrXsiTz2IHhMenFpAegcv%2Fw%2BlGFZ6%2F8elrp6SJtIXleCZtF94oxN9h2gb4fb40Y6HzyK0s%2FLI3OaLjKm9u2wCryLYbGwU%2FOpbE%2B%2B5U0X6LDmdDKkckW4OJmS8%2FBOZcgWWQ%2FKBlgvRq0hRG1YpdQdKGHaONu0LxfumRCwNkdzvRdmgm4NgsbWgO%2Fks0OP3AOrlrBN%2Bdiuf8T9NvMBZskvD42Hu8VtbbfE3SJq7BxHybx7lqQs%2B02c5onDWwAJu0%2FXa7uEo4wydVNjFbM9A65Dqufxn%2Fpgt%2Braj4X7xhhEIOVJSSPbSZBbSxJNvU1RXDxQVcEYWxylurjnXvF%2Bo58zxrcUGin%2B2svzhw6RGJ1dq8DgINtD0jokjPndRVbLXs84nxS7gbsGn76oY2zradH%2FdU4J6tvBMytAXxqAAYb6jxZjLe7TMmktKoKJDPNYGnTAeViZJKpduCT2k7DBuEUN%2B%2B8fsvmMKsLLycLOYmqBqU%2FB4%2Fdy5Muz%2B6WDAQFoEDgzB17wouEZsoQG5EoCHljEH6DBajdzaAaISFedQrIaeBqEJIrLqLMKQlSqas3HEp8VqOaseKoWLb5PDxTGIAA%3D",
"ownType": "sys",
"zIndex": 1,
"tenantId": "baba",
"customInput": false,
"description": "Convert input data to JSON type. If it is a JSONArray, all arrays are placed directly in the datalist. If it is a JSONObject, it is treated as a row of data in the datalist",
"id": 0,
"name": "convertToJSON",
"operateType": "general",
"parameters": [
{
"dataType": "Text",
"defaultValue": "",
"description": "Input data",
"name": "inputData",
"needCascader": false,
"required": false
}
],
"riskLevel": 2,
"nodeName": "DataFormat",
"actionName": "convertToJSON",
"actionDisplayName": "convertToJSON",
"cascaderValue": [
],
"valueData": {
"inputData": "[{\"name\":\"test\"},{\"name\":\"test1\"}]"
},
"status": "success"
},
"zIndex": 1
},
{
"shape": "custom-edge",
"attrs": {
"line": {
"stroke": "#63ba4d",
"targetMarker": {
"stroke": "#63ba4d"
}
}
},
"zIndex": 1,
"id": "d87ef9c5-9ce1-4a0a-81c3-5bbb1fc22c6a",
"data": {
"nodeType": "sequenceFlow",
"appType": "basic",
"isRequired": true,
"icon": "icon-upper-right-arrow"
},
"isNode": false,
"visible": true,
"router": {
"name": "manhattan",
"args": {
"padding": 5,
"excludeHiddenNodes": true,
"excludeNodes": [
"clone_node_id"
]
}
},
"source": {
"cell": "c1b02b5a-b343-48c9-8e17-984abf6965ed"
},
"target": {
"cell": "41ac8fbf-0390-4b1c-9d44-b91150a607a3"
},
"vertices": [
]
}
]
}filter
Passes data that meets the conditions to the next node.
Parameters
| Parameter | Description |
|---|---|
| Select Node | The node whose data is to be filtered. |
| Condition | The filter conditions to apply. Supports multiple combined conditions. Defaults to one condition group. |
Condition configuration
Security Orchestration, Automation, and Response (SOAR) provides a visual interface for configuring filter conditions. The interface is described below.
| Number | Element | Description |
|---|---|---|
| 1-Logical operator | AND / OR | Controls the logical relationship between rules within the same group. AND requires all rules to match; OR requires at least one rule to match. |
| 2-NOT switch | NOT | Negates the condition judgment for the current group. |
| 3-Add rule within group | — | Adds a rule inside the group. The logical relationship between rules in the same group is set by 1-Logical operator. |
| 4-Add condition group | — | Adds a new condition group. The relationship between different groups is always AND, regardless of the 1-Logical operator setting. |
| 5-Condition field | — | Accepts expressions and constants. Typically references output fields from preceding nodes. |
| 6-Condition judgment rule | — | The comparison operation to apply. Supports string, number, and dataset operations. |
| 7-Condition value | — | Accepts expressions and constants. |
Important
The logical operator in element 1 only applies within a single group. Conditions across different groups are always combined with AND cannot be changed.
Example
In the example above, the condition is met when name equals john or alice AND age is between 12 and 20 (inclusive).
Condition rules
Select the rule that matches the data type of your condition field.
Dataset rules
| Rule | Description | Remarks |
|---|---|---|
| IN IP Dataset | The value is in the IP dataset. | — |
| NOT IN IP Dataset | The value is not in the IP dataset. | Datasets need to be configured in Security Center > CTDR > Integration Center > Observation List before they can be selected. |
| IN Dataset | The value is in the dataset. | — |
| NOT IN Dataset | The value is not in the dataset. | — |
String rules
| Rule | Example |
|---|---|
| Equal | "abc" equals "abc" |
| Not equal | "abc" does not equal "def" |
| Contains | "abcdef" contains "bcd" |
| Does not contain | "abcdef" does not contain "xyz" |
| Starts with | "abcdef" starts with "abc" |
| Ends with | "abcdef" ends with "def" |
| Does not end with | "abcdef" does not end with "abc" |
| Regex match | "abcabc" matches (abc)+ |
| Not regex match | "abab" does not match (abc)+ |
| Is empty | Matches empty strings, null, and NULL. |
| Is not empty | Matches any non-empty string. |
Number rules
| Rule | Example |
|---|---|
| Equal | 5 equals 5 |
| Not equal | 5 does not equal 6 |
| Greater than | 5 is greater than 3 |
| Greater than or equal to | 5 is greater than or equal to 5 |
| Less than | 3 is less than 5 |
| Less than or equal to | 5 is less than or equal to 5 |
| Range | 1 is within the range -1,5 (format: value,value) |