The filter component provides data filtering functionality.
Feature description
Action | Description | Scenarios |
filter | Filters data from a specific node. | Filters data from a specific node to select data that meets the rules. |
Configuration example
This topic provides parameter configuration examples for various actions of the filter component, which you can import as test playbooks. Through the visualization flow editor, you can more intuitively understand and test the configuration parameters of each action, easily mastering the functional logic and usage of the component. For the procedure, see Playbook import.
You can save the example data as a JSON file first, then import it into the editor.
filter
Passes data that meets the conditions to the next node.
Parameter description
Parameter | Description |
Select Node | The node whose data is to be filtered. |
Condition | Supports multiple combined conditions. The default is one condition group. |
Condition configuration
Security Orchestration, Automation, and Response (SOAR) provides a visual interface for configuring conditional rules for the filter component. The following image and table describe the user interface (UI).
Number | Description |
1-Logical operator | AND: All conditions must be met. OR: Meeting any one condition is sufficient. Important Logical operators can only determine the logical relationship between different rules within the same group. |
2-NOT switch | Negates the condition judgment for the current group. |
3-Add rule within group | Adds a rule within the group. The logical relationship between multiple rules within a group is determined by the 1-Logical operator in the upper left corner. |
4-Add condition group | Click to add a group of filtering conditions. Important The condition between different groups is fixed as AND and is not affected by the 1-Logical operator. |
5-Condition field | Supports input of expressions and constants, typically output fields from preceding nodes. |
6-Condition judgment rule | Supports operations such as IN, = for strings, numbers, and datasets. For specific instructions, see the filter component below. |
7-Condition value | Supports input of expressions and constants. |
Condition configuration example
Using the above figure as an example, when the name in the node is john or alice and age is between 12 and 20 (inclusive of boundary values), it will be determined as meeting the condition.
Conditional rules
Rule | Description | Remarks |
NOT IN IP Dataset | Not in the IP dataset. | Datasets need to be configured in "Security Center-CTDR-Integration Center-Observation List" before they can be selected. |
IN IP Dataset | In the IP dataset. | |
NOT IN Dataset | Not in the dataset. | |
IN Dataset | In the dataset. | |
String| Equal | Equal. | None |
String| Not equal | Not equal. | None |
String| Contains | Contains. | Example: abc contains bc. |
String| Does not contain | Does not contain. | Example: abc does not contain d. |
String| Starts with | Starts with. | Example: abc starts with ab. |
String| Ends with | Ends with. | Example: abc ends with bc. |
String| Does not end with | Does not end with. | Example: abc does not end with ab. |
String| Regex match | Regular expression match. | Example: abcabc matches (abc)+. |
String| Not regex match | Not a regular expression match. | Example: abab does not match (abc)+. |
String| Is empty | Is an empty string. | Empty string, null, and NULL are all considered empty strings. |
String| Is not empty | Is not an empty string. | None |
Number| Equal | Equal. | None |
Number| Not equal | Not equal. | None |
Number| Greater than | Greater than. | None |
Number| Greater than or equal to | Greater than or equal to. | None |
Number| Less than | Less than. | None |
Number| Less than or equal to | Less than or equal to. | None |
Number| Range | Whether the numeric condition value is within the configured range. Format is "value,value". | Example: 1 is within the range of -1,5. |