The filter component filters data based on specified conditions.
Actions
Action | Description | Scenarios |
filter | Filters data from a specific node. | Filters data from a specific node to select records that match the rules. |
Configuration example
This topic provides configuration examples for filter component actions. You can import them as test playbooks into the visual flow editor to explore and test configuration parameters. For import steps, see Playbook import.
Save the sample data as a JSON file before importing it into the editor.
filter
Passes data that meets the conditions to the next node.
Parameters
Parameter | Description |
Select Node | The node whose data is to be filtered. |
Condition | Supports multiple combined conditions. Defaults to one condition group. |
Condition configuration
SOAR provides a visual interface for configuring the condition rules of the filter component. The interface is described as follows:

Number | Description |
1 - Logical operator | AND: All conditions must be met. OR: At least one of the conditions must be met. Important: The logical operator only determines the logical relationship between rules within the same group. |
2 - Negation switch | Negates the condition evaluation for the current group. |
3 - Add rule to group | Adds a rule to the group. The logical relationship between multiple rules in a group is determined by the 1 - Logical operator in the top left corner. |
4 - Add condition group | Adds a group of filter conditions. Important: The relationship between different groups is always AND and is not affected by the 1 - Logical operator. |
5 - Condition field | Supports expressions and constants, typically an output field from a preceding node. |
6 - Condition judgment rule | Supports operations such as IN and = for strings (String), numbers (Number), and observation lists. For more information, see the documentation for the filter component. |
7 - Condition value | Supports expressions and constants. |
Condition rules
Rule | Description | Remarks |
NOT IN IP Dataset | Not in the IP observation list. | Before you can select an observation list, you must first configure it in Security Center > Agentic SOC > Integration Center > Observation Lists. |
IN IP Dataset | In the IP observation list. | |
NOT IN Dataset | Not in the observation list. | |
IN Dataset | In the observation list. | |
String| equals | Checks if the string equals the specified value. | None |
String| not equal to | Checks if the string does not equal the specified value. | None |
String| contains | Checks if the string contains the specified value. | Example: 'abc' contains 'bc'. |
String| does not contain | Checks if the string does not contain the specified value. | Example: 'abc' does not contain 'd'. |
String| starts with | Checks if the string starts with the specified value. | Example: 'abc' starts with 'ab'. |
String| ends with | Checks if the string ends with the specified value. | Example: 'abc' ends with 'bc'. |
String| does not end with | Checks if the string does not end with the specified value. | Example: 'abc' does not end with 'ab'. |
String| regex match | Checks if the string matches the specified regular expression. | Example: 'abcabc' matches the regex '(abc)+'. |
String| not regex match | Checks if the string does not match the specified regular expression. | Example: 'abab' does not match the regex '(abc)+'. |
String| is empty | Checks if the string is empty. | Empty strings (''), null, and NULL are all considered empty. |
String| is not empty | Checks if the string is not empty. | None |
Number| equals | Checks if the number is equal to the specified value. | None |
Number| not equal to | Checks if the number is not equal to the specified value. | None |
Number| greater than | Checks if the number is greater than the specified value. | None |
Number| greater than or equal to | Checks if the number is greater than or equal to the specified value. | None |
Number| less than | Checks if the number is less than the specified value. | None |
Number| less than or equal to | Checks if the number is less than or equal to the specified value. | None |
Number| in range | Checks if the number falls within the configured range. Format: number,number. | Example: 1 is in the range -1,5. |
Condition configuration example
The outer AND logic group contains two rules: field path ${node.datalist.*.age}, type Number, with operators greater than (>) and less than (<). The nested OR logic subgroup contains two rules: field path ${node.datalist.*.name}, type String, both using the equals (is) operator.
In the example above, the condition is met if the name field of the node is 'john' or 'alice' AND the age field is between 12 and 20 (inclusive).
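The group semantics described above (operator per group, negation per group, groups always ANDed) can be checked offline before a playbook goes live. The following is an added example, not SOAR's own code: the data layout, the function names, the sample records, and the use of a full-string regex match are assumptions, and the nested OR subgroup is modelled as a second group, which is equivalent under the outer AND. It uses the strict greater than and less than operators, so boundary ages are not exercised.

```python
import re

# Rule names follow the "Condition rules" table; these Python
# implementations are assumptions, not the product's code.
OPS = {
    "String| equals": lambda v, x: v == x,
    "String| regex match": lambda v, x: re.fullmatch(x, v) is not None,
    "Number| greater than": lambda v, x: v > x,
    "Number| less than": lambda v, x: v < x,
}

def eval_group(group, record):
    """Evaluate one condition group against one record."""
    results = []
    for field, op, value in group["rules"]:
        v = record.get(field)
        # A missing field fails the rule instead of raising.
        results.append(v is not None and OPS[op](v, value))
    # 1 - Logical operator: applies only to rules inside this group.
    hit = all(results) if group["operator"] == "AND" else any(results)
    # 2 - Negation switch: inverts this group's result.
    return not hit if group.get("negate") else hit

def filter_records(groups, records):
    """Keep records that satisfy every group (groups are always ANDed)."""
    return [r for r in records if all(eval_group(g, r) for g in groups)]

# The page's example: age > 12 AND age < 20, with name = john OR alice.
EXAMPLE = [
    {"operator": "AND", "rules": [("age", "Number| greater than", 12),
                                  ("age", "Number| less than", 20)]},
    {"operator": "OR", "rules": [("name", "String| equals", "john"),
                                 ("name", "String| equals", "alice")]},
]
# Same rules with the negation switch turned on for the name group.
NEGATED = [EXAMPLE[0], dict(EXAMPLE[1], negate=True)]

# Constructed sample records standing in for ${node.datalist.*}.
RECORDS = [
    {"name": "john", "age": 15},
    {"name": "alice", "age": 25},
    {"name": "bob", "age": 15},
]

def names(groups):
    return [r["name"] for r in filter_records(groups, RECORDS)]

if __name__ == "__main__":
    print(names(EXAMPLE))  # ['john']
    print(names(NEGATED))  # ['bob']
```

Flipping the negation switch on one group changes which records reach the next node without touching the other group, which is why each group is worth testing against known-good and known-bad records separately.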