Dylan's Commonly Used Jinja
Inline If statement
Jinja if Blocks-
{% if xyz %}{{thisvalue}}{% elif abc %}{{othervalue}}{% else %}{{finalvalue}}{% endif %}
Blocks seem like they'd be more readable, but they get SUPER picky about whitespace, which can cause problems.
Regex match Phone Numbers
{{ mal | map('regex_replace', '^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$', '\\1[.]\\2.\\3.\\4') | list}}
Filter Statements
Useful filters
fromIRI
toJSON
toDICT
Other options
Json2html()te="Generic", display="Horizontal", styling=false, table_style={})
{% set ns = namespace(valid={}) %}
{% for key,value in vars.myData.data.data.items()%}
{% if value not in ["", [], null]%}{{ ns.valid.update({key:value})}}
{%endif%}
{%endfor%}
{{vars.filteredData.update(ns.valid)}}
Reverse a list
Jinja:
{% set myDict = {}%}{% for line in text.split("\r\n")%}{%set key,value = line.split(":",1)%}{{"" if myDict.update({key:value})}}{%endfor%}{{myDict}}
JSON:
{
"text": "ts: 2022-01-05T14:18:35.409Z\r\nqtype: AAAA\r\nquery: archit.requestcatcher.com\r\nsourceHost: none\r\ndomain: requestcatcher.com\r\neventType: dns"
}
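The text-to-dict loop above, restated in Python as an added example (not from the original page), using the page's sample text. parse_as_template mirrors the Jinja logic; parse_kv is a hypothetical tolerant variant that trims whitespace and skips lines without a colon instead of failing.

```python
# Added example: Python stand-in for the Jinja text-to-dict loop on this page.
# SAMPLE is the page's sample "text" value; function names are hypothetical.

SAMPLE = (
    "ts: 2022-01-05T14:18:35.409Z\r\nqtype: AAAA\r\n"
    "query: archit.requestcatcher.com\r\nsourceHost: none\r\n"
    "domain: requestcatcher.com\r\neventType: dns"
)


def parse_as_template(text):
    """Mirror the Jinja loop: split on CRLF, then on the first ':' only."""
    result = {}
    for line in text.split("\r\n"):
        # maxsplit=1 keeps the colons inside the timestamp intact.
        # Raises ValueError when a line has no ':' (e.g. a trailing blank line),
        # which is the same unpacking failure the template would hit.
        key, value = line.split(":", 1)
        result[key] = value
    return result


def parse_kv(text, skipped=None):
    """Tolerant variant: any line ending, trimmed keys and values."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            # No separator or empty key: record non-blank lines, never crash.
            if skipped is not None and line.strip():
                skipped.append(line)
            continue
        result[key.strip()] = value.strip()
    return result


if __name__ == "__main__":
    print(repr(parse_as_template(SAMPLE)["ts"]))  # value keeps its leading space
    print(repr(parse_kv(SAMPLE)["ts"]))           # value is trimmed
```

In a playbook, the untrimmed values matter when they are later compared or passed to another step, since " AAAA" and "AAAA" are different strings.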
YAQL filter examples
{{ {"var1":1,"var2":"a"} | yaql('$.var1') }}
returns# 1
{{ "test" | yaql('$.toUpper()') }}
returns# TEST
#Filter down to non-False data
Sample Data
{
"data":{
"av_cate":"Riskware/NetCat",
"wf_cate":"",
"ioc_cate":"",
"ioc_tags":[
],
"confidence":"High",
"spam_cates":[
],
"reference_url":"https://ioc.fortiguard.com/search?query=E8FBEC25DB4F9D95B5E8F41CCA51A4B32BE8674A4DEA7A45B6F7AEB22DBC38DB&filter=indicator"
},
"success":true
}
{{ data | yaql('dict($.items().where(bool($[1])))') }}
returns#
{
"av_cate": "Riskware/NetCat",
"confidence": "High",
"reference_url": "https://ioc.fortiguard.com/search?query=E8FBEC25DB4F9D95B5E8F41CCA51A4B32BE8674A4DEA7A45B6F7AEB22DBC38DB&filter=indicator"
}
Using a variable inside a json_query expression with the backtick (`) symbol. Everything inside json_query must be a string, so to reference a dynamic value in a json_query filter, use the format below.
Example 1
json_query('[?name==`' + vars.groupName + '`].sys_id')
Example 2
{{vars.steps.Reiterate_Pages.total_ids}}
{{vars.resolved_alerts.append((('/api' + vars.item) | fromIRI).env.input.records[0] | json_query('{name: name, id: id, createDate: createDate, workflowID:`' + vars.item.split("/")[4] | string + '`}'))}}
Filtering with ~ for exact. Using ~ is the preferred way to concatenate strings, instead of the + sign.
json_query('[?createDate <`' ~ vars.oldDate ~ '`]')
{% set duplicate =[] %}{% for key, value in vars.all_alerts.items() %}{% if key not in vars.engine_hash_mapping.values()%}{{"" if duplicate.append({'iri':key, 'comment': "This record is a duplicate of " + (vars.engine_hash_mapping[value] | fromIRI).id | string }) }}
{%endif%}{%endfor%}{{duplicate}}
Filter tags that start with IP
Correlate assets and identities based on the alert id common between them
{{vars.steps.Create_Asset | json_query('[][alerts[?contains(@,`' + vars.item["@id"] + '`)] | [0],"@id"] | [*][1]') | unique or ""}}
Group dictionaries up based on url, and take the minimum time of each group
{% set mylist = []%}{%set reducedList = []%}{% for name,items in result | unique | groupby("url") %}{{"" if mylist.append({"grouper": name, "all_items":items}) }}{%endfor%}{% for sample in mylist%}
{{sample["all_items"] | json_query('[].messageTime |min(@)')}} {{"" if reducedList.append(sample['grouper']) }}{%endfor%}
Arrow Examples-
{{arrow.utcnow().format('YYYY-MM-DD HH:mm:ss')}}
{{arrow.get(tzinfo="US/Central").shift(hours=-2).format('YYYY-MM-DDTHH:mm:ss[Z]')}}
To check whether a key has a value or is EMPTY, run the test below and then proceed.
{% if vars.keyName != NoneType %}{{'value is available'}}{% else %}{{'value is NOT available'}}{% endif %}