Dylan's Commonly Used Jinja

Jinja

Monday, November 29, 2021


1:19 PM

Inline If statement

{{thisvalue if xyz else othervalue if abc else finalvalue}}

Jinja if Blocks-
{% if xyz %}{{thisvalue}}{% elif abc %}{{othervalue}}{% else %}{{finalvalue}}{% endif %}

Blocks seem like they'd be more readable, but they get SUPER picky about whitespace, which can cause problems.

Regex match Phone Numbers
{{ mal | map('regex_replace', '^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$', '\\1[.]\\2.\\3.\\4') | list}}

Filter out phone numbers from indicators


{%for indicator in iocs %}
{% if not indicator.value | regex_search('\+[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]') %}
{{indicator.value}}
{% endif %}
{%endfor%}
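
An added Python example (not part of the original notes) that mirrors the two regex snippets above on constructed indicators, assuming regex_replace and regex_search behave like Python's re.sub and re.search. It shows that the anchored IP pattern rewrites only bare dotted quads, and that the phone filter drops any value containing a + followed by eleven digits.

```python
import re

# Same pattern and replacement as the regex_replace call above.
IPV4 = re.compile(r'^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$')
# Intent of the phone filter: "+" followed by eleven digits, unanchored.
PHONE = re.compile(r'\+[0-9]{11}')


def defang(values):
    """Bracket the first dot of each value that is exactly a dotted quad."""
    return [IPV4.sub(r'\1[.]\2.\3.\4', v) for v in values]


def drop_phone_numbers(iocs):
    """Keep indicator values that contain no phone-number match."""
    return [i["value"] for i in iocs if not PHONE.search(i["value"])]


# Constructed sample indicators (assumed shape: dicts with a "value" key).
SAMPLE = [
    {"value": "198.51.100.7"},
    {"value": "+15555550123"},           # 11 digits: dropped
    {"value": "+1555555012"},            # 10 digits: kept
    {"value": "http://198.51.100.7/a"},  # not a bare IP: left as is
    {"value": "example.test"},
]

if __name__ == "__main__":
    kept = drop_phone_numbers(SAMPLE)
    print(kept)
    print(defang(kept))
    # The pattern checks shape only, not octet range.
    print(defang(["999.999.999.999"]))
```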

Filter Statements

Useful filters
fromIRI
toJSON
toDICT

Convert Json to HTML Table


{{ vars.your_list_of_dictionaries | json2html([list, of, attributes, you, want, in, table]) }}

Convert to prettier table


{{ filteredData | json2html(template="Stylized with row selection", display="Vertical", styling=false, table_style={})}}

Other options
json2html(template="Generic", display="Horizontal", styling=false, table_style={})

json2html(table_style={'table class=\'cs-data-table\'': 'max-width: 500px;', 'td': 'white-space: break-spaces;'}, styling=true)

Create dictionary from non-Null values in Jinja

{% set ns = namespace(valid={}) %}
{% for key,value in vars.myData.data.data.items()%}
{% if value not in ["", [], null]%}{{ ns.valid.update({key:value})}}
{%endif%}
{%endfor%}
{{vars.filteredData.update(ns.valid)}}

Reverse a list

{%set reverse_iter = vars.steps.Reiterate_Pages.total_ids | reverse%}{% set mylist = []%}{%for item in reverse_iter%}{{"" if mylist.append(item)}}{%endfor%}{{mylist}}

Filter out IP address

{{ vars.input.params['indicator_list'] | json_query('[?(type!=`IP Address` || !starts_with(value, `105.128.`)) && type!=`NA`]') }}

Convert text to dictionary

Jinja:
{% set myDict = {}%}{% for line in text.split("\r\n")%}{%set key,value = line.split(":",1)%}{{"" if myDict.update({key:value})}}{%endfor%}{{myDict}}
JSON:
{
"text": "ts: 2022-01-05T14:18:35.409Z\r\nqtype: AAAA\r\nquery: archit.requestcatcher.com\r\nsourceHost: none\r\ndomain: requestcatcher.com\r\neventType: dns"
}

YAQL filter examples

{{ {"var1":1,"var2":"a"} | yaql('$.var1') }}
returns# 1
{{ "test" | yaql('$.toUpper()') }}
returns# TEST
#Filter down to non-False data
Sample Data
{
"data":{
"av_cate":"Riskware/NetCat",
"wf_cate":"",
"ioc_cate":"",
"ioc_tags":[

],
"confidence":"High",
"spam_cates":[

],
"reference_url":"https://ioc.fortiguard.com/search?query=E8FBEC25DB4F9D95B5E8F41CCA51A4B32BE8674A4DEA7A45B6F7AEB22DBC38DB&filter=indicator"
},
"success":true
}
{{ data | yaql('dict($.items().where(bool($[1])))') }}
returns#
{
"av_cate": "Riskware/NetCat",
"confidence": "High",
"reference_url": "https://ioc.fortiguard.com/search?query=E8FBEC25DB4F9D95B5E8F41CCA51A4B32BE8674A4DEA7A45B6F7AEB22DBC38DB&filter=indicator"
}

Using a variable inside a json_query expression with the tick (backtick) symbol: everything inside json_query must be a string, so when referencing a dynamic value in a json_query filter you need to use the format below.

Example 1
json_query('[?name==`' + vars.groupName + '`].sys_id')

Example 2
{{vars.steps.Reiterate_Pages.total_ids}}
{{vars.resolved_alerts.append((('/api' + vars.item) | fromIRI).env.input.records[0] | json_query('{name: name, id: id, createDate: createDate, workflowID:`' + vars.item.split("/")[4] | string + '`}'))}}

Filtering with ~ for exact. Using ~ rather than the + sign is the preferred way to concatenate strings:
json_query('[?createDate <`' ~ vars.oldDate ~ '`]')
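
The formats above place the variable's raw text between backticks, so a value that itself contains a backtick ends the literal early, and a bare value such as 123 or true is parsed by JMESPath as JSON rather than as a string. An added Python sketch (not from the original notes; function names are hypothetical) of the quoting rule that avoids both: JSON-encode the value, then backslash-escape any backtick.

```python
import json


def jmes_literal(value):
    """Render value as a JMESPath backtick literal: JSON-encode it, then
    escape backticks so the value cannot close the literal early."""
    return "`" + json.dumps(value).replace("`", "\\`") + "`"


def naive_query(group_name):
    # Same construction as Example 1 above: raw text between backticks.
    return "[?name==`" + group_name + "`].sys_id"


def safe_query(group_name):
    return "[?name==" + jmes_literal(group_name) + "].sys_id"


def unescaped_backticks(query):
    """Count backticks that are not backslash-escaped. In queries like the
    ones above, where backticks only delimit literals, an odd count means
    a literal was opened or closed by the data, not by the template."""
    count, i = 0, 0
    while i < len(query):
        if query[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if query[i] == "`":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    name = "Tier`1"  # constructed group name containing a backtick
    for q in (naive_query(name), safe_query(name)):
        print(q, "->", unescaped_backticks(q), "unescaped backticks")
    # A numeric-looking name stays a string once it is JSON-encoded.
    print(safe_query("123"))
```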

Filter list of Alerts where status is Closed

{{code_output | json_query('[?status.itemValue == `Closed`]') }}

If you get this error-

Error Executing Code: while parsing a flow mapping in \"<unicode string>\", line 1, column 14962: expected ',' or '}', but got '<scalar>'\n in \"<unicode string>\", line 1, column 15184: Connector :: code-snippetV1.2.4

Try adding this Jinja to your variable: {{ | replace("\\'", "") }}


Find Duplicate Alerts

{% set duplicate =[] %}{% for key, value in vars.all_alerts.items() %}{% if key not in vars.engine_hash_mapping.values()%}{{"" if duplicate.append({'iri':key, 'comment': "This record is a duplicate of " + (vars.engine_hash_mapping[value] | fromIRI).id | string }) }}
{%endif%}{%endfor%}{{duplicate}}

Filter tags that start with IP

{% set ips = vars.input.params.extraFields.split(',') | json_query('[?starts_with(@,`IP`)] ') %}{% set cleanIps = []%}{% for ip in ips%}{{"" if cleanIps.append(ip.split('IP:')[1])}}{%endfor%}{{cleanIps}}

Correlate assets and identities based on the alert id common between them
{{vars.steps.Create_Asset | json_query('[][alerts[?contains(@,`' + vars.item["@id"] + '`)] | [0],"@id"] | [*][1]') | unique or ""}}

Convert groupby tuple to dictionary

{% set mylist = []%}{% for name,items in result | unique | groupby("name") %}{{"" if mylist.append({"grouper": name, "all_items":items}) }}{%endfor%}{{mylist}}

Group dictionaries up based on url, and take the minimum time of each group
{% set mylist = []%}{%set reducedList = []%}{% for name,items in result | unique | groupby("url") %}{{"" if mylist.append({"grouper": name, "all_items":items}) }}{%endfor%}{% for sample in mylist%}
{{sample["all_items"] | json_query('[].messageTime |min(@)')}} {{"" if reducedList.append(sample['grouper']) }}{%endfor%}

Filtering data based on nested data


Data
{
"data": {
"result": [
{
"group": {
"display_value": "Technology KB Viewers"
}
},
{
"group": {
"display_value": "KB Viewers"
}
},
{
"group": {
"display_value": "to-io.sec-soip-l2-inv"
}
}
]
}
}

{{data.result | json_query('[?group.display_value != `KB Viewers` && group.display_value != `Technology KB Viewers`].group.display_value')}}
{{data.result | json_query('[? !contains(group.display_value, `KB`)].group.display_value')}}

Get manual input based on alert id -
/api/wf/api/manual-wf-input/?format=json&limit=2147483647&unauthenticated_input=false&record={{vars.input.records[0]['@id'] | urlencode}}

To get just the itemValues, you would use a json_query:


{{ "Severity" | picklist(True) | first | json_query('picklists[].itemValue') }}

An alternative if you prefer not to use json_query:


{{ ("Severity" | picklist(True) | first).picklists | map(attribute='itemValue') | list}}

Arrow Examples-
{{arrow.utcnow().format('YYYY-MM-DD HH:mm:ss')}}

{{arrow.get(tzinfo="US/Central").shift(hours=-2).format('YYYY-MM-DDTHH:mm:ss[Z]')}}

To check whether a key has a value or is empty, do the test below and then proceed.
{% if vars.keyName != NoneType %}{{'value is available'}}{% else %}{{'value is NOT available'}}{% endif %}
