Filters module

TIPCommon.filters.filter_list_by_type

TIPCommon.filters.filter_list_by_type(array, inner_type)

Filter out any items in the list that are not of the requested type.

Parameters
array list[Any]

The list to check.

inner_type type

The requested type of the items in the list.

Example

>>> from TIPCommon.filters import filter_list_by_type
>>> arr = [1, 2, '3', 4]
>>> arr1 = filter_list_by_type(arr, int)
>>> arr2 = filter_list_by_type(arr, str)
>>> arr1
[1, 2, 4]
>>> arr2
['3']

Returns

A new array containing only the items of the inner_type type.

Return type

list[type[inner_type]]

TIPCommon.filters.filter_none_kwargs

TIPCommon.filters.filter_none_kwargs(**kwargs)

Filter out arguments with None values.

Parameters
**kwargs Keyword arguments.

Returns

Keyword arguments where the argument value is not None.

Return type

dict

TIPCommon.filters.filter_old_alerts

TIPCommon.filters.filter_old_alerts(siemplify, alerts, existing_ids, id_key='alert_id')

Filter alerts that were already processed.

Parameters
siemplify obj

An instance of the SDK SiemplifyConnectorExecution class.

alerts list

List of Alert objects.

existing_ids list

List of IDs to filter.

id_key str

The key of the identifier under which the IDs can be found in the alert.
Default is alert_id.

Returns

List of filtered Alert objects.

TIPCommon.filters.filter_old_ids

TIPCommon.filters.filter_old_ids(alert_ids, existing_ids)

Filter IDs that were already processed.

Parameters
alert_ids list

List of new IDs from the alert to filter.

existing_ids list

List of IDs for comparison.

Returns

List of filtered IDs.

TIPCommon.filters.filter_old_ids_by_timestamp

TIPCommon.filters.filter_old_ids_by_timestamp(ids, offset_in_hours, convert_to_milliseconds, offset_is_in_days)

Filter IDs that appeared earlier than IDS_HOURS_LIMIT hours ago.

Parameters
ids dict

The IDs to filter.

offset_in_hours int

The IDs time limit (offset value) in hours.

offset_is_in_days bool

If the offset supplied to this method is in days, set it to True for converting the offset days into hours.

convert_to_milliseconds bool

Transform each ID's timestamp (UNIX) from seconds to milliseconds.

Returns

The filtered IDs.

Return type

dict

TIPCommon.filters.pass_whitelist_filter

TIPCommon.filters.pass_whitelist_filter(siemplify, whitelist_as_a_blacklist, model, model_key, whitelist=None)

Determine whether values from a key in a model pass the allowlist filter.

Parameters
siemplify obj

An instance of the SDK SiemplifyConnectorExecution class.

whitelist_as_a_blacklist bool

The value of the connector's input checkbox to use allowlist as a blocklist.

model obj

An alert object of some type from which to extract the specific type or ID which will be matched against the allowlist.

model_key str

The key (attribute) whose value is the specific type or ID which will be matched against the allowlist.

whitelist iterable

The list used to determine whether a value passes the filter. If no value is provided, the default is the full connector's allowlist as displayed in the Google Security Operations SOAR UI.

Returns

True if the model passed the filter; otherwise, False.
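
An added sketch, not TIPCommon's own code, of how the deduplication and allowlist filters documented above combine in a connector. The function names, the id-to-timestamp layout of the ID store, the millisecond cutoff and the empty-list behaviour are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Alert:  # constructed stand-in for a connector alert object
    alert_id: str
    rule: str

def prune_ids(ids, offset, now_s, to_ms=False, offset_in_days=False):
    """Keep IDs seen inside the offset window; ids maps id -> UNIX timestamp."""
    hours = offset * 24 if offset_in_days else offset
    cutoff_ms = (now_s - hours * 3600) * 1000  # assumption: cutoff is in ms
    scale = 1000 if to_ms else 1
    return {i: ts for i, ts in ids.items() if ts * scale > cutoff_ms}

def drop_seen(alerts, existing_ids, id_key="alert_id"):
    """Drop alerts whose identifier was already processed."""
    seen = set(existing_ids)
    return [a for a in alerts if getattr(a, id_key) not in seen]

def passes_list(model, model_key, values, as_blocklist):
    """Allowlist mode: value must be listed. Blocklist mode: it must not be."""
    if not values:  # assumption: an empty list filters nothing
        return True
    listed = getattr(model, model_key) in values
    return not listed if as_blocklist else listed

def select_new_alerts(alerts, stored_ids, now_s, rules, as_blocklist):
    """Prune the ID store to 72 h, deduplicate, then apply the rule list."""
    recent = prune_ids(stored_ids, 72, now_s, to_ms=True)
    fresh = drop_seen(alerts, recent)
    return [a.alert_id for a in fresh
            if passes_list(a, "rule", rules, as_blocklist)]

# Constructed sample data: timestamps are in seconds, a-2 was seen 100 h ago.
NOW = 1_700_000_000
STORED = {"a-1": NOW - 3600, "a-2": NOW - 100 * 3600}
ALERTS = [Alert("a-1", "phishing"), Alert("a-2", "malware"),
          Alert("a-3", "phishing"), Alert("a-4", "dlp")]
RULES = ["phishing", "malware"]

if __name__ == "__main__":
    print(select_new_alerts(ALERTS, STORED, NOW, RULES, as_blocklist=False))
    print(select_new_alerts(ALERTS, STORED, NOW, RULES, as_blocklist=True))
    # Units mismatch: second-resolution timestamps left unconverted
    print(prune_ids(STORED, 72, NOW, to_ms=False))
```

In this sketch the 72-hour window drops a-2 from the ID store, so that alert is ingested a second time, and leaving second-resolution timestamps unconverted empties the store entirely. Size the window and set the units to match the connector's lookback period.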