Filters module
TIPCommon.filters.filter_list_by_type
TIPCommon.filters.filter_list_by_type(array, inner_type)
Filter out any items in the list that are not of the requested type.
Parameters | |
---|---|
array | list[Any] The list to check. |
inner_type | type The requested type of the items in the list. |
Example
>>> from TIPCommon.filters import filter_list_by_type
>>> arr = [1, 2, '3', 4]
>>> arr1 = filter_list_by_type(arr, int)
>>> arr2 = filter_list_by_type(arr, str)
>>> arr1
[1, 2, 4]
>>> arr2
['3']
Returns
A new array containing only the items of the inner_type type.
Return type
list[type[inner_type]]
TIPCommon.filters.filter_none_kwargs
TIPCommon.filters.filter_none_kwargs(**kwargs)
Filter out arguments with None values.
Parameters | |
---|---|
**kwargs | Keyword arguments. |
Returns
Keyword arguments where the argument value is not None.
Return type
dict
TIPCommon.filters.filter_old_alerts
TIPCommon.filters.filter_old_alerts(siemplify, alerts, existing_ids, id_key='alert_id')
Filter alerts that were already processed.
Parameters | |
---|---|
siemplify | obj An instance of the SDK |
alerts | list List of Alert objects. |
existing_ids | list List of IDs to filter. |
id_key | str The key of the identifier under which the IDs can be found in the alert. |
Returns
List of filtered Alert objects.
TIPCommon.filters.filter_old_ids
TIPCommon.filters.filter_old_ids(alert_ids, existing_ids)
Filter IDs that were already processed.
Parameters | |
---|---|
alert_ids | list List of new IDs from the alert to filter. |
existing_ids | list List of IDs for comparison. |
Returns
List of filtered IDs.
TIPCommon.filters.filter_old_ids_by_timestamp
TIPCommon.filters.filter_old_ids_by_timestamp(ids, offset_in_hours, convert_to_milliseconds, offset_is_in_days)
Filter IDs that appeared earlier than IDS_HOURS_LIMIT hours.
Parameters | |
---|---|
ids | dict The IDs to filter. |
offset_in_hours | int The IDs time limit (offset value) in hours. |
offset_is_in_days | bool If the offset supplied to this method is in days, set it to |
convert_to_milliseconds | bool Transform each ID's timestamp (UNIX) from seconds to milliseconds. |
Returns
(dict)
The filtered IDs.
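Added example (not TIPCommon code and not from the original page): the de-duplication cycle that filter_old_ids_by_timestamp and filter_old_alerts support in a connector, sketched with hypothetical stand-in functions that mirror only the descriptions above. The id-to-UNIX-seconds layout of the stored IDs, the `now` parameter and the sample alerts are assumptions. It shows that an ID pruned by a too-short offset is ingested again as a duplicate.

```python
import time
from types import SimpleNamespace

HOUR = 3600

def prune_ids_by_age(ids, offset_in_hours, now=None):
    """Stand-in: keep IDs whose stored UNIX timestamp (seconds) is inside the window."""
    now = time.time() if now is None else now
    cutoff = now - offset_in_hours * HOUR
    return {alert_id: ts for alert_id, ts in ids.items() if ts >= cutoff}

def drop_seen_alerts(alerts, existing_ids, id_key="alert_id"):
    """Stand-in: return alerts whose id_key attribute is not an already processed ID."""
    seen = set(existing_ids)
    return [a for a in alerts if getattr(a, id_key) not in seen]

def run_cycle(stored_ids, fetched, offset_in_hours, now):
    """One connector iteration: prune the ID store, de-duplicate, record new IDs."""
    kept = prune_ids_by_age(stored_ids, offset_in_hours, now)
    fresh = drop_seen_alerts(fetched, kept)
    kept.update({a.alert_id: now for a in fresh})
    return fresh, kept

# Constructed sample data: A-1 was processed 2 hours ago, A-2 30 hours ago.
NOW = 1_700_000_000
STORED = {"A-1": NOW - 2 * HOUR, "A-2": NOW - 30 * HOUR}
FETCHED = [SimpleNamespace(alert_id=i) for i in ("A-1", "A-2", "A-3")]

def demo():
    """Compare a 72-hour and a 24-hour ID retention window on the same fetch."""
    wide, _ = run_cycle(dict(STORED), FETCHED, 72, NOW)
    narrow, _ = run_cycle(dict(STORED), FETCHED, 24, NOW)
    return [a.alert_id for a in wide], [a.alert_id for a in narrow]

if __name__ == "__main__":
    wide, narrow = demo()
    print("72h window ingests:", wide)
    print("24h window ingests:", narrow)
```

Keep the ID retention offset at least as long as the connector's fetch look-back, otherwise alerts that are still returned by the source after their ID has been pruned are created a second time.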
TIPCommon.filters.pass_whitelist_filter
TIPCommon.filters.pass_whitelist_filter(siemplify, whitelist_as_a_blacklist, model, model_key, whitelist=None)
Determine whether values from a key in a model pass the allowlist filter.
Parameters | |
---|---|
siemplify | obj An instance of the SDK |
whitelist_as_a_blacklist | bool The value of the connector's input checkbox to use allowlist as a blocklist. |
model | obj An alert object of some type from which to extract the specific type or ID which will be matched against the allowlist. |
model_key | str The key (attribute) whose value is the specific type or ID which will be matched against the allowlist. |
whitelist | iterable The list used to determine whether a value passes the filter. If no value is provided, the default is the full connector's allowlist as displayed in the Google Security Operations SOAR UI. |
Returns
True if the model passed the filter successfully. Else, False.