Overview

JSONPath is used inside expression contexts such as TRIGGER and ACTIONS.<ref>.result to access nested fields and arrays.

Field access

Use dot notation for nested fields.
theme: ${{ TRIGGER.data.settings.theme }}
status: ${{ ACTIONS.fetch_alert.result.status }}
Use quoted field names when the field contains special characters.
value: ${{ TRIGGER.data."alert.sample.data" }}
dash_value: ${{ TRIGGER.data."field-with-dashes" }}

Array access

Use brackets to access array items.
first_item: ${{ TRIGGER.items[0] }}
last_item: ${{ TRIGGER.items[-1] }}
first_name: ${{ ACTIONS.lookup_users.result.users[0].name }}

Wildcards

Use [*] to select all items in an array.
ids: ${{ TRIGGER.items[*].id }}
names: ${{ ACTIONS.lookup_users.result.users[*].name }}
Wildcard expressions return a list.

Filters

Use filters to select matching items.
active_users: ${{ ACTIONS.lookup_users.result.users[?(@.active == true)] }}
high_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }}
matching_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }}
Filter expressions return a list.
Common filter patterns:
Equality:
high_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }}
open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
Inequality:
secondary_roles: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug != "primary-role")] }}
Numeric comparison:
critical_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }}
recent_events: ${{ TRIGGER.events[?(@.count > 10)] }}
Truthy field check:
users_with_email: ${{ ACTIONS.lookup_users.result.users[?(@.email)] }}
alerts_with_owner: ${{ TRIGGER.alerts[?(@.owner)] }}
String matching by exact value:
prod_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.environment == "prod")] }}
linux_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.os == "linux")] }}
Nested field checks:
owned_devices: ${{ TRIGGER.assets[?(@.owner.name == "SecOps")] }}
resolved_cases: ${{ ACTIONS.search_cases.result.items[?(@.status.name == "resolved")] }}
Filter and project a nested field:
role_slugs: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug)].attributes.incident_role.data.attributes.slug }}
Filter and return one field from matching rows:
open_ids: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].id }}

Return behavior

  • Single matches return a scalar.
  • Wildcards return a list.
  • Filters return a list.
Examples:
name: ${{ TRIGGER.user.name }}
names: ${{ TRIGGER.users[*].name }}
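
The return rules above matter when a later step expects a single value: a filter yields a list even when exactly one item matches. The following is an added example, not the product's evaluator: a small Python model of the path subset shown on this page, run over constructed data. The names CTX and evaluate, the empty list for a filter with no match, and None for a missing plain path are assumptions of this model.

```python
import re

CTX = {"TRIGGER": {  # constructed sample data, not from a real workflow
    "user": {"name": "alice"},
    "alerts": [{"id": 1, "severity": "high", "owner": "SecOps"},
               {"id": 2, "severity": "low", "owner": None},
               {"id": 3, "severity": "high"}],
}}

# One path step: .field, ."quoted field", [n], [*], [?(@.a.b)] or [?(@.a.b OP literal)]
STEP = re.compile(
    r'\.(?P<f>\w+)|\."(?P<q>[^"]+)"|\[(?P<i>-?\d+)\]|\[(?P<w>\*)\]'
    r'|\[\?\(@\.(?P<p>[\w.]+)(?:\s*(?P<op>==|!=|>=|>)\s*(?P<lit>[^)]+?))?\s*\)\]'
)
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def _literal(text):
    if text in ("true", "false"):
        return text == "true"
    return text[1:-1] if text[0] == '"' else float(text)

def _keep(item, m):
    for key in m["p"].split("."):  # walk the nested field named in the filter
        item = item.get(key) if isinstance(item, dict) else None
    if m["op"] is None:  # truthy check such as [?(@.owner)]
        return bool(item)
    # Assumption of this model: a missing or null field never matches a comparison.
    return item is not None and OPS[m["op"]](item, _literal(m["lit"]))

def evaluate(context, expr):
    """Return a scalar for a plain path, a list once [*] or a filter is used."""
    path, nodes, multi, pos = "." + expr, [context], False, 0
    while pos < len(path):
        m = STEP.match(path, pos)
        if not m:
            raise ValueError(f"unsupported syntax: {path[pos:]!r}")
        pos = m.end()
        if m["f"] or m["q"]:
            key = m["f"] or m["q"]
            nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        elif m["i"] is not None:
            nodes = [n[int(m["i"])] for n in nodes if isinstance(n, list)]
        else:  # [*] keeps every element, a filter keeps the matching ones
            nodes = [x for n in nodes if isinstance(n, list) for x in n
                     if m["w"] or _keep(x, m)]
            multi = True
    return nodes if multi else (nodes[0] if nodes else None)
```
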

Examples

Trigger data:
email: ${{ TRIGGER.user.email }}
Action result:
ticket_id: ${{ ACTIONS.create_ticket.result.id }}
Array item:
first_tag: ${{ ACTIONS.lookup_tags.result.tags[0] }}
Wildcard:
tag_names: ${{ ACTIONS.lookup_tags.result.tags[*].name }}
Filter:
open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
Filter and project:
open_titles: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].title }}
  • See Expressions for expression syntax and contexts.
  • See Functions for helper functions you can use alongside JSONPath access.