Filter patterns

Equality:
high_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }}
open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
Inequality:
secondary_roles: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug != "primary-role")] }}
Numeric comparison:
critical_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }}
recent_events: ${{ TRIGGER.events[?(@.count > 10)] }}
Truthy field check:
users_with_email: ${{ ACTIONS.lookup_users.result.users[?(@.email)] }}
alerts_with_owner: ${{ TRIGGER.alerts[?(@.owner)] }}
String matching by exact value:
prod_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.environment == "prod")] }}
linux_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.os == "linux")] }}
Nested field checks:
owned_devices: ${{ TRIGGER.assets[?(@.owner.name == "SecOps")] }}
resolved_cases: ${{ ACTIONS.search_cases.result.items[?(@.status.name == "resolved")] }}
Filter and project a nested field:
role_slugs: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug)].attributes.incident_role.data.attributes.slug }}
Filter and return one field from matching rows:
open_ids: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].id }}

Return behavior

  • Single matches return a scalar.
  • Wildcards return a list.
  • Filters return a list.
  • Non-existent fields return None (no error is raised).
Examples:
name: ${{ TRIGGER.user.name }}
names: ${{ TRIGGER.users[*].name }}
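
The return rules above, as an added Python sketch that is not the platform's own evaluator: it implements a small subset of JSONPath (fields, indexes, `[*]`, single-comparison filters) over constructed sample data, to show that a filter with one match still yields a list and that a mistyped field yields None without an error. The names `CTX`, `evaluate` and the helper functions are assumptions made for this example.

```python
import operator
import re

# Constructed sample context, shaped like the expressions on this page.
CTX = {"TRIGGER": {
    "user": {"name": "alice"},
    "users": [{"name": "alice", "email": "a@example.com"}, {"name": "bob"}],
    "alerts": [{"id": 1, "severity": "high"}, {"id": 2, "severity": "low"}],
}}
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
TOKEN = re.compile(r"\.(\w+)|\[(\d+)\]|\[(\*)\]|\[\?\((.+?)\)\]")
FILTER = re.compile(r"@((?:\.\w+)+)\s*(?:(==|!=|>=|<=|>|<)\s*(.+))?$")

def _get(obj, dotted):
    """Follow a dotted path inside one row; a missing key yields None."""
    for key in dotted.strip(".").split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def _matches(row, expr):
    """Apply one filter: '@.a.b <op> literal', or a bare '@.a.b' truthy check."""
    path, op, rhs = FILTER.match(expr.strip()).groups()
    left = _get(row, path)
    if op is None:
        return bool(left)
    rhs = rhs.strip()
    right = rhs[1:-1] if rhs[0] in "\"'" else float(rhs)
    # Assumption of this sketch: a row lacking the field never matches.
    return left is not None and OPS[op](left, right)

def evaluate(ctx, path):
    """Scalar for a plain path, list once [*] or a filter appears, None if missing."""
    nodes, many = [ctx], False
    for field, index, star, flt in TOKEN.findall("." + path):
        nxt = []
        for n in nodes:
            if field and isinstance(n, dict) and field in n:
                nxt.append(n[field])
            elif index and isinstance(n, list) and int(index) < len(n):
                nxt.append(n[int(index)])
            elif star and isinstance(n, list):
                nxt.extend(n)
            elif flt and isinstance(n, list):
                nxt.extend(r for r in n if _matches(r, flt))
        nodes, many = nxt, many or bool(star or flt)
    return nodes if many else (nodes[0] if nodes else None)
```

Because a missing path returns None instead of raising, a workflow step that consumes one of these values should check for None, and for list versus scalar, before acting on it.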

Examples

Trigger data:
email: ${{ TRIGGER.user.email }}
Action result:
ticket_id: ${{ ACTIONS.create_ticket.result.id }}
Array item:
first_tag: ${{ ACTIONS.lookup_tags.result.tags[0] }}
Wildcard:
tag_names: ${{ ACTIONS.lookup_tags.result.tags[*] }}
Filter:
open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
Filter and project:
open_titles: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].title }}
  • See JSONPath for core concepts and syntax.
  • See Expressions for expression syntax and contexts.
  • See Functions for helper functions you can use alongside JSONPath access.