×
Template Engine and Formatters
Nevelex Labs Logo

Template Engine

The Mustache Format notation is used within Security Flows Template Engine format for generation of dynamic content at run time. A mustache is simply a set of double curly braces surrounding a variable, e.g. {{ variable }}. Within a Security Flow node, the {{ variable }} is located within the incoming message. For example, assuming the following template and incoming message:

Template
Working with domain {{ payload.ioc.domain }} and the first array element is {{ payload.array.0.data }}.
Incoming Message
{
  "payload":
  {
    "ioc":
    {
      "domain": "nevelexlabs.com"
    }
    "array":
    [
      {
        "data": "Sample Data"
      }
    ]
  }
}

The resulting dynamic content will be:

Working with domain nevelexlabs.com and the first array element is Sample Data.

The previous example just scratches the surface of what is possible with the Security Flows Template Engine. To learn more, visit the Mustache template site.

A number of nodes utilize the mustache template engine for the generation of a dynamic search or filter criteria. A few example nodes utilizing the template engine are:

  • AzureAD Identity Access node In expert mode, the filtering area is a free-form entry area for creating a filter statement. Read through the filter parameters section for more details on writing filters.
  • CrowdStrike Hosts node: The Hosts Filter area is a free-form entry area for creating a filter statement. Read through Falcon Query Language page for details on writing filters.
  • ServiceNow node: In expert mode, the Search is a free-form entry area for creating a ServiceNow condition statement. The ServiceNow Operators available for filters and queries page gives a detailed overview of operators for constructing condition statement.
  • Formatters

    In addition to direct variable substitution, formatters are provided to manipulate the data before substitution. The formatters listed below are available for use within the template engine.

    Formatter Description / Example
    Date / Time Formatters
    addDays This formatter adjusts the date string or date object input parameter by adding the number of days specified. The days are specified as a parameter after a colon character, (:). The following example subtracts 14 days from the reference timestamp.

    {{ timestamp | addDays: -14 }}

    addMinutes This formatter adjusts the date string or date object input parameter by adding the number of minutes specified. The minutes are specified as a parameter after a colon character, (:). The following example adds 120 minutes to the reference timestamp.

    {{ timestamp | addMinutes: 120 }}

    addMonths This formatter adjusts the date string or date object input parameter by adding the number of months specified. The months are specified as a parameter after a colon character, (:). The following example adds 1 month to the reference timestamp.

    {{ timestamp | addMonths: 1 }}

    addSeconds This formatter adjusts the date string or date object input parameter by adding the number of seconds specified. The seconds are specified as a parameter after a colon character, (:). The following example subtracts 3,600 seconds from the reference timestamp.

    {{ timestamp | addSeconds: -3600 }}

    addYears This formatter adjusts the date string or date object input parameter by adding the number of years specified. The years are specified as a parameter after a colon character, (:). The following example subtracts 1 year to the reference timestamp.

    {{ timestamp | addYears: -1 }}

    now Returns the current date-time. No additional parameters need be specified. The input parameter is required, but ignored. The following example returns the current date-time regardless of the reference timestamp.

    {{ timestamp | now }}

    toDDMMYYYY This formatter converts the date string or date object input parameter to a format of DD/MM/YYYY using the System Setting's Default Timezone. The following example converts the reference timestamp.

    {{ timestamp | toDDMMYYYY }}

    toISODate This formatter converts the date string or date object input parameter to a format of YYYY-MM-DD. The following example converts the reference timestamp.

    {{ timestamp | toISODate }}

    toISODateTime This formatter converts the date string or date object input parameter to a format of YYYY-MM-DDTHH:mm:ss.sssZ. The following example converts the reference timestamp.

    {{ timestamp | toISODateTime }}

    toMMDDYYYY This formatter converts the date string or date object input parameter to a format of MM/DD/YYYY using the System Setting's Default Timezone. The following example converts the reference timestamp.

    {{ timestamp | toMMDDYYYY }}

    IP Addresses
    toCIDR This formatter transforms the input IP Address and prefix length into CIDR notation. When the input parameter is a string, it is required to be either an IPv4 or IPv6 address. If the input parameter is an object, the object must be defined as follows:
    parameter:
    {
      ipAddress: "[IPv4 or IPv6 String]",
      prefixLength: number
    }
    
    The following example encodes the payload.ioc.ip to a CIDR block address with a hardcoded prefix length of 24.

    {{ payload.ioc.ip | toCIDR : 24 }}

    The following example encodes the payload.ipObj (an object) to a CIDR block address with the prefix length defined in the input.

    {{ payload.ipObj | toCIDR }}

    URL Formatters
    encodeURIComponent This formatter encodes the input parameter as a URI component. The following example encodes the parameter to a value safe for use in a URL.

    {{ parameter | encodeURIComponent }}

    Examples

    Below is the response received when using the AzureAD Identity Access node to do an expert search of Sign-ins for a specific user over the last 14 days, userPrincipalName eq '{{payload.user}}' and createdDateTime le {{timestamp | toISODate}} and createdDateTime ge {{timestamp | addDays : -14 | toISODate}}.

    Below is the response received when using the ServiceNow node to do an expert search to find a specific incident via it's incident number, number={{payload.number}}, in the ServiceNow portal.

    Nevelex Labs, Main Office

    Metro Office Park
    2950 Metro Drive, Suite 104
    Bloomington, MN 55425
    Phone: +1 952-500-8921

    ©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.

    EULA