Use the Expression Builder
Supported in: Google SecOps SOAR
After selecting a placeholder for a parameter in a playbook action, you can
use the action's JSON results. These results give you the full information
returned by the action, which you can use in subsequent playbook actions and
flow. For more information, see Use Cases for Expression Builder
(/chronicle/docs/soar/respond/working-with-playbooks/use-cases-for-expression-builder).
You can adjust the JSON result data using the Expression Builder in order
to extract only the data that the action input needs.
The Expression Builder lets you parse and modify JSON results for use in
subsequent actions. It offers a set of transformation functions that you can
chain together with pipes, preview, and test, giving you an interactive way
to transform and parse raw action results.
Note: Some characters in the Expression Builder, such as the slash (/),
backslash (\) and quotation mark ("), require an escape character (a
backslash) before them in order to return results. For example:
replace("\/","y")
View the Expression Builder screen
A typical Expression Builder screen contains the following information:
JSON Sample:
This is an example of the data the action may return; it is not taken from
real-time results. The actual data may differ and may contain more or fewer
fields than the example. If you know of extra fields that the action returns
at runtime, you can type the relevant key path directly into the Expression
field. Because the sample is illustrative, test the finished expression
against real results from the action before relying on it in a playbook.
Functions:
The following pipe functions are supported:
First (x) - Returns the first X elements of an array.
Example: alerts | First(2) (If alerts is [{"id": "A"}, {"id": "B"}, {"id": "C"}], returns [{"id": "A"}, {"id": "B"}])
Last (x) - Returns the last X elements of an array.
Example: alerts | Last(1) (If alerts is [{"id": "A"}, {"id": "B"}, {"id": "C"}], returns [{"id": "C"}])
Min (KeyPath) - Returns the item with the minimum value from an array. If a keyPath parameter is provided, it returns the object with the minimum value at the specified path.
Example: alerts | Min("score") (If alerts contains list of objects with a score field, returns the object with the lowest score)
Max (KeyPath) - Returns the item with the maximum value from an array. If a keyPath parameter is provided, it returns the object with the maximum value at the specified path.
Example: alerts | Max("score") (If alerts contains list of objects with a score field, returns the object with the highest score)
Filter (ConditionKey, Operator, Value) - Filters an array of objects, returning only the objects that match a condition on a specified field.
ConditionKey: The field in each object to evaluate against the condition.
Operator: Operator to use for the condition.
For string input: =, !=, in, not in.
For number/date input: =, !=, >, >=, <, <=.
Value: Value to check in condition.
Example: alerts | Filter("severity", "=", "HIGH") (Returns all alerts where the severity field is "HIGH")
DateFormat ("pattern") - Converts a date written in the given pattern (the pattern parameter describes the input date) to the format YYYY-MM-DDThh:mm:ssZ. Pattern letters are case-sensitive: in the example, MM is the month and mm the minutes. The documented example output below omits the T and Z separators of that format, so confirm the exact output by clicking Run against a sample value.
Example: timestamp_field | DateFormat("yyyy/MM/ddTHH:mm:ss") (If timestamp_field is "2024/07/20T10:00:00Z", returns "2024-07-20 10:00:00")
Count () - Returns the number of items in the input array.
Example: alerts | Count() (If alerts is an array with 4 elements, returns 4)
OrderBy ("keyPath", "direction") - Orders an array of objects based on the values of a specified key path.
Example: alerts | OrderBy("score", "DESC") (Orders the alerts array by score in descending order)
toLower () - Convert an input to lowercase characters.
Example: status_field | toLower() (If status_field is "OPEN", returns "open")
toUpper () - Convert an input to uppercase characters.
Example: severity_field | toUpper() (If severity_field is "high", returns "HIGH")
Replace ("x", "y") - Replaces a substring within a string with another string.
Example: message_field | Replace("World", "Universe") (If message_field is "Hello World", returns "Hello Universe")
Distinct () - Removes duplicate values from an array. For arrays of objects, performs a deep comparison to identify duplicated objects.
Example: [10, 20, 30, 20, 40] | Distinct() (Returns [10, 20, 30, 40])
getByIndex ("index") - Get items of an array by a specified index or a list of indexes.
Example: alerts | getByIndex("0") (Returns the first element of the alerts array)
Example: alerts | getByIndex("0,2") (Returns the first and third elements of the alerts array)
split ("delimiter") - Divides a string into an array of substrings, using a specified delimiter.
Example: "tag1,tag2,tag3" | split(",") (Returns ["tag1", "tag2", "tag3"])
join ("delimiter") - Concatenates an array of strings into a single string, using a specified delimiter.
Example: ["malware", "critical"] | join(" & ") (Returns "malware & critical")
trim () - Removes leading and trailing whitespaces from a string.
Example: " hello world " | trim() (Returns "hello world")
trimChars ("characters") - Removes specified characters from the beginning and end of a string. Leading and trailing whitespaces are always removed, even if not explicitly specified.
Example: "--TEST--ABC--" | trimChars("-") (Returns "TEST--ABC")
substring (start, end) - Extracts a substring from a string, using a specified start index and an optional end index.
Example: "Hello World" | substring(0, 5) (Returns "Hello")
Example: "Hello World" | substring(6) (Returns "World")
incrementValue (value) - Increases a numeric value by a specified amount. If no amount is specified, the value is incremented by 1.
Example: score_field | incrementValue(5) (If score_field is 90, returns 95)
Example: counter_field | incrementValue() (If counter_field is 10, returns 11)
setIfEmpty ("defaultValue") - Returns the provided default value if the input value is empty.
Example: optional_field | setIfEmpty("N/A") (If optional_field is empty, returns "N/A"; otherwise, returns the value of optional_field)
toUnixtime () - Converts a human-readable date and time string (e.g. "2014/03/12T13:37:27Z" or "2014-03-12T13:37:27+01:00") to a Unix timestamp, expressed in UTC.
Example: "2024-07-20T10:00:00Z" | toUnixtime() (Returns 1721469600)
ifThenElse ("operator", "comparedValue", "trueResult", "falseResult") - Compares the input value with comparedValue using the given operator (the examples use the = and > operators listed under Filter) and returns trueResult if the condition holds, otherwise falseResult.
Example: severity_field | ifThenElse("=", "HIGH", "High Priority", "Normal Priority") (If severity_field is "HIGH", returns "High Priority"; otherwise, returns "Normal Priority")
Example: score_field | ifThenElse(">", "70", "Above Threshold", "Below Threshold") (If score_field is 90, returns "Above Threshold"; if score_field is 60, returns "Below Threshold")
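The pipe syntax above can be prototyped offline. The following Python script is an added example, not Google SecOps code: it is a small evaluator that implements the documented functions (DateFormat excepted) with the semantics described on this page, so an analyst can check an expression against a constructed JSON sample before putting it into a playbook. It assumes that function names are matched case-insensitively, that key paths may be dotted (for example alerts.0.host), and that in / not in treat the Value as a comma-separated list; none of those details are stated on the page. The sample data is constructed, and the real engine may differ on edge cases, so the Results pane remains the authority.

```python
"""Offline prototype of the Expression Builder pipe syntax (added example, not Google
SecOps code). Assumed: case-insensitive function names, dotted key paths such as
alerts.0.host, and a comma-separated Value for in / not in. DateFormat is omitted."""
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like an action's JSON result; not real data.
SAMPLE = json.loads("""
{"alerts": [
  {"id": "A", "severity": "HIGH",   "score": 90, "host": " WS-01 "},
  {"id": "B", "severity": "LOW",    "score": 20, "host": "WS-02"},
  {"id": "C", "severity": "HIGH",   "score": 75, "host": "ws-03"},
  {"id": "D", "severity": "MEDIUM", "score": 75, "host": "WS-02"}
]}""")

_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^"|]+|\|')        # quoted string, text, or pipe
_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(-?\d+(?:\.\d+)?)')  # quoted string or number
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def _get(obj, path):
    """Resolve a dotted key path; numeric parts index into lists."""
    for part in path.split("."):
        obj = obj[int(part)] if isinstance(obj, list) else obj.get(part)
    return obj

def _compare(left, op, right):
    """Condition used by Filter and ifThenElse; numeric-looking values compare as numbers."""
    try:
        left, right = float(left), float(right)
    except (TypeError, ValueError):
        pass  # at least one side is not numeric: compare as given
    if op in ("in", "not in"):
        hit = str(left) in [s.strip() for s in str(right).split(",")]
        return hit if op == "in" else not hit
    return _OPS[op](left, right)

def _by_index(v, idx):
    items = [v[int(i)] for i in str(idx).split(",")]
    return items[0] if len(items) == 1 else items

def _to_unixtime(s):  # accepts "2014/03/12T13:37:27Z" or "...+01:00"; no offset means UTC
    dt = datetime.fromisoformat(str(s).replace("/", "-").replace("Z", "+00:00"))
    return int((dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)).timestamp())

FUNCS = {  # keyed by lower-cased name; the first argument is the piped-in value
    "first": lambda v, n: v[:int(n)],
    "last": lambda v, n: v[-int(n):],
    "count": lambda v: len(v),
    "min": lambda v, p=None: min(v, key=(lambda o: _get(o, p)) if p else None),
    "max": lambda v, p=None: max(v, key=(lambda o: _get(o, p)) if p else None),
    "filter": lambda v, key, op, val: [o for o in v if _compare(_get(o, key), op, val)],
    "orderby": lambda v, p, d="ASC": sorted(v, key=lambda o: _get(o, p), reverse=d.upper() == "DESC"),
    "tolower": lambda v: str(v).lower(),
    "toupper": lambda v: str(v).upper(),
    "replace": lambda v, x, y: str(v).replace(x, y),
    "distinct": lambda v: list({json.dumps(x, sort_keys=True): x for x in v}.values()),
    "getbyindex": _by_index,
    "split": lambda v, d: str(v).split(d),
    "join": lambda v, d: d.join(str(x) for x in v),
    "trim": lambda v: str(v).strip(),
    "trimchars": lambda v, c: str(v).strip().strip(c).strip(),
    "substring": lambda v, s, e=None: str(v)[int(s):(None if e is None else int(e))],
    "incrementvalue": lambda v, n=1: v + n,
    "setifempty": lambda v, d: d if v in (None, "", [], {}) else v,
    "tounixtime": _to_unixtime,
    "ifthenelse": lambda v, op, cmp, t, f: t if _compare(v, op, cmp) else f,
}

def _split_pipes(expr):
    """Split on '|' outside double-quoted strings."""
    parts = [""]
    for tok in _TOKEN_RE.findall(expr):
        if tok == "|":
            parts.append("")
        else:
            parts[-1] += tok
    return parts

def _parse_args(text):
    """Quoted strings (JSON escapes such as \\/ and \\" applied) and bare numbers."""
    return [(float(n) if "." in n else int(n)) if n else json.loads(f'"{s}"')
            for s, n in _ARG_RE.findall(text)]

def evaluate(expression, data):
    """Evaluate a pipe expression: key path or JSON literal, then chained function calls."""
    segments = _split_pipes(expression)
    try:
        value = json.loads(segments[0])  # literal such as [10, 20, 30] or "tag1,tag2"
    except json.JSONDecodeError:
        value = _get(data, segments[0].strip())  # key path into the JSON sample
    for seg in segments[1:]:
        m = re.fullmatch(r"\s*(\w+)\s*\((.*)\)\s*", seg, re.S)
        if not m or m.group(1).lower() not in FUNCS:
            raise ValueError(f"unknown or malformed function call: {seg.strip()!r}")
        value = FUNCS[m.group(1).lower()](value, *_parse_args(m.group(2)))
    return value
```

Calling evaluate('alerts | Filter("severity", "=", "HIGH") | OrderBy("score", "DESC") | First(1) | getByIndex("0")', SAMPLE) returns the single highest-scoring HIGH alert, which is the shape of result you would feed into an action input; an expression such as '"a/b" | Replace("\/", "-")' shows the backslash escaping from the note above being applied to the argument before the replacement runs.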
Expression:
The Expression field is where you enter the JSON result key path together
with the functions, joined by pipes, so that several functions are chained
into one expression.
Run / Results:
After you have built the expression, click Run to display the Results of
evaluating it against the JSON Sample shown in the Expression Builder.
Last updated 2025-08-29 UTC.