Fun with Filters

Besides being an awesome band from the 90’s, Filter(s) can be a very useful tool for controlling step execution and the flow of data within a workflow.

Filters:

Use a filter step after a trigger to prevent workflows from executing if the filter query yields no matches. Filter steps are very useful when a workflow should run to completion only for specific data: anything else that comes in through the trigger is rejected by the filter, without your intervention.

Filters are a key part of controlling workflow functionality. For example, in my phishing workflow I want to ignore any reply emails that come into the inbox. I can use a filter to stop execution of the workflow if the subject meets a specific criterion (it does not start with Potential Phish).

This lets my workflow check the subject as the first step; if the message is not a new email, the workflow stops executing and moves on to the next job.

Format Query Language (FQL)

Filters and Automated Decisions use the Format Query Language to generate queries and control the flow of a workflow.

Hey man, nice Filter

Let’s take a look at some Filters used to control a loop within this Phishing workflow.

In the Loop Step “Phishing Database 2nd Check” there are two filter steps used.

This loop is configured to run 3 times every 10 seconds to check a Global Artifact for a sender and subject match for phishing emails.

There are 2 filters used within the loop to control loop execution for missing data and a successful match.

For the first filter, we loop over a global artifact a set number of times, checking for a sender / subject match within the artifact, so that an automated decision can be made instead of continuing on to a manual review and decision by an analyst.

The second filter will be used to check if an email has had an automated action taken and been moved from the inbox, and if so the workflow will be terminated.

Filter 1 - Check Path Name:

The first filter checks the path name and stops the execution of the loop if there is a match.

{{["Check for Blank Subject"].[path]}}="Blank"

Output variable to check: {{["Check for Blank Subject"].[path]}}
Query ="Blank"

How does this filter work?

This filter compares the name of the path taken in the "Check for Blank Subject" step against the string value "Blank". If the path name matches the string value in the filter, the loop breaks and the workflow continues without performing the actions within the loop.

Filter 2 - Success Check, Kill Command:

The second filter checks the success output variable for successful completion of the move step, which indicates that a match was found and that the reported email was responded to and moved out of the inbox.

{{["2nd Check Move Step"].[success]}}=true OR {{["2nd Check Move Step"].[$success]}}=true

Output variables to check: {{["2nd Check Move Step"].[success]}} OR {{["2nd Check Move Step"].[$success]}}

Query =true

This filter step varies from the above step in a few ways:

  1. Uses OR to check two separate output variables.
  2. Checks a boolean value (True/False) and not a string value.
  3. Is a stop step, which means that if the filter is matched, the job is complete and the workflow stops.
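
The Python below is an added example, not InsightConnect's implementation and not code from this post: it models only the `=` and `OR` forms shown in the two filters above, rejects a malformed variable reference such as a dropped brace, and replays constructed step outputs through both filters. The function names, the sample outputs, the order in which the two filters run inside an iteration, and treating a missing variable or a type mismatch as "no match" are assumptions of the example.

```python
import re

# One comparison: {{["Step Name"].[variable]}}=literal
TERM = re.compile(r'\{\{\["([^"]+)"\]\.\[([^\]]+)\]\}\}\s*=\s*("[^"]*"|true|false)')

def parse(query):
    """Parse 'term OR term ...' into (step, variable, expected) tuples."""
    skeleton = TERM.sub("\x00", query)  # every recognised term becomes NUL
    if not re.fullmatch(r"\s*\x00(?:\s+OR\s+\x00)*\s*", skeleton):
        raise ValueError(f"unsupported query: {query!r}")
    return [(s, v, lit[1:-1] if lit.startswith('"') else lit == "true")
            for s, v, lit in TERM.findall(query)]

def matches(query, outputs):
    """True if any term equals the named step output (same type, same value).

    Assumption of this model: a variable the step never emitted is 'no match'.
    """
    for step, var, expected in parse(query):
        value = outputs.get(step, {}).get(var)
        if type(value) is type(expected) and value == expected:
            return True
    return False

# The two filter queries from the post.
BLANK = '{{["Check for Blank Subject"].[path]}}="Blank"'
SUCCESS = ('{{["2nd Check Move Step"].[success]}}=true OR '
           '{{["2nd Check Move Step"].[$success]}}=true')

def run_loop(iterations, max_runs=3):
    """Replay constructed per-iteration step outputs through both filters."""
    for n, outputs in enumerate(iterations[:max_runs], start=1):
        if matches(BLANK, outputs):      # Filter 1: break out of the loop
            return ("loop broken", n)
        if matches(SUCCESS, outputs):    # Filter 2: stop step, job complete
            return ("job stopped", n)
    return ("manual review", min(len(iterations), max_runs))
```
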

The examples above are just a few of the things you can do with FQL and Filters to control your workflow. In my opinion, Filters and the Format Query Language are some of the most useful utility functions of InsightConnect and workflow building.