Use cases: JSON lists - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Manage JSON lists in Cortex XSIAM that can be accessed by automations, playbooks, and other content.

List data can be stored in various structures, including JSON. When a playbook accesses a list whose content is valid JSON, the content is automatically parsed into a JSON object. Depending on how the data is stored, you may need to transform the list into an array: for example, when a script uses commands that are not built in, or when you want to loop over the list items. Working with JSON lists in playbooks typically involves the following:

  • Extract the data from a JSON object

  • Extract a subset of the data

  • Filter extracted data

  • Apply transformers to extracted data.

Extract the data from a JSON object

Create a JSON list and use the Set automation to create a new context key that holds the data from the list.

  1. Create a list:

    1. Select Settings → Configurations → Object Setup → Lists → Add a List.

    2. In the Name field, type Test1.

    3. In the Content Type field, select JSON and add the following content:

      {
          "domain": {
              "name": "mwidomain",
              "prod_mode": "prod",
              "user": "weblogic",
              "admin": {
                  "servername": "AdminServer",
                  "listenport": "8001"
              },
              "machines": [
                  {
                      "refname": "Machine1",
                      "name": "MWINODE01"
                  },
                  {
                      "refname": "Machine2",
                      "name": "MWINODE02"
                  }
              ],
              "clusters": [
                  {
                      "refname": "Cluster1",
                      "name": "App1Cluster",
                      "machine": "Box1"
                  },
                  {
                      "refname": "Cluster2",
                      "name": "App2Cluster",
                      "machine": "Box2"
                  }
              ],
              "servers": [
                  {
                      "name": "ms1",
                      "port": 9001,
                      "machine": "Box1",
                      "clusterrefname": "Cluster1"
                  },
                  {
                      "name": "ms2",
                      "port": 9002,
                      "machine": "Box2",
                      "clusterrefname": "Cluster2"
                  }
              ]
          }
      }
    4. Save the list.

  2. Create a playbook task with the Set automation:

    1. Select Incident Response → Automation → Playbooks → New Playbook.

    2. Name the playbook, and click Save.

    3. Click Create Task and provide a task name.

    4. In the Choose Script field, select Set.

      The Set script stores a value in context under the key you enter.

    5. In the Key field, enter a context key name for the data, for example JSONData.

    6. In the Value field, click the curly brackets to choose the list whose data you want to extract.

    7. Click Filters And Transformers.

    8. In the Get field, click the curly brackets, and in the Select source for value section, select the list you created in step 1, Test1.

    9. In the Fetch data field, select an alert to test the data against.

    10. Click Test.

      In this example, the test returns the list data.

    11. When the test completes, click Save.

    12. Save the task and the playbook.

  3. Check that all the data is stored in the context key you defined by running the playbook in the debugger:

    1. Click Run.

    2. Open the Debugger Panel.

      The key you defined, JSONData, holds the parsed JSON object in context.

Extract a subset of the data

In general, you can extract a subset of the context data in a playbook to analyze a specific set of information. The same applies to lists, for example extracting part of the data from a JSON object. In this example, the server information is extracted from the list created above.

  1. In a playbook, create a task.

    1. In the Choose Script field, select Set.

    2. In the key field, define a context key name for the data; for example, JSONDataSubset.

    3. In the Value field, click the curly brackets to choose the list whose data you want to extract.

    4. Click Filters And Transformers.

    5. In the Get field, enter lists.Test1.domain.servers.

    6. In the Fetch data field, select an alert to test the data.

    7. Click Test.

    8. When the test completes, click Save.

    9. Save the task and the playbook.

  2. Check that all the data is stored in the context key you defined by running the playbook in the debugger:

    1. Click Run and open the Debugger Panel.

    2. The key you defined, JSONDataSubset, holds the subset of the data from the JSON object (the servers array).

Filter extracted data

You can filter the subset you extracted to analyze the information at a more granular level. In this example, you filter for the servers on the machine named Box1 from the list created in Extract the data from a JSON object above.

  1. Re-open the task you created above.

  2. Click the value field.

  3. Under Filter, click Add Filter.

  4. Set the condition you want to filter.

    In this example, retrieve the servers on the machine named Box1 from the Test1 list by setting the filter lists.Test1.domain.servers.machine Equals Box1. The condition is evaluated for each element of the servers array.
  5. Click Test.

  6. Check that the data subset was accessed successfully by selecting the data source from an alert. The results show the server entry with machine: Box1.

Apply transformers to extracted data

In general, in a playbook task you can apply transformers to the data you extracted. The same applies to lists, for example transforming data extracted from a JSON object. In this example, you extract the first element of the filtered list and transform it to upper case, using the list created in Extract the data from a JSON object above.

  1. Re-open the task, click the contents of the value field, and keep the current filters.

  2. Under Apply transformers on, click Add transformer.

  3. Add the following transformers to the extracted data:

    1. Add the Get index (General) transformer to extract a specific element.

      Set index: 0 to extract the first element from the filtered list.

    2. Add the To upper case (String) transformer.

      The To upper case (String) transformer works on a single element, not on a list, so apply the Get index (General) transformer first to reduce the filtered list to one element.

  4. In the Fetch Data field, select an alert to test and click Test.
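The four procedures on this page (parse a JSON list into a context key, extract a subset, filter it, apply transformers), as an added Python example that is not Cortex XSIAM code: it models the Get field, the Equals filter and the Get index and To upper case transformers in plain Python over the Test1 content above, so the results can be checked offline. The demisto.executeCommand("getList", ...) and CommandResults calls named in the comments are how an automation would read the list and write context; they are referenced, not called, and the path, filter and transformer semantics are a simplification of the UI's. Unlike the UI, the model's To upper case accepts only a single string, so the example uppercases the server's name field after Get index. The sample data and the list_to_array helper are constructed for this example.

```python
"""Added example (not Cortex XSIAM code): the page's four procedures modelled in plain Python.
A real automation would read the list with
demisto.executeCommand("getList", {"listName": "Test1"})[0]["Contents"] and return the
result with CommandResults(outputs_prefix="JSONData", outputs=...); both are only referenced
here, and the Get/Filter/Transformer behaviour below is a simplified model of the UI."""
import json
from typing import Any, Optional

# Constructed input: the Test1 content from step 1.3, as the string the list stores.
RAW_TEST1 = json.dumps({"domain": {
    "name": "mwidomain", "prod_mode": "prod", "user": "weblogic",
    "admin": {"servername": "AdminServer", "listenport": "8001"},
    "machines": [{"refname": "Machine1", "name": "MWINODE01"},
                 {"refname": "Machine2", "name": "MWINODE02"}],
    "clusters": [{"refname": "Cluster1", "name": "App1Cluster", "machine": "Box1"},
                 {"refname": "Cluster2", "name": "App2Cluster", "machine": "Box2"}],
    "servers": [{"name": "ms1", "port": 9001, "machine": "Box1", "clusterrefname": "Cluster1"},
                {"name": "ms2", "port": 9002, "machine": "Box2", "clusterrefname": "Cluster2"}],
}}, indent=2)

def json_list_error(raw: str) -> Optional[str]:
    """Check to run before saving a JSON list: None if the content parses, else where it broke."""
    try:
        json.loads(raw)
        return None
    except json.JSONDecodeError as exc:
        return f"{exc.msg} at line {exc.lineno}, column {exc.colno}"

def parse_list_content(raw: str) -> Any:
    """Step 1: valid JSON content is parsed into an object; anything else stays a plain string,
    which is what ends up in context when a brace or comma in the list is wrong."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw

def list_to_array(value: Any, separator: str = ",") -> list:
    """Transform a List into an Array so a script can loop over it: a JSON array is used as is,
    a JSON object becomes a one-element array, plain text is split on the separator."""
    if isinstance(value, list):
        return value
    if isinstance(value, dict):
        return [value]
    return [item.strip() for item in str(value).split(separator) if item.strip()]

def get_path(data: Any, path: str) -> Any:
    """Model of the Get field: walk a dotted path. When a step lands on an array, the rest of
    the path is applied to every element, so 'servers.machine' yields one value per server."""
    keys = path.split(".")
    node = data
    for i, key in enumerate(keys):
        if isinstance(node, list):
            out = []
            for value in (get_path(item, ".".join(keys[i:])) for item in node):
                if isinstance(value, list):
                    out.extend(value)
                elif value is not None:
                    out.append(value)
            return out
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def filter_equals(items: list, field: str, expected: Any) -> list:
    """Model of the Equals filter: the UI shows the field with its full path
    (lists.Test1.domain.servers.machine), but it is evaluated against each element."""
    return [item for item in items if get_path(item, field) == expected]

def get_index(value: Any, index: int) -> Any:
    """Get index (General) transformer: pick one element of an array."""
    if not isinstance(value, list):
        raise TypeError("Get index expects an array")
    return value[index]

def to_upper_case(value: Any) -> str:
    """To upper case (String) transformer: a single string only, never an array or object."""
    if isinstance(value, (list, dict)):
        raise TypeError("To upper case works on individual elements; apply Get index first")
    return str(value).upper()

def set_context(context: dict, key: str, value: Any) -> dict:
    """Model of the Set automation: store the value in context under the key."""
    context[key] = value
    return context

def build_context() -> dict:
    """Procedure 1: the lists namespace plus the JSONData key the Set task creates."""
    ctx = {"lists": {"Test1": parse_list_content(RAW_TEST1)}}
    return set_context(ctx, "JSONData", get_path(ctx, "lists.Test1"))

def first_server_name_on(ctx: dict, machine: str) -> str:
    """Procedures 2 to 4: subset, Equals filter, Get index 0, then To upper case on the name."""
    servers = get_path(ctx, "lists.Test1.domain.servers")      # JSONDataSubset
    on_machine = filter_equals(servers, "machine", machine)    # machine Equals Box1
    first = get_index(on_machine, 0)                           # Get index: 0
    return to_upper_case(get_path(first, "name"))              # To upper case

def upper_before_index_fails(ctx: dict) -> bool:
    """The page's caveat: To upper case on the filtered array, before Get index, is rejected."""
    servers = get_path(ctx, "lists.Test1.domain.servers")
    try:
        to_upper_case(filter_equals(servers, "machine", "Box1"))
    except TypeError:
        return True
    return False
```

Run json_list_error over the list content before saving it: a list that does not parse is not rejected by the platform, it is simply treated as a string, and the Set task then puts that string, not an object, under JSONData.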