Manage JSON lists in Cortex XSIAM that can be accessed by automations, playbooks, etc.
List data can be stored in various structures, including JSON format. When accessing a valid JSON file from within a playbook, it is automatically parsed as a JSON object (list). Depending on how you store the data, you may need to transform a list into an array. For example, if you use non-built-in commands in a script or want to loop over list items, you should transform the list into an array. Working with JSON files in playbooks typically involves the following:
Extract the data from a JSON object
Extract a subset of the data
Filter extracted data
Apply transformers to extracted data.
Create a JSON list and use the Set automation to create a new context key that can extract the data from the list.
Create a List:
In the Name field, type Test1.
Select Settings → Configurations → Object Setup → Lists → Add a List.
In the Content Type field, select JSON and add the following content:
{
  "domain": {
    "name": "mwidomain",
    "prod_mode": "prod",
    "user": "weblogic",
    "admin": {
      "servername": "AdminServer",
      "listenport": "8001"
    },
    "machines": [
      { "refname": "Machine1", "name": "MWINODE01" },
      { "refname": "Machine2", "name": "MWINODE02" }
    ],
    "clusters": [
      { "refname": "Cluster1", "name": "App1Cluster", "machine": "Box1" },
      { "refname": "Cluster1", "name": "App2Cluster", "machine": "Box2" }
    ],
    "servers": [
      { "name": "ms1", "port": 9001, "machine": "Box1", "clusterrefname": "Cluster1" },
      { "name": "ms2", "port": 9002, "machine": "Box2", "clusterrefname": "Cluster2" }
    ]
  }
}
Save the list.
Create a playbook task with the Set automation:
Select Incident Response → Automation → Playbooks → New Playbook.
Name the playbook, and click Save.
Click Create Task and provide a task name.
In the Choose Script field, select Set.
The Set script sets a value in context under the key entered.
In the key field, define a context key name for the data. For example, JSONData.
In the value field, set the list you want to extract by clicking the curly brackets.
Click Filters And Transformers.
In the Get field, click the curly brackets, and in the Select source for value section, select the list you created in step 1: Test1.
In the Fetch data field, select an alert to test the data.
Click Test.
In this example, the test results have found the list data.
When the test completes, click Save.
Save the task and playbook.
Check that all the data is stored in the context key you defined by testing the playbook using the debugger:
Click Run.
Open the Debugger Panel.
The key you defined, JSONData, holds the data in context from the JSON object.
In general, you can extract subsets of context data in a playbook to analyze a specific information set. This also applies to working with lists, for example extracting a subset of the data from a JSON object. In this example, we want to extract server information from the list created above.
In a playbook, create a task.
In the Choose Script field, select Set.
In the key field, define a context key name for the data; for example, JSONDataSubset.
In the value field, set the list you want to extract by clicking the curly brackets.
Click Filters And Transformers.
In the Get field, enter lists.Test1.domain.servers.
In the Fetch data field, select an alert to test the data.
Click Test.
When the test completes, click Save.
Save the task and the playbook.
Check that all the data is stored in the context key you defined by testing the playbook using the debugger.
Click Run and open the Debugger Panel.
The key you defined (JSONDataSubset) holds the subset of the data in context from the JSON object.
You can filter the data subset you extracted and analyze this information on a more granular level. In this example, you want to filter Box1 information from the list created in Extract the data from a JSON Object above.
Re-open the task you created above.
Click the value field.
Under Filter, click Add Filter.
Set the condition you want to filter.
In this example, retrieve the list of machines named Box1 from the Test1 list by setting the filter lists.Test1.domain.servers.machine Equals Box1.
Click Test.
Check whether the data subset was accessed successfully by selecting the data source from an alert. You can see the results returned: machine: Box1.
In general, in a playbook task, you can transform (apply changes to) the data you extracted. This also applies to working with lists, for example, to transform extracted data from a JSON object. In this example, we extract the first element in the list and transform the data to upper case from the list created in Extract data from a JSON object above.
Re-open the task, click the contents of the value field, and keep the current filters.
In the Apply transformers on the field, click Add transformer.
Add the following transformers to the extracted data:
Add the Get index (General) transformer to extract a specific machine element.
Set index: 0 to extract the first element from the list.
Add the To upper case (String) transformer.
The To upper case (String) transformer does not work on lists, only on individual elements. Therefore, the Get index (General) transformer should be applied before adding the To upper case (String) transformer.
In the Fetch Data field, select an alert to test and click Test.
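The extract, filter and transform steps above can be followed offline with the Python model below. It is an added example, not Cortex XSIAM code: the function names are hypothetical, the Test1 content is trimmed to the keys the walkthrough reads, and it assumes that a dotted path stepping through an array collects the key from every element.

```python
import json

# The Test1 list content from this page, trimmed to the keys the walkthrough reads.
TEST1 = json.loads("""
{"domain": {"name": "mwidomain", "servers": [
  {"name": "ms1", "port": 9001, "machine": "Box1", "clusterrefname": "Cluster1"},
  {"name": "ms2", "port": 9002, "machine": "Box2", "clusterrefname": "Cluster2"}]}}
""")
LISTS = {"Test1": TEST1}  # stand-in for the platform's "lists" namespace


def get_path(path, lists=LISTS):
    """Resolve a dotted path such as lists.Test1.domain.servers.
    Assumption: stepping through an array collects the key from every element."""
    root, *keys = path.split(".")
    if root != "lists":
        raise ValueError("this model only resolves paths under 'lists'")
    value = lists
    for key in keys:
        if isinstance(value, list):
            value = [item[key] for item in value if isinstance(item, dict) and key in item]
        elif isinstance(value, dict) and key in value:
            value = value[key]
        else:
            return None  # missing key: nothing to extract
    return value


def filter_equals(values, wanted):
    """Model of an 'Equals' filter: keep matching items, always returning a list."""
    items = values if isinstance(values, list) else [values]
    return [v for v in items if v == wanted]


def get_index(values, index):
    """Model of 'Get index (General)': pick one element out of a list."""
    in_range = isinstance(values, list) and -len(values) <= index < len(values)
    return values[index] if in_range else None


def to_upper(value):
    """Model of 'To upper case (String)': defined for a single string only."""
    if not isinstance(value, str):
        raise TypeError("expected a single string, got " + type(value).__name__)
    return value.upper()


def run_walkthrough():
    """Chain the steps in the page's order: get, filter, get index, upper case."""
    machines = filter_equals(get_path("lists.Test1.domain.servers.machine"), "Box1")
    return to_upper(get_index(machines, 0))
```

Calling to_upper on the filtered list directly raises TypeError in this model, which mirrors why Get index (General) has to come before To upper case (String).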