json_extract_array - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language json_extract_array() function that accepts a string representing a JSON array, and returns an XQL-native array.

Important

Before using this JSON function, it's important that you understand how Cortex XSIAM treats JSON in the Cortex Query Language. For more information, see JSON functions.

Syntax
json_extract_array(<json_array_string>, <json_path>)

When a field name in the <json_path> contains special characters, such as a dot (.) or colon (:), use the syntax:

json_extract_array(<json_array_string>, "['<json_field>']")

To make it easier for you to write your XQL queries, you can also use the following syntactic sugar format.

<json_array_string> -> <json_path>[]

When a field name in the <json_path> contains special characters, such as a dot (.) or colon (:), use the syntax:

<json_array_string> -> ["<json_field>"][]

Description

The json_extract_array() function accepts a string representing a JSON array, and returns an XQL-native array. To convert a string field to a JSON object, use the to_json_string function.

Important

JSON field names are case sensitive, so the key in your XQL query must match the field name exactly for results to be found. For example, if a field is named "TIMESTAMP" and your query looks for "timestamp", no results will be found.

Examples

Extract the first IPv4 address found in the first element of the agent_interface_map array.

dataset = xdr_data
| fields agent_interface_map as aim
| alter ipv4 = json_extract_array(to_json_string(arrayindex(aim, 0)), "$.ipv4")
| filter aim != null
| limit 10

The same example, written with the syntactic sugar format.

dataset = xdr_data
| fields agent_interface_map as aim
| alter ipv4 = to_json_string(aim)->[0].ipv4[0]
| filter aim != null
| limit 10
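To make the path and case-sensitivity rules above concrete, the following is an added Python reference model of what json_extract_array() does; it is not Cortex XSIAM's implementation and is not part of this page's examples. It parses the dotted, indexed and bracket-quoted path forms described under Syntax, walks a JSON document, and returns the array at the path or None when the path is missing, mis-cased, or points at a scalar. The agent_interface_map record, the helper names parse_path, first_interface_ipv4, and the IP and MAC values are all constructed for this illustration.

```python
import json
import re

# Constructed sample: one record's agent_interface_map, shaped like the XDR
# field used in the page's example (interface names and addresses are made up).
AGENT_INTERFACE_MAP = [
    {"name": "eth0", "mac": "00:11:22:33:44:55",
     "ipv4": ["10.0.0.12", "192.168.1.20"], "ipv6": ["fe80::1"]},
    {"name": "lo", "mac": "00:00:00:00:00:00",
     "ipv4": ["127.0.0.1"], "ipv6": []},
]

# One path step: .name | [index] | ['quoted.key'] (quotes allow dots/colons)
_TOKEN = re.compile(r"""\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]|\[(['"])(.*?)\3\]""")


def parse_path(json_path):
    """Split "$.ipv4", "$[0].ipv4", "['host.name']" into keys (str) and indexes (int)."""
    path = json_path.strip()
    if path.startswith("$"):
        path = path[1:]
    steps = []
    pos = 0
    while pos < len(path):
        m = _TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax at {path[pos:]!r}")
        if m.group(1) is not None:
            steps.append(m.group(1))          # .field
        elif m.group(2) is not None:
            steps.append(int(m.group(2)))     # [n]
        else:
            steps.append(m.group(4))          # ['field.with.dots']
        pos = m.end()
    return steps


def to_json_string(value):
    """Stand-in for XQL's to_json_string(): serialize a value as a JSON string."""
    return json.dumps(value)


def arrayindex(arr, i):
    """Stand-in for XQL's arrayindex(): element i, or None when out of range."""
    if arr is None or i >= len(arr):
        return None
    return arr[i]


def json_extract_array(json_string, json_path):
    """Return the array found at json_path inside json_string, else None.

    Key lookups are exact and case sensitive, matching the note in the
    Description section: "$.IPV4" does not find a field named "ipv4".
    """
    if json_string is None:
        return None
    node = json.loads(json_string)
    for step in parse_path(json_path):
        if isinstance(step, int):
            if not isinstance(node, list) or step >= len(node):
                return None
            node = node[step]
        else:
            if not isinstance(node, dict) or step not in node:
                return None
            node = node[step]
    # A scalar at the end of the path is not an array, so nothing is returned.
    return node if isinstance(node, list) else None


def first_interface_ipv4(aim):
    """Mirror of the page's query: json_extract_array(to_json_string(arrayindex(aim, 0)), "$.ipv4")."""
    return json_extract_array(to_json_string(arrayindex(aim, 0)), "$.ipv4")


if __name__ == "__main__":
    print(first_interface_ipv4(AGENT_INTERFACE_MAP))
    print(json_extract_array(to_json_string(AGENT_INTERFACE_MAP[0]), "$.IPV4"))
    print(json_extract_array('{"host.name": ["a", "b"]}', "['host.name']"))
```

Two points the model makes visible: a path that ends on a scalar, such as "$[0].ipv4[0]", yields nothing from json_extract_array() because the result is not an array, and the mis-cased key "$.IPV4" silently returns nothing rather than raising an error, which is why a query that "works" but produces no rows is the symptom to look for.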