Use DT syntax to get select keys from a list of dictionaries

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-12-04
End of Life: EoL
Category: Administrator Guide
Abstract

Use DT to get select keys of interest from a command that returns a list of dictionaries containing many keys.

DT syntax is supported within the extend-context value. You can use DT to get select keys of interest from a command that returns a list of dictionaries containing many keys. For example, the findIndicators automation returns a long list of indicator properties, but you may only be interested in saving the value and the indicator_type to minimize the size of the context data.

Example
  1. Run the command !findIndicators size=2 query="type:IP" raw-response=true.

    You will see a list of two dictionaries containing 20+ items.

  2. Use the following value for extend-context to save only value and indicator_type into a context key called FoundIndicators:

    !findIndicators size=2 query="type:IP" extend-context=`FoundIndicators=.={"value": val.value, "indicator_type": val.indicator_type}`

  3. Use the following value for extend-context to save only the incident name, status, and id to a key called FoundIncidents:

    !SearchIncidentsV2 id=<ANY_INCIDENT_ID> extend-context=`FoundIncidents=Contents.data={"name": val.name, "status": val.status, "id": val.id}` ignore-outputs=true
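
The following added example is not from the Cortex XSOAR documentation or product code. It emulates in JavaScript what the extend-context value in step 2 does to a list of dictionaries, so you can see the resulting context shape and size before running the command. The names `sampleRaw`, `parseSpec`, `resolvePath`, and `applyExtendContext` are hypothetical, the indicator data is constructed, and applying the transform to a single non-list object is an assumption of this sketch.

```javascript
// Emulates the extend-context form Key=path=transform described above.
// Sketch only: not Cortex XSOAR's implementation.

// Constructed sample standing in for a raw response of two indicators
// (a real response carries 20+ fields per entry).
const sampleRaw = [
  { id: "1", value: "192.0.2.10", indicator_type: "IP", score: 3,
    firstSeen: "2024-01-01T00:00:00Z", lastSeen: "2024-02-01T00:00:00Z",
    expirationStatus: "active", sourceBrands: ["constructed-feed"] },
  { id: "2", value: "198.51.100.7", indicator_type: "IP", score: 1,
    firstSeen: "2024-01-05T00:00:00Z", lastSeen: "2024-01-20T00:00:00Z",
    expirationStatus: "expired", sourceBrands: ["constructed-feed"] },
];

// Split "Key=path=transform" at the first two "=" only; the transform
// itself may contain "=" characters.
function parseSpec(spec) {
  const first = spec.indexOf("=");
  const second = spec.indexOf("=", first + 1);
  if (first < 1 || second < 0) throw new Error("expected Key=path=transform");
  return {
    key: spec.slice(0, first),
    path: spec.slice(first + 1, second),
    transform: spec.slice(second + 1),
  };
}

// "." selects the whole response; "Contents.data" walks nested keys.
function resolvePath(raw, path) {
  if (path === ".") return raw;
  return path.split(".").reduce((node, part) => (node == null ? undefined : node[part]), raw);
}

function applyExtendContext(raw, spec) {
  const { key, path, transform } = parseSpec(spec);
  const selected = resolvePath(raw, path);
  if (selected === undefined) throw new Error(`path not found: ${path}`);
  // The transform is evaluated with each item bound to `val`. Only use
  // this on specs you wrote yourself; it evaluates the text as code.
  const project = new Function("val", `return (${transform});`);
  const items = Array.isArray(selected) ? selected : [selected]; // assumption
  return { [key]: items.map((item) => project(item)) };
}

const spec = 'FoundIndicators=.={"value": val.value, "indicator_type": val.indicator_type}';
const context = applyExtendContext(sampleRaw, spec);
console.log(JSON.stringify(context, null, 2));
console.log(JSON.stringify(sampleRaw).length, "->", JSON.stringify(context).length, "bytes");
```

The same function handles the step 3 form, where the path `Contents.data` selects a nested list instead of the response root.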