Manage JSON lists in Cortex XSOAR that can be accessed by scripts, playbooks, etc.
List data can be stored in various structures, including JSON. When you access a valid JSON file from within a playbook, it is automatically parsed as a JSON object (list). Working with JSON files in playbooks typically involves the following activities:
Extracting the data from a JSON object
Extracting a subset of the data
Filtering extracted data
Applying transformers to extracted data
See Filters and Transformers for more details.
Extract the Data from a JSON Object in a List
You can access lists from JSON objects in much the same way as you access incident context, including by using scripts or playbook tasks.
In this example, you can use the Set script to extract the data in a list from a parsed JSON object.
Create a list.
Go to → → → → .
In the Name field, type Test1.
Set the Content Type to JSON.
Add the following content.
{
  "domain": {
    "name": "mwidomain",
    "prod_mode": "prod",
    "user": "weblogic",
    "admin": { "servername": "AdminServer", "listenport": "8001" },
    "machines": [
      { "refname": "Machine1", "name": "MWINODE01" },
      { "refname": "Machine2", "name": "MWINODE02" }
    ],
    "clusters": [
      { "refname": "Cluster1", "name": "App1Cluster", "machine": "Box1" },
      { "refname": "Cluster1", "name": "App2Cluster", "machine": "Box2" }
    ],
    "servers": [
      { "name": "ms1", "port": 9001, "machine": "Box1", "clusterrefname": "Cluster1" },
      { "name": "ms2", "port": 9002, "machine": "Box2", "clusterrefname": "Cluster2" },
      { "name": "ms3", "port": 9003, "machine": "Box1", "clusterrefname": "Cluster1" },
      { "name": "ms4", "port": 9004, "machine": "Box2", "clusterrefname": "Cluster2" }
    ]
  }
}
Save the list.
Create a playbook task to extract the list.
Select → → .
In the Script field, select the Set script.
The Set script sets a value in context under the key entered.
In the key field, define a context key name for the data. For example, JSONData.
In the value field, set the list you want to extract by clicking the curly brackets.
Click Filters And Transformers.
In the Get field, click the curly brackets, and in the LISTS section, select the list you created in step 1.
Click Test.
In the Fetch data field, select Playground.
Click Test.
When the test completes, click Done Testing.
Save the task and playbook.
Check that all the data is stored in the context key you defined by testing the playbook using the debugger.
Click Run.
Open the Debugger Panel.
The key you defined (JSONData) holds all the data in context from the JSON object.
Extract a Subset of the Data
In general, you can extract subsets of context data in a playbook to analyze a specific information set. This also applies to working with lists, for example extracting a subset of the data from a JSON object. In this example, we want to extract server information from the list created in Extract the Data from a JSON Object in a List.
Select → → .
In the Script field, select the Set script.
The Set script sets a value in context under the key entered.
In the key field, define a context key name for the data. For example, JSONDataSubset.
In the value field, set the list you want to extract by clicking the curly brackets.
Click Filters And Transformers.
In the Get field, enter lists.Test1.domain.servers.
Click Test.
In the Fetch data field, select Playground.
Click Test.
When the test completes, click Done Testing.
Save the task and the playbook.
Check that all the data is stored in the context key you defined by testing the playbook using the debugger.
Click Run.
Open the Debugger Panel.
The key you defined (JSONDataSubset) holds the subset of the data in context from the JSON object.
Filter Extracted Data
You can filter the data subset you extracted to analyze extracted information on a more granular level. In this example, you want to filter Box1 information from the list created in Extract the Data from a JSON Object in a List.
Re-open the task and click the contents of the value field.
Under Filter, click + Add Filter.
Set the condition you want to filter for. For example, you can retrieve the list of machines named Box1 from the servers in the Test1 list by setting the filter lists.Test1.domain.servers.machine to Equal Box1.
Click Test.
In the Fetch data field, select Playground.
Click Test.
Check whether Box1 was accessed successfully.
When the test completes, click Done Testing.
Check that all the data is stored in the context key you defined by testing the playbook using the debugger.
Click Run.
Open the Debugger Panel.
The key you defined (JSONDataSubset) holds the subset of the data in context from the JSON object.
Apply Transformers to Extracted Data
In general, in a playbook you can transform (apply changes to) the data you extracted. This also applies to working with lists, for example to transform extracted data from a JSON object. Also, depending on how you store the data, you may need to transform a list into an array. In this example, you want to extract the first element in the list and transform the data to upper case from the list created in Extract the Data from a JSON Object in a List.
Re-open the task and click the contents of the value field.
To extract only the list of machines, in the Get field, type lists.Test1.domain.servers.machine.
Keep the filter created in Filter Extracted Data.
In Apply transformers on the field, click Add transformer.
Set the transformation you want to apply to the extracted data.
Add the Get index transformer to extract a specific machine element.
Set index: 0 to extract the first element from the list.
Add the To upper case (String) transformer.
The To upper case (String) transformer does not work on lists, only on individual elements. Therefore, the Get index (General) transformer needs to apply first before adding the To upper case (String) transformer.
Click Test.
In the Fetch data field, select Playground.
Click Test.
Check whether the data subset was accessed successfully by selecting the data source from an alert. You can see the results returned: BOX1.
When the test completes, click Done Testing.
Check that all the data is stored in the context key you defined by testing the playbook using the debugger.
Click Run.
Open the Debugger Panel.
The key you defined (JSONDataSubset) holds the subset of the data in context from the JSON object.
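The Get, filter and transformer chain from the sections above, modeled in plain Python as an added example (not Cortex XSOAR code and not part of the original page). The helper names and the LISTS stand-in are hypothetical, and raising an error when the upper-case step receives a list is this example's way of modeling the statement that the transformer does not work on lists.

```python
import json

# The Test1 list content from this page, reduced to the fields the steps use.
TEST1 = json.loads("""
{"domain": {"name": "mwidomain", "servers": [
  {"name": "ms1", "port": 9001, "machine": "Box1", "clusterrefname": "Cluster1"},
  {"name": "ms2", "port": 9002, "machine": "Box2", "clusterrefname": "Cluster2"},
  {"name": "ms3", "port": 9003, "machine": "Box1", "clusterrefname": "Cluster1"},
  {"name": "ms4", "port": 9004, "machine": "Box2", "clusterrefname": "Cluster2"}]}}
""")
LISTS = {"Test1": TEST1}  # hypothetical stand-in for the platform's list store


def get(path, root=None):
    """Resolve a dotted path such as lists.Test1.domain.servers.machine.
    A key applied to an array is applied to every element of the array."""
    node = {"lists": LISTS} if root is None else root
    for key in path.split("."):
        if isinstance(node, list):
            node = [i[key] for i in node if isinstance(i, dict) and key in i]
        elif isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return None  # missing key: nothing to store under the context key
    return node


def filter_equals(values, wanted):
    """Filter step: keep only the values equal to `wanted`."""
    return [v for v in values if v == wanted]


def get_index(values, index):
    """Get index step: pick one element out of a list."""
    return values[index] if 0 <= index < len(values) else None


def to_upper(value):
    """To upper case step: defined for a single string, not for a list."""
    if not isinstance(value, str):
        raise TypeError("to_upper expects a string; apply get_index first")
    return value.upper()


def box1_first_upper():
    """Same order as the task: Get, then filter, then Get index, then upper."""
    machines = get("lists.Test1.domain.servers.machine")
    return to_upper(get_index(filter_equals(machines, "Box1"), 0))
```
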