Use cases: JSON lists - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-12-12
Category
Administrator Guide
Solution
Cloud
Abstract

Manage JSON lists in Cortex XSOAR that can be accessed by automations, playbooks, etc. List commands, lists arrays separators delimiters

List data can be stored in various structures, including JSON format. When accessing a valid JSON file from within a playbook, it is automatically parsed as a JSON object (list). Depending on how you store the data, you may need to Transform a list into an array. For example, when using non-built-in commands in a script or looping over items in a list, you should convert the list into an array. Working with a JSON file list in a playbook typically involves the following:

  • Extract the data from a JSON object

  • Extract a subset of the data

  • Filter extracted data

  • Apply transformers to extracted data.

Create a JSON list and use the Set automation to create a new context key that can extract the data from the list.

  1. Create a List:

    1. In the Name field, type Test1.

    2. Select Settings & Info Settings Advanced Lists Add a List.

    3. In the Content Type field, select JSON and add the following content:

      {    
          "domain": {
              "name": "mwidomain",
              "prod_mode": "prod",
              "user": "weblogic",
              "admin": {
                  "servername": "AdminServer",
                  "listenport": "8001"
              },
              "machines": [
                  {
                      "refname": "Machine1",
                      "name": "MWINODE01"
                  },
                  {
                      "refname": "Machine2",
                      "name": "MWINODE02"
                  }
              ],
              "clusters": [
                  {
                      "refname": "Cluster1",
                      "name": "App1Cluster",
                      "machine": "Box1"
                  },
                  {
                      "refname": "Cluster1",
                      "name": "App2Cluster",
                      "machine": "Box2"
                  }
              ],
              "servers": [
                  {
                      "name": "ms1",
                      "port": 9001,
                      "machine": "Box1",
                      "clusterrefname": "Cluster1"
                  },
                  {
                      "name": "ms2",
                      "port": 9002,
                      "machine": "Box2",
                      "clusterrefname": "Cluster2"
                  }
              ]
          }
      }
    4. Save the list.

  2. Create a playbook task with the Set automation:

    1. Select PlaybooksNew Playbook.

    2. Name the playbook, and click Save.

    3. Click Create Task and provide a task name.

    4. In the Choose Script field, select Set .

      The Set script sets a value in context under the key entered.

    5. In the key field, define a context key name for the data. For example, JSONData.

      Screenshot_2024-02-22_at_13_00_37.png
    6. In the value field, set the list you want to extract by clicking the curly brackets.

    7. Click Filters And Transformers.

    8. In the Get field, click the curly brackets, and in the Select source for value section, select the list you created in step 1: Test1.

    9. In the Fetch data field, select an incident to test the data.

    10. Click Test.

      In this example, the test results have found the list data.

      Screenshot_2024-02-22_at_14_08_00.png
    11. When the test completes, click Save.

    12. Save the task and playbook.

  3. Check all the data is stored in the context key you defined by testing the playbook using the debugger:

    1. Click Run.

    2. Open the Debugger Panel.

      The key you defined, JSONData, holds the data in context from the JSON object.

      Screenshot_2024-02-22_at_14_40_34.png

In a playbook, you can extract subsets of context data to analyze a specific information set. This approach also applies when working with lists, such as extracting a subset of data from a JSON object. In this example, we extract server information from the list created above.

  1. In a playbook, create a task.

    1. In the Choose Script field, select Set .

    2. In the key field, define a context key name for the data; for example, JSONDataSubset.

    3. In the value field, set the list you want to extract by clicking the curly brackets.

    4. Click Filters And Transformers.

    5. In the Get field, enter lists.Test1.domain.servers.

    6. In the Fetch data field, select an incident to test the data.

    7. Click Test.

    8. When the test completes, click Save.

    9. Save the task and the playbook.

  2. Check that all the data is stored in the context key you defined by testing the playbook using the debugger.

    1. Click Run Debugger Panel.

    2. The key you defined (JSONDataSubset) holds the subset of the data in context from the JSON object.

      work-with-json-lists-subset-8x.png

You can filter the extracted data subset to analyze it on a more granular level. In this example, we filter Box1 information from the list created in Extract the data from a JSON Object above.

  1. Re-open the task you created above.

  2. Click the value field.

  3. Under Filter, click Add Filter.

  4. Set the condition you want to filter.

    In this example, retrieve the list of machines named Box1 from Test1 list by setting the filter lists.Test1.domain.servers.machine Equals Box1.

    work-with-json-lists-filter-data-8-x.png
  5. Click Test.

  6. Check whether the data subset was accessed successfully by selecting the data source from an incident. You can see the results returned machine: Box1.

    lists-test.png

In general, in a playbook task, you can transform (apply changes) to the data extracted. This also applies to working with lists ,such as transforming extracted data from a JSON object. In this example, we extract the first element from the list created in the 'Extract Data from a JSON Object' section above and transform it to uppercase.

  1. Re-open the task, click the contents of the value field, and keep the current filters.

  2. In the Apply transformers on the field, click Add transformer.

  3. Add the following transformers to the extracted data:

    1. Add the Get index (General) transformer to extract a specific machine element.

      Set index: 0 to extract the first element from the list.

    2. Add the To upper case (String) transformer.

      The To upper case (String) transformer does not work on lists, only on individual elements. Therefore, the Get index (General) transformer should be applied before adding the To upper case (String) transformer.

    lists-trans.png
  4. In the Fetch Data field, select anincident to test and click Test.