https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389470#M162 <P>Hi all,</P><P>We have several incidents that we need to work on the mapping of, but they are relatively rare and are not pulled from the (SplunkPy) integration often enough that they are in any of the events that we get when we do the mapping (6.0) and pull from the integration.</P><P>&nbsp;</P><P>They have been classified correctly, and we have several instances in XSOAR, so what we would like to do is to export the JSON from an existing incident and load it into the mapper to map the fields.&nbsp;</P><P>&nbsp;</P><P>We've tried several commands (PrintContext and DumpJSON) but neither seem to give us the incident entries.</P><P>&nbsp;</P><P>How can we best export events as JSON to load into the mapper and map fields?</P><P>&nbsp;</P><P>Thanks,</P><P>Sean</P> Fri, 05 Mar 2021 20:41:43 GMT Sean_L 2021-03-05T20:41:43Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389470#M162 <P>Hi all,</P><P>We have several incidents that we need to work on the mapping of, but they are relatively rare and are not pulled from the (SplunkPy) integration often enough that they are in any of the events that we get when we do the mapping (6.0) and pull from the integration.</P><P>&nbsp;</P><P>They have been classified correctly, and we have several instances in XSOAR, so what we would like to do is to export the JSON from an existing incident and load it into the mapper to map the fields.&nbsp;</P><P>&nbsp;</P><P>We've tried several commands (PrintContext and DumpJSON) but neither seem to give us the incident entries.</P><P>&nbsp;</P><P>How can we best export events as JSON to load into the mapper and map fields?</P><P>&nbsp;</P><P>Thanks,</P><P>Sean</P> Fri, 05 Mar 2021 20:41:43 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389470#M162 Sean_L 2021-03-05T20:41:43Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389491#M163 <P>Hi Sean,</P><P>&nbsp;</P><P>In your current mapper, do you map any unmapped fields into the labels in the context data?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adam</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Mar 2021 22:41:02 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389491#M163 ABurt 2021-03-05T22:41:02Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389615#M165 <P>Yes we do</P> Sun, 07 Mar 2021 18:14:32 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389615#M165 Sean_L 2021-03-07T18:14:32Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389720#M167 <P>You could export an existing incident and make the labels the main fields on the incident and use this JSON as a file input into the mapping.</P><P>&nbsp;</P><P>For example, create an automation script called "exportIncidentLabels" and use the following code:<BR /><BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="python">incident = demisto.incident().get('labels', {}) parsed_incident = dict() for item in incident: parsed_incident[item['type']] = item['value'] demisto.results([json.dumps(parsed_incident)])</LI-CODE><P>&nbsp;</P><P>Then execute it from the war room of the desired incident that contains the relevant labels. When the results show, download them as a file:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABurt_0-1615205436695.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30223i0E0C5C5FCCB4B9C8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ABurt_0-1615205436695.png" alt="ABurt_0-1615205436695.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABurt_1-1615205468654.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30224i6DC2FC54BA8C5A80/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ABurt_1-1615205468654.png" alt="ABurt_1-1615205468654.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABurt_2-1615205499328.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30225i4F6D52D655C4BBB2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ABurt_2-1615205499328.png" alt="ABurt_2-1615205499328.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Then open the mapper and use:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABurt_3-1615205576784.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30226i1F8DC4CCF6D5C05B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ABurt_3-1615205576784.png" alt="ABurt_3-1615205576784.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ABurt_4-1615205646092.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30227i64CE37CB28FA3235/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ABurt_4-1615205646092.png" alt="ABurt_4-1615205646092.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>However you get the data out, the mapper JSON input file expects a JSON list of dictionaries. Each array entry is considered a new incident and the JSON dictionary is considered the "rawJSON" input into an incident.</P><P>&nbsp;</P><P>[</P><P>{</P><P>&nbsp; &nbsp; "incident1_field1": "value1",</P><P>&nbsp; &nbsp; "incident1_field2": "value2"</P><P>},</P><P>{</P><P>&nbsp; &nbsp; "incident2_field1": "value1",</P><P>&nbsp; &nbsp; "incident2_field2": "value2"</P><P>}</P><P>]</P><P>&nbsp;</P> Mon, 08 Mar 2021 12:19:35 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/389720#M167 ABurt 2021-03-08T12:19:35Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/390689#M170 <P>So I finally got around to it and I added the script.&nbsp; It outputs the labels nicely.&nbsp; I ran them though CyberChef to make sure everything was correct, and there were no formatting issue, but when I upload in the Mapping Editor I get this:</P><P>&nbsp;</P><P><SPAN class="oops-title"><SPAN>Error parsing request</SPAN></SPAN></P><DIV class="oops-details">Request body is not well-formed. It must be JSON.</DIV><DIV class="oops-details">&nbsp;</DIV><DIV class="oops-error"><STRONG><SPAN>Error details</SPAN></STRONG><PRE>json: cannot unmarshal number into Go struct field queryDTOnList.list of type map[string]interface {}</PRE><P>&nbsp;</P><P>&nbsp;</P><P>This is the same message I get when I export from Splunk as JSON as well.</P></DIV> Thu, 11 Mar 2021 18:04:42 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/390689#M170 Sean_L 2021-03-11T18:04:42Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/390696#M171 <P>I figured out.&nbsp; The JSON needs top be enclosed in '[' and ']' for it to work.</P><P>&nbsp;</P><P>Adding this to the start and end of the file after the export from the script worked!</P><P>&nbsp;</P><P>Thanks!</P> Thu, 11 Mar 2021 18:09:28 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/output-json-for-incident-mapping/m-p/390696#M171 Sean_L 2021-03-11T18:09:28Z