<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Mapping the Microsoft Security Graph to a custom incident type in Cortex XSOAR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mapping-the-microsoft-security-graph-to-a-custom-incident-type/m-p/393419#M194</link>
    <description>&lt;P&gt;Like I said, I am a beginner and when I discussed it with a coworker he pointed to an automation that didn't take into account the recursion. This topic can thus be considered closed.&lt;/P&gt;</description>
    <pubDate>Wed, 24 Mar 2021 16:29:55 GMT</pubDate>
    <dc:creator>EVanderhasselt</dc:creator>
    <dc:date>2021-03-24T16:29:55Z</dc:date>
    <item>
      <title>Mapping the Microsoft Security Graph to a custom incident type</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mapping-the-microsoft-security-graph-to-a-custom-incident-type/m-p/393415#M193</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am a noob in XSOAR, so if I am missing something obvious, my apologies.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;I am working on an implementation where the system owner has set up a custom incident type for their Microsoft Security Graph API. The idea is now to do the mapping and I am stuck. The JSON contains the classic key value pairs but some of the values are actually arrays with dictionaries in them. For example&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;hostStates:[{"fqdn":"host.domain.example","isAzureAdJoined":"false",...}]&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would like to map the Hostnames field to the fqdn but I have no clue how to. I tried a couple of things already (hostStates.fqdn and hostStates[0]['fqdn']) without success.&lt;BR /&gt;&lt;BR /&gt;I noticed that in the examples I found online everybody has a nice key:value, nothing like what I am trying to do so this makes me wonder if what I am trying to do is actually possible via the web interface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Like I said, this is a new tool for me and so every day I am learning something new.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards,&lt;/P&gt;&lt;P&gt;Erik&lt;/P&gt;</description>
      <pubDate>Wed, 24 Mar 2021 16:10:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mapping-the-microsoft-security-graph-to-a-custom-incident-type/m-p/393415#M193</guid>
      <dc:creator>EVanderhasselt</dc:creator>
      <dc:date>2021-03-24T16:10:56Z</dc:date>
    </item>
    <item>
      <title>Re: Mapping the Microsoft Security Graph to a custom incident type</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mapping-the-microsoft-security-graph-to-a-custom-incident-type/m-p/393419#M194</link>
      <description>&lt;P&gt;Like I said, I am a beginner and when I discussed it with a coworker he pointed to an automation that didn't take into account the recursion. This topic can thus be considered closed.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Mar 2021 16:29:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/mapping-the-microsoft-security-graph-to-a-custom-incident-type/m-p/393419#M194</guid>
      <dc:creator>EVanderhasselt</dc:creator>
      <dc:date>2021-03-24T16:29:55Z</dc:date>
    </item>
  </channel>
</rss>

