DT Query, special characters in key:value pair

cmcneil — Thu, 12 Sep 2024 16:37:02 GMT

I'm trying to create a "dt" filter for use with the GenericPolling playbook. (https://xsoar.pan.dev/docs/playbooks/generic-polling)

The key I need to check for the existence of is

MsGraph.Alert.Evidence.[1].@odata\.type

(XSOAR automatically adds the "\" before ".type" as the period is part of the key name when copying the context path of the key)

with a value of

#microsoft.graph.security.analyzedMessageEvidence

Note that both the key and value contain periods, the key name starts with an @ symbol, and the value starts with an # symbol.

There are generally 3 entries in the "Evidence" array and each entry contains an "@odata.type" key. The specific value I need to find is usually in the second entry, but I need to assume that the value could be in any entry and that there could be more or less than 3 entries.

I have tried many ways to escape the special characters in both the key name and value, but everything comes back with "Nothing found".

${MsGraph.Alert.Evidence.[1].@odata\.type} will return the value as a "result:"

${MsGraph.Alert.Evidence.@odata\.type} returns "Nothing found." as does ${MsGraph.Alert.Evidence.\@odata\.type} and any other permutation or combination I have tried of wrapping the key name in parens (), single quotes '@odata\.type', or escaping the @ symbol with a "\".

I'm pretty sure the parsing issue is due to the key name starting with the @ symbol, but I'm just running up against a wall at this point.

Is this a "me" problem, or is this a limitation of the XSOAR DT language to query this data coming back from Microsoft?

Scrubbed Context JSON below. (Edit: Simplified the JSON data to only include the relevant items)

{

"MsGraph": {

"Alert": {

"Evidence": [

{

"@odata.type": "#microsoft.graph.security.mailboxEvidence",

"CreatedDate": "2020-12-21T15:57:20.63Z",

"DetailedRoles": [],

"DisplayName": "Josh Mulders",

"PrimaryAddress": "josh.mulders@contoso.org",

"RemediationStatus": "none",

"RemediationStatusDetails": null,

"Roles": [],

"Tags": [],

"UserAccount": {

"AccountName": "josh.mulders",

"AzureAdUserId": "12345678-1234-1234-1234-123456789012",

"DisplayName": null,

"DomainName": "contoso.org",

"UserPrincipalName": "josh.mulders@contoso.org",

"UserSid": "S-1-5-21-123456789-1234567890-1234567890-12345"

"Verdict": "unknown"

{

"@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",

"AntiSpamDirection": null,

"AttachmentsCount": 0,

"CreatedDate": "2020-12-21T15:57:20.63Z",

"DeliveryAction": null,

"DeliveryLocation": null,

"DetailedRoles": [],

"InternetMessageId": "INTERNETMEASSAGEID-1234-abcd-000000@us-west-2.amazonses.com",

"Language": null,

"NetworkMessageId": "NETWORKMESSAGEID",

"P1Sender": {

"DisplayName": null,

"DomainName": null,

"EmailAddress": null

"P2Sender": {

"DisplayName": null,

"DomainName": null,

"EmailAddress": "no-reply@dropbox.com"

"ReceivedDateTime": "2020-12-21T23:12:13.1259674Z",

"RecipientEmailAddress": "josh.mulders@contoso.org",

"RemediationStatus": "none",

"RemediationStatusDetails": null,

"Roles": [],

"SenderIp": "12.345.67.890",

"Subject": "PHISHER shared \"PHISHING DOC08302024.paper\" with you",

"Tags": [],

"ThreatDetectionMethods": [],

"Threats": [],

"UrlCount": 0,

"Urls": [],

"Urn": null,

"Verdict": "unknown"

{

"@odata.type": "#microsoft.graph.security.userEvidence",

"CreatedDate": "2020-12-21T15:57:20.63Z",

"DetailedRoles": [],

"RemediationStatus": "none",

"RemediationStatusDetails": null,

"Roles": [],

"Stream": null,

"Tags": [],

"UserAccount": {

"AccountName": "josh.mulders",

"AzureAdUserId": "12345678-1234-1234-1234-123456789012",

"DisplayName": "Josh Mulders",

"DomainName": "contoso.org",

"UserPrincipalName": "josh.mulders@contoso.org",

"UserSid": "S-1-5-21-123456789-1234567890-1234567890-12345"

"Verdict": "unknown"

}

]

}

Re: DT Query, special characters in key:value pair

cmcneil — Wed, 11 Sep 2024 17:32:00 GMT

In case it's relevant, the data is coming from the "msg-search-alerts" automation of the Microsoft Graph Security integration. (https://xsoar.pan.dev/docs/reference/integrations/microsoft-graph)
The "msg-get-alert-details" automation can also retrieve the same data, but the search-alerts automation is easier to filter based on the incident ID which is included when the incident is fetched by XSOAR. In either case, the key name structure is the same from both automations.

Re: DT Query, special characters in key:value pair

SeanKirby — Fri, 29 Aug 2025 20:56:57 GMT

${MsGraph.Alert.Evidence.@odata\\.type} see if that helps

Re: DT Query, special characters in key:value pair

pagnihotri — Sun, 14 Sep 2025 17:54:18 GMT

${MicrosoftData.MsGraph.Alert.Evidence.[].@odata\.type}

@cmcneil @SeanKirby

This works.

topic Re: DT Query, special characters in key:value pair in Cortex XSOAR Discussions

DT Query, special characters in key:value pair

Re: DT Query, special characters in key:value pair

Re: DT Query, special characters in key:value pair

Re: DT Query, special characters in key:value pair