09-11-2024 10:22 AM - edited 09-12-2024 09:37 AM
I'm trying to create a "dt" filter for use with the GenericPolling playbook. (https://xsoar.pan.dev/docs/playbooks/generic-polling)
The key I need to check for the existence of is
MsGraph.Alert.Evidence.[1].@odata\.type
(XSOAR automatically adds the "\" before ".type" as the period is part of the key name when copying the context path of the key)
with a value of
#microsoft.graph.security.analyzedMessageEvidence
Note that both the key and value contain periods, the key name starts with an @ symbol, and the value starts with a # symbol.
There are generally 3 entries in the "Evidence" array and each entry contains an "@odata.type" key. The specific value I need to find is usually in the second entry, but I need to assume that the value could be in any entry and that there could be more or fewer than 3 entries.
I have tried many ways to escape the special characters in both the key name and value, but everything comes back with "Nothing found".
${MsGraph.Alert.Evidence.[1].@odata\.type} will return the value as a "result:"
${MsGraph.Alert.Evidence.@odata\.type} returns "Nothing found." as does ${MsGraph.Alert.Evidence.\@odata\.type} and any other permutation or combination I have tried of wrapping the key name in parens (), single quotes '@odata\.type', or escaping the @ symbol with a "\".
I'm pretty sure the parsing issue is due to the key name starting with the @ symbol, but I'm just running up against a wall at this point.
Is this a "me" problem, or is this a limitation of the XSOAR DT language to query this data coming back from Microsoft?
Scrubbed Context JSON below. (Edit: Simplified the JSON data to only include the relevant items)