DT Query, special characters in key:value pair

L2 Linker

I'm trying to create a "dt" filter for use with the GenericPolling playbook. (https://xsoar.pan.dev/docs/playbooks/generic-polling)

The key I need to check for the existence of is

MsGraph.Alert.Evidence.[1].@odata\.type

(XSOAR automatically adds the "\" before ".type" as the period is part of the key name when copying the context path of the key)

with a value of 

#microsoft.graph.security.analyzedMessageEvidence

Note that both the key and value contain periods, the key name starts with an @ symbol, and the value starts with an # symbol.

There are generally 3 entries in the "Evidence" array and each entry contains an "@odata.type" key. The specific value I need to find is usually in the second entry, but I need to assume that the value could be in any entry and that there could be more or fewer than 3 entries.

I have tried many ways to escape the special characters in both the key name and value, but everything comes back with "Nothing found".

${MsGraph.Alert.Evidence.[1].@odata\.type} will return the value as a "result:"

${MsGraph.Alert.Evidence.@odata\.type} returns "Nothing found." as does ${MsGraph.Alert.Evidence.\@odata\.type} and any other permutation or combination I have tried of wrapping the key name in parens (), single quotes '@odata\.type', or escaping the @ symbol with a "\".

I'm pretty sure the parsing issue is due to the key name starting with the @ symbol, but I'm just running up against a wall at this point.

Is this a "me" problem, or is this a limitation of the XSOAR DT language to query this data coming back from Microsoft?

Scrubbed Context JSON below.

{
  "MsGraph": {
    "Alert": {
      "ActorDisplayName": null,
      "AdditionalData": null,
      "AlertPolicyId": null,
      "AssignedTo": null,
      "Category": "InitialAccess",
      "Classification": null,
      "Comments": [],
      "CreatedDate": "2020-12-21T15:57:20.2566667Z",
      "Description": "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3",
      "DetectionSource": "microsoftDefenderForOffice365",
      "DetectorId": "bbbbbbbb-4444-aaaa-1234-111111111111",
      "Determination": null,
      "Evidence": [
        {
          "@odata.type": "#microsoft.graph.security.mailboxEvidence",
          "CreatedDate": "2020-12-21T15:57:20.63Z",
          "DetailedRoles": [],
          "DisplayName": "Josh Doe",
          "PrimaryAddress": "josh.doe@contoso.org",
          "RemediationStatus": "none",
          "RemediationStatusDetails": null,
          "Roles": [],
          "Tags": [],
          "UserAccount": {
            "AccountName": "josh.doe",
            "AzureAdUserId": "12345678-1234-1234-1234-123456789012",
            "DisplayName": null,
            "DomainName": "contoso.org",
            "UserPrincipalName": "josh.doe@contoso.org",
            "UserSid": "S-1-5-21-123456789-1234567890-1234567890-12345"
          },
          "Verdict": "unknown"
        },
        {
          "@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
          "AntiSpamDirection": null,
          "AttachmentsCount": 0,
          "CreatedDate": "2020-12-21T15:57:20.63Z",
          "DeliveryAction": null,
          "DeliveryLocation": null,
          "DetailedRoles": [],
          "InternetMessageId": "INTERNETMEASSAGEID-1234-abcd-000000@us-west-2.amazonses.com",
          "Language": null,
          "NetworkMessageId": "NETWORKMESSAGEID",
          "P1Sender": {
            "DisplayName": null,
            "DomainName": null,
            "EmailAddress": null
          },
          "P2Sender": {
            "DisplayName": null,
            "DomainName": null,
            "EmailAddress": "no-reply@dropbox.com"
          },
          "ReceivedDateTime": "2020-12-21T23:12:13.1259674Z",
          "RecipientEmailAddress": "josh.doe@contoso.org",
          "RemediationStatus": "none",
          "RemediationStatusDetails": null,
          "Roles": [],
          "SenderIp": "12.345.67.890",
          "Subject": "PHISHER shared \"PHISHING DOC08302024.paper\" with you",
          "Tags": [],
          "ThreatDetectionMethods": [],
          "Threats": [],
          "UrlCount": 0,
          "Urls": [],
          "Urn": null,
          "Verdict": "unknown"
        },
        {
          "@odata.type": "#microsoft.graph.security.userEvidence",
          "CreatedDate": "2020-12-21T15:57:20.63Z",
          "DetailedRoles": [],
          "RemediationStatus": "none",
          "RemediationStatusDetails": null,
          "Roles": [],
          "Stream": null,
          "Tags": [],
          "UserAccount": {
            "AccountName": "josh.doe",
            "AzureAdUserId": "12345678-1234-1234-1234-123456789012",
            "DisplayName": "Josh Doe",
            "DomainName": "contoso.org",
            "UserPrincipalName": "josh.doe@contoso.org",
            "UserSid": "S-1-5-21-123456789-1234567890-1234567890-12345"
          },
          "Verdict": "unknown"
        }
      ],
      "FirstActivityDateTime": "2020-12-21T15:54:49.6823166Z",
      "ID": "abcdefghij-klmn-1234-ab12-123456789abc",
      "IncidentId": "25262",
      "LastActivityDateTime": "2020-12-21T15:54:49.6823166Z",
      "LastUpdateDateTime": "2020-12-21T15:57:21.9066667Z",
      "MitreTechniques": [
        "T1566"
      ],
      "ProductName": "Microsoft Defender for Office 365",
      "ProviderAlertId": "abcdefgh-1234-ab12-ab12-abcd12345678",
      "RecommendedActions": "",
      "ResolvedDateTime": null,
      "ServiceSource": "microsoftDefenderForOffice365",
      "Severity": "low",
      "Status": "inProgress",
      "SystemTags": [],
      "TenantId": "TENANTID",
      "ThreatDisplayName": null,
      "ThreatFamilyName": null,
      "Title": "Email reported by user as malware or phish"
    }
  }
}
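To make the intended check concrete outside of XSOAR, here is an added Python example (not the poster's code and not XSOAR's DT engine). It walks a trimmed copy of the scrubbed context above with a small path resolver that accepts the path form shown in the post (dotted segments, `[n]` index segments, and `\.` for a literal period inside a key name); that grammar is an assumption modelled on the copied context path, not a description of how DT itself parses. The point it demonstrates is that "@" and "#" need no escaping once the key is addressed as a plain string, and that the check must scan every Evidence entry rather than a fixed index.

```python
"""Offline model of 'does any Evidence entry carry this @odata.type?'.

Added example, not XSOAR or integration code. The path grammar below is an
assumption modelled on the context path shown in the post; it is not DT.
"""
import re

# Trimmed copy of the scrubbed context JSON from the post; only the keys the
# check touches are kept.
CONTEXT = {
    "MsGraph": {
        "Alert": {
            "Evidence": [
                {"@odata.type": "#microsoft.graph.security.mailboxEvidence",
                 "PrimaryAddress": "josh.doe@contoso.org"},
                {"@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
                 "Subject": "PHISHER shared \"PHISHING DOC08302024.paper\" with you"},
                {"@odata.type": "#microsoft.graph.security.userEvidence"},
            ]
        }
    }
}

TARGET_TYPE = "#microsoft.graph.security.analyzedMessageEvidence"

# A segment is a run of characters that are not an unescaped period; the
# alternation tries the escaped form '\.' first so it stays inside the segment.
_SEGMENT = re.compile(r"(?:\\.|[^.])+")


def split_path(path):
    r"""Split 'A.B.[1].@odata\.type' into ['A', 'B', '[1]', '@odata.type']."""
    return [m.group(0).replace("\\.", ".") for m in _SEGMENT.finditer(path)]


def resolve(obj, path):
    """Walk obj along path; return None as soon as a segment cannot be applied."""
    for seg in split_path(path):
        if seg.startswith("[") and seg.endswith("]"):
            # Index segment: only valid on a list and only inside its bounds.
            if not isinstance(obj, list):
                return None
            idx = int(seg[1:-1])
            if not 0 <= idx < len(obj):
                return None
            obj = obj[idx]
        elif isinstance(obj, dict) and seg in obj:
            # Key segment: '@odata.type' is just a dict key here, no escaping.
            obj = obj[seg]
        else:
            return None
    return obj


def matching_evidence(context, key, value):
    """Every Evidence entry (any position, any count) whose key equals value."""
    evidence = resolve(context, "MsGraph.Alert.Evidence") or []
    return [e for e in evidence if isinstance(e, dict) and e.get(key) == value]


def evidence_has_type(context, odata_type=TARGET_TYPE):
    """True when at least one Evidence entry carries the wanted @odata.type."""
    return bool(matching_evidence(context, "@odata.type", odata_type))


if __name__ == "__main__":
    print(resolve(CONTEXT, r"MsGraph.Alert.Evidence.[1].@odata\.type"))
    print(evidence_has_type(CONTEXT))
    for entry in matching_evidence(CONTEXT, "@odata.type", TARGET_TYPE):
        print(entry.get("Subject"))
```

Note that `resolve` returns None for the index-free form `MsGraph.Alert.Evidence.@odata.type`, because a key segment cannot be applied to a list; the scan over entries has to be explicit, which is what `matching_evidence` does.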

1 REPLY

L2 Linker

In case it's relevant, the data is coming from the "msg-search-alerts" automation of the Microsoft Graph Security integration. (https://xsoar.pan.dev/docs/reference/integrations/microsoft-graph)
The "msg-get-alert-details" automation can also retrieve the same data, but the search-alerts automation is easier to filter based on the incident ID which is included when the incident is fetched by XSOAR. In either case, the key name structure is the same from both automations.
