DT Query, special characters in key:value pair

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DT Query, special characters in key:value pair

L2 Linker

I'm trying to create a "dt" filter for use with the GenericPolling playbook. (https://xsoar.pan.dev/docs/playbooks/generic-polling)

The key I need to check for the existence of is

MsGraph.Alert.Evidence.[1].@odata\.type

(XSOAR automatically adds the "\" before ".type" as the period is part of the key name when copying the context path of the key)

with a value of 

#microsoft.graph.security.analyzedMessageEvidence

 

cmcneil_0-1726072639505.png

Note that both the key and value contain periods, the key name starts with an @ symbol, and the value starts with an # symbol.

 

There are generally 3 entries in the "Evidence" array and each entry contains an "@odata.type" key. The specific value I need to find is usually in the second entry, but I need to assume that the value could be in any entry and that there could be more or less than 3 entries.

 

I have tried many ways to escape the special characters in both the key name and value, but everything comes back with "Nothing found".

 

${MsGraph.Alert.Evidence.[1].@odata\.type} will return the value as a "result:"

cmcneil_1-1726073507105.png

 

${MsGraph.Alert.Evidence.@odata\.type} returns "Nothing found." as does ${MsGraph.Alert.Evidence.\@odata\.type} and any other permutation or combination I have tried of wrapping the key name in parens (), single quotes '@odata\.type', or escaping the @ symbol with a "\".

 

I'm pretty sure the parsing issue is due to the key name starting with the @ symbol, but I'm just running up against a wall at this point.

 

Is this a "me" problem, or is this a limitation of the XSOAR DT language to query this data coming back from Microsoft?

 

Scrubbed Context JSON below. (Edit: Simplified the JSON data to only include the relevant items)

Spoiler
{
"MsGraph": {
    "Alert": {
      "Evidence": [
        {
          "@odata.type": "#microsoft.graph.security.mailboxEvidence",
          "CreatedDate": "2020-12-21T15:57:20.63Z",
          "DetailedRoles": [],
          "DisplayName": "Josh Mulders",
          "PrimaryAddress": "josh.mulders@contoso.org",
          "RemediationStatus": "none",
          "RemediationStatusDetails": null,
          "Roles": [],
          "Tags": [],
          "UserAccount": {
            "AccountName": "josh.mulders",
            "AzureAdUserId": "12345678-1234-1234-1234-123456789012",
            "DisplayName": null,
            "DomainName": "contoso.org",
            "UserPrincipalName": "josh.mulders@contoso.org",
            "UserSid": "S-1-5-21-123456789-1234567890-1234567890-12345"
          },
          "Verdict": "unknown"
        },
        {
          "@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
          "AntiSpamDirection": null,
          "AttachmentsCount": 0,
          "CreatedDate": "2020-12-21T15:57:20.63Z",
          "DeliveryAction": null,
          "DeliveryLocation": null,
          "DetailedRoles": [],
          "InternetMessageId": "INTERNETMEASSAGEID-1234-abcd-000000@us-west-2.amazonses.com",
          "Language": null,
          "NetworkMessageId": "NETWORKMESSAGEID",
          "P1Sender": {
            "DisplayName": null,
            "DomainName": null,
            "EmailAddress": null
          },
          "P2Sender": {
            "DisplayName": null,
            "DomainName": null,
            "EmailAddress": "no-reply@dropbox.com"
          },
          "ReceivedDateTime": "2020-12-21T23:12:13.1259674Z",
          "RecipientEmailAddress": "josh.mulders@contoso.org",
          "RemediationStatus": "none",
          "RemediationStatusDetails": null,
          "Roles": [],
          "SenderIp": "12.345.67.890",
          "Subject": "PHISHER shared \"PHISHING DOC08302024.paper\" with you",
          "Tags": [],
          "ThreatDetectionMethods": [],
          "Threats": [],
          "UrlCount": 0,
          "Urls": [],
          "Urn": null,
          "Verdict": "unknown"
        },
        {
          "@odata.type": "#microsoft.graph.security.userEvidence",
          "CreatedDate": "2020-12-21T15:57:20.63Z",
          "DetailedRoles": [],
          "RemediationStatus": "none",
          "RemediationStatusDetails": null,
          "Roles": [],
          "Stream": null,
          "Tags": [],
          "UserAccount": {
            "AccountName": "josh.mulders",
            "AzureAdUserId": "12345678-1234-1234-1234-123456789012",
            "DisplayName": "Josh Mulders",
            "DomainName": "contoso.org",
            "UserPrincipalName": "josh.mulders@contoso.org",
            "UserSid": "S-1-5-21-123456789-1234567890-1234567890-12345"
          },
          "Verdict": "unknown"
        }
      ]
    }
  }
}

 

1 REPLY 1

L2 Linker

In case it's relevant, the data is coming from the "msg-search-alerts" automation of the Microsoft Graph Security integration. (https://xsoar.pan.dev/docs/reference/integrations/microsoft-graph)
The "msg-get-alert-details" automation can also retrieve the same data, but the search-alerts automation is easier to filter based on the incident ID which is included when the incident is fetched by XSOAR. In either case, the key name structure is the same from both automations.

  • 249 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!