Issue
The "JSON test" when creating an Alert workflow rule provides the wrong syntax, and consequently the workflow rule does not perform as expected.
Environment
Red Canary
Resolution
It's important to use proper syntax for setting up workflow rules when using the "When Native Alert JSON field equals" condition. This is also applicable when using the native_json_raw variable in Playbooks.
Users must specify "native_json_raw" followed by the field in which the value that they are matching is found.
The field must be enclosed in square brackets and single quotes: ['field_name']. If the value is nested under another field, the user must specify the parent field followed by the field that contains the value: ['parent_field']['nested_field'].
Using the following JSON output as an example:
If a user wanted to create a WFR around the ttps, under Enter field the customer should add the following:
native_json_raw['threat_indicators']['ttps']
Under Enter value, the customer can enter any of the values listed under the "ttps" field. In most cases, there is no need to add quotes around the value.
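The following is an added example, not part of this article or of Red Canary's product, that shows how the documented syntax resolves against alert JSON. The sample alert is constructed for illustration, and the matching behaviour (a list field such as ttps matches when the entered value is one of its elements; scalar values compare as strings, so no quotes are needed) is an assumption that mirrors the article's guidance rather than a description of the product's internals.

```python
import json
import re

# Constructed sample native alert JSON for illustration only (not a real Red Canary alert).
SAMPLE_ALERT = json.loads("""
{
  "id": "example-alert-0001",
  "severity": "high",
  "threat_indicators": {
    "ttps": ["T1059.001", "T1055"],
    "confidence": 0.9
  },
  "process": {"name": "powershell.exe", "parent": {"name": "winword.exe"}}
}
""")

# One bracketed key in the documented syntax: ['field_name']
_KEY = re.compile(r"\['([^']*)'\]")
# The whole expression: native_json_raw followed by one or more bracketed keys.
_PATH = re.compile(r"^native_json_raw((?:\['[^']*'\])+)$")


def parse_field_path(expr):
    """Return the list of keys from an expression such as
    native_json_raw['threat_indicators']['ttps'].
    Raises ValueError for anything outside the documented syntax
    (e.g. missing quotes or a missing native_json_raw prefix)."""
    m = _PATH.match(expr.strip())
    if not m:
        raise ValueError(f"not a valid native_json_raw field expression: {expr!r}")
    return _KEY.findall(m.group(1))


def resolve_field(alert, expr):
    """Walk the alert JSON along the parsed path; return None if any key is absent."""
    node = alert
    for key in parse_field_path(expr):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def field_equals(alert, expr, value):
    """Evaluate a 'When Native Alert JSON field equals' condition.
    Assumption (hypothetical, not the product's documented semantics):
    a list field matches when the entered value equals any element, and
    scalars are compared as strings so the rule value needs no quotes."""
    found = resolve_field(alert, expr)
    if found is None:
        return False
    if isinstance(found, list):
        return any(str(item) == str(value) for item in found)
    return str(found) == str(value)


if __name__ == "__main__":
    rule_field = "native_json_raw['threat_indicators']['ttps']"
    print(parse_field_path(rule_field))                      # ['threat_indicators', 'ttps']
    print(field_equals(SAMPLE_ALERT, rule_field, "T1055"))    # True
    print(field_equals(SAMPLE_ALERT, rule_field, "T9999"))    # False
```

Entering the field exactly as parse_field_path expects it (native_json_raw prefix, each key in brackets and single quotes) is the whole point: a rule whose field expression does not parse can never match an alert, so it is worth checking a new rule against a known alert before relying on it.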