Convert JSON or String to Array

Hi there,

I need to extract some keys and values from a JSON object and create an array to loop through them.
JSON example:

{
  "event": {
    "computer": {
      "active": true,
      "connector_guid": "300588d8-7ebd-488f-931b-f838d2ef596f",
      "external_ip": "72.117.52.44",
      "hostname": "LAPTOP01",
      "links": {
        "computer": "https://crowdstrike.com/computers/300588d8-7ebd-488f-931b-f838d2ef596f",
        "group": "https://crowdstrike.com/groups/d440d0ea-cd87-4ad5-868f-676f1dc1706a",
        "trajectory": "https://crowdstrike.com/computers/300588d8-7ebd-488f-931b-f838d2ef596f/trajectory"
      },
      "network_addresses": [
        {
          "ip": "192.168.143.122",
          "mac": "00:38:51:63:96:48"
        }
      ]
    },
    "connector_guid": "300588d8-7ebd-488f-931b-f838d2ef596f",
    "date": "2023-04-28T02:59:31+00:00",
    "detection": "Win.Ransomware.Wannacryptor::1201",
    "detection_id": "7226930032034186913",
    "event_type": "Threat Detected",
    "event_type_id": 1090519054,
    "file": {
      "disposition": "Malicious",
      "file_name": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe",
      "file_path": "\\\\?\\C:\\Users\\Documents\\BAS\\Ransomware Samples\\Ransomware.WannaCry\\Ransomware.WannaCry.exe",
      "identity": {
        "md5": "84c82835a5d21bbcf75a61706d8ab549",
        "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
        "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
      }
    },
    "group_guids": [
      "d440d0ea-cd87-4ad5-868f-676f1dc1706a"
    ],
    "id": 7226930032034187000,
    "severity": "Medium",
    "tactics": [
      "TA0002",
      "TA0011",
      "TA0042"
    ],
    "techniques": [
      "T1105",
      "T1204",
      "T1204.003",
      "T1569"
    ],
    "timestamp": 1682650771,
    "timestamp_nanoseconds": 639000000
  }
}

Desired array output:

[
  {
    "type": "ip",
    "value": "72.117.52.44"
  },
  {
    "type": "md5",
    "value": "84c82835a5d21bbcf75a61706d8ab549"
  },
  {
    "type": "sha1",
    "value": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
  },
  {
    "type": "sha256",
    "value": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
  }
]

What plugins should I use to get the desired array output?

Best,
Delvain Mbina

You can use JQ, not sure of the appropriate syntax off the top of my head without playing with it. Or you can use a couple of plugins to do it as well.

Type Converter → Object to String
ExtractIt → Extract IP, Hashes, etc… (This would be a step per item to extract)
Type Converter → Combine Arrays
Run loop over combined array

I would use the regular expression step twice, and store the results in artifacts. Create the expressions starting with a lookback to determine where to start and forward or length to end. Since you're looking for the same specific info every time, it's easier to use regex than to try and parse.

Hi @michael_cochran and @ebennick,

Thank you for your suggestions. For simplicity and efficiency, I used the Python plugin and wrote code that created an array as output to parse it using the loop step.
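
The code from the last post was not shared, so the following is an added example, not the poster's own script: one way to build the desired array in Python from the event in the question, accepting either a dict or a JSON string. The names build_indicator_array, HASH_LENGTHS and SAMPLE_EVENT are assumptions made for illustration, and the wrapper a particular Python plugin expects around the function is not shown.

```python
import ipaddress
import json
import re

# Expected hex length per hash type, used to reject malformed values.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def build_indicator_array(event_input):
    """Return [{"type": ..., "value": ...}, ...] from an event given as dict or JSON string."""
    data = json.loads(event_input) if isinstance(event_input, str) else event_input
    event = data.get("event") or {}
    indicators = []

    # External IP of the reporting computer; skipped if absent or not a valid address.
    external_ip = (event.get("computer") or {}).get("external_ip")
    if isinstance(external_ip, str):
        try:
            ipaddress.ip_address(external_ip)
            indicators.append({"type": "ip", "value": external_ip})
        except ValueError:
            pass

    # File hashes in a fixed order, kept only when they are hex of the right length.
    identity = (event.get("file") or {}).get("identity") or {}
    for hash_type, length in HASH_LENGTHS.items():
        value = identity.get(hash_type)
        if isinstance(value, str) and re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value):
            indicators.append({"type": hash_type, "value": value.lower()})
    return indicators


# Constructed sample: a trimmed copy of the event from the question.
SAMPLE_EVENT = """{"event": {"computer": {"external_ip": "72.117.52.44", "hostname": "LAPTOP01"},
  "file": {"identity": {"md5": "84c82835a5d21bbcf75a61706d8ab549",
    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}"""

if __name__ == "__main__":
    print(json.dumps(build_indicator_array(SAMPLE_EVENT), indent=2))
```

Events that lack a file or computer section return a shorter (or empty) array instead of raising, so a loop step downstream does not fail on detections without hashes.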