Convert JSON or String to Array

Hi there,

I need to extract some keys and values from a JSON object and create an array to loop through through them.
JSON example:

“event”: {
“computer”: {
“active”: true,
“connector_guid”: “300588d8-7ebd-488f-931b-f838d2ef596f”,
“external_ip”: “”,
“hostname”: “LAPTOP01”,
“links”: {
“computer”: “”,
“group”: “”,
“trajectory”: “
“network_addresses”: [
“ip”: “”,
“mac”: “00:38:51:63:96:48”
“connector_guid”: “300588d8-7ebd-488f-931b-f838d2ef596f”,
“date”: “2023-04-28T02:59:31+00:00”,
“detection”: “Win.Ransomware.Wannacryptor::1201”,
“detection_id”: “7226930032034186913”,
“event_type”: “Threat Detected”,
“event_type_id”: 1090519054,
“file”: {
“disposition”: “Malicious”,
“file_name”: “ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe”,
“file_path”: “\\?\C:\Users\Documents\BAS\Ransomware Samples\Ransomware.WannaCry\Ransomware.WannaCry.exe”,
“identity”: {
“md5”: “84c82835a5d21bbcf75a61706d8ab549”,
“sha1”: “5ff465afaabcbf0150d1a3ab2c2e74f3a4426467”,
“sha256”: “ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa”
“group_guids”: [
“id”: 7226930032034187000,
“severity”: “Medium”,
“tactics”: [
“techniques”: [
“timestamp”: 1682650771,
“timestamp_nanoseconds”: 639000000

Desired array output:

“type”: “ip”,
“value”: “”
“type”: “md5”,
“value”: “84c82835a5d21bbcf75a61706d8ab549”
“type”: “sha1”,
“value”: “5ff465afaabcbf0150d1a3ab2c2e74f3a4426467”
“type”: “sha256”,
“value”: “ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa”

What plugins should I use to get the desired array output?

Delvain Mbina

You can use JQ, not sure of the appropriate syntax off the top of my head without playing with it. Or you can use a couple of plugins to do it as well.

Type Converter → Object to String
ExtractIt → Extract IP, Hashes, etc… (This would be a step per item to extract)
Type Converter → Combine Arrays
Run loop over combined array

I would use the regular expresstion step twice, and store the results in artifacts. Create the expressions stating with a lookback to determine where to start and forward or length to end. Since your looking for the same specific info every time, its easier to use regex than to try and parse.

Hi @michael_cochran and @ebennick,

Thank you for your suggestions. For simplicity and efficiency, I used the Python plugin and wrote a code that created an array as output to parse it using the loop step.