How to input a regex-extracted value into a VirusTotal hash check

I’m trying to create a workflow that reads a hash value from a custom alert using the Advanced Regex plugin, which extracts the hash value from the raw log data.

However, I’m facing a situation where the extracted file hash from the regex extract step couldn’t be inserted into the VirusTotal plugin to be checked due to type issues.

The hash being extracted from the extract step has some brackets along with it due to the output being of type array.

I’m wondering how to fix this issue and convert the output type into a string to be able to insert it into the VT step to be checked.

I also faced this issue before and found a workaround solution.
Instead of using Advanced Regex or ExtractIt, I went with jq (if your log is also JSON).
jq’s output is a string, and it made it easier for me.

But to make a completely useful comment, it would be nice if you can share the workflow you’ve created or at least the relevant steps.


That sounds like a workable solution and I might give it a try. THANKS :)

However, let me tell you about my workflow.
It’s a very simple workflow that goes as follows:

Custom alert trigger – regex extract data – VT check

The extraction step is working just fine, but the main issue is with the array thing I mentioned earlier.

Yeah that sounds like a simple one.
Also, in case you didn’t try it yet, “ExtractIt” has a built-in function that extracts hashes, IOCs, etc.
As far as I remember it returns an array, but might be good to check it.

There is another plugin that you can use to convert different data types. The plugin, called “Type Converter”, allows you to convert an array to a string. It also has a delimiter option to get more granular in how you break the data up.
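
The array-to-string step this thread is about, sketched in plain Python as an added example (not posted by anyone in the thread, and not using any plugin's API). The function names and the sample log line are constructed for illustration; it assumes the extract step hands over a list, a nested list, or a bracketed string, and it checks that the value really is an MD5, SHA-1 or SHA-256 before a lookup.

```python
import re

# Hex digest lengths for MD5 (32), SHA-1 (40) and SHA-256 (64).
# \b keeps a 64-char digest from also matching as a 40- or 32-char one.
HASH_RE = re.compile(r"\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b")


def flatten(value):
    """Yield string leaves from nested lists/tuples (regex groups can nest)."""
    if isinstance(value, (list, tuple)):
        for item in value:
            yield from flatten(item)
    elif value is not None:
        yield str(value)


def to_hash_strings(step_output):
    """Return unique, lower-cased hashes found in an array-typed step output.

    Also copes with an array that was already stringified, e.g. "['abc...']",
    because the hash is re-matched inside each string instead of trusted as-is.
    """
    found = []
    for text in flatten(step_output):
        for match in HASH_RE.findall(text):
            digest = match.lower()
            if digest not in found:
                found.append(digest)
    return found


def single_hash(step_output):
    """Return exactly one hash as a plain string, or fail loudly."""
    hashes = to_hash_strings(step_output)
    if len(hashes) != 1:
        raise ValueError(f"expected exactly one hash, got {len(hashes)}")
    return hashes[0]


if __name__ == "__main__":
    # Constructed log line; the value is the MD5 of the EICAR test file.
    raw_log = "action=blocked file_hash=44D88612FEA8A8F36DE82E1278ABB02F user=test"
    extracted = re.findall(r"file_hash=(\w+)", raw_log)  # a list, like the extract step
    print(extracted)               # the bracketed array form
    print(single_hash(extracted))  # the bare string a hash lookup expects
```

If a step can legitimately return several hashes, loop over `to_hash_strings(...)` and look each one up separately rather than joining them with a delimiter into one input.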