IBM QRadar SOAR

  • 1.  Extract nested Json fields

    Posted Mon March 11, 2019 12:39 PM
    Hi team,

    I am currently trying to extract Json fields from the following piece of Json document:

    ***********************************
    Result:
     {'report':
      {u'task':
       {u'domURL': u'https://urlscan.io/dom/7e3058fd-730d-4668-828b-6ccc3800ebd0/',
        u'screenshotURL': u'https://urlscan.io/screenshots/7e3058fd-730d-4668-828b-6ccc3800ebd0.png',
        u'uuid': u'7e3058fd-730d-4668-828b-6ccc3800ebd0',
        u'url': u'https://www.knowbe4.com/',
        u'visibility': u'public',
        u'options': {u'useragent': u'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36'},
        u'source': u'58d285ff',
        u'time': u'2019-03-11T09:30:12.518Z',
        u'reportURL': u'https://urlscan.io/result/7e3058fd-730d-4668-828b-6ccc3800ebd0/',
        u'userAgent': u'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36',
        u'method': u'api'},
        u'stats': {u'secureRequests': 174,}}}

    *****************************************

    As you can see, some values are nested, which is fine for me if I want to extract values requiring calling up to three fields, ex: results.report.task.reportURL. But when it comes to fetching fields located beyond a 3 fields distance, ex: results.report.task.stats.secureRequests, I have the following error message:

    An error occurred while processing the action acknowledgement. Additional information: Post-processing script for Function 'Scan with urlscan.io' from Workflow 'Example: urlscan.io' was unable to complete because: 'NoneType' object has no attribute 'secureRequests'

    Note: I am customizing urlscan.io functions.
     

    I tried to use alternatives like (value['secureResquests'] for value in results.report.task.stats) but I still encounter the same problem.

    Does this ring any bells for anyone?

    Thanks in advance for your help.



    ------------------------------
    Zohra SMAIL
    ------------------------------


  • 2.  RE: Extract nested Json fields

    Posted Tue March 12, 2019 06:48 AM
    Hi,

    Note that the 'stats' key is inside report.
    Use: 
    results.get('report').get('stats').get('secureRequests')

    Regards,
    Dídac.

    ------------------------------
    Didac Cornet
    ------------------------------
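
A small diagnostic for the path problem discussed in this thread, as an added example that is not part of the original posts: it walks a dotted path through the result and reports the first segment that does not exist, together with the keys available at that level. It assumes the result is a plain Python dict; the names `SAMPLE_RESULTS`, `dig` and `explain_path` are hypothetical, and the sample is a trimmed copy of the output shown in the question.

```python
# Constructed sample: trimmed copy of the urlscan.io result from the question.
# Note that 'stats' is a sibling of 'task' under 'report', not a child of 'task'.
SAMPLE_RESULTS = {
    "report": {
        "task": {
            "uuid": "7e3058fd-730d-4668-828b-6ccc3800ebd0",
            "reportURL": "https://urlscan.io/result/7e3058fd-730d-4668-828b-6ccc3800ebd0/",
            "method": "api",
        },
        "stats": {"secureRequests": 174},
    }
}


def dig(data, path, default=None):
    """Return the value at a dotted path, or `default` if any segment is absent."""
    node = data
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def explain_path(data, path):
    """Return (value, None) on success, or (None, message) naming the first
    segment that cannot be resolved and the keys that do exist at that level."""
    node = data
    walked = []
    for key in path.split("."):
        where = ".".join(walked) or "<root>"
        if not isinstance(node, dict):
            return None, "'%s' is a %s, cannot look up '%s'" % (
                where, type(node).__name__, key)
        if key not in node:
            return None, "'%s' not found under '%s'; keys there: %s" % (
                key, where, sorted(node))
        node = node[key]
        walked.append(key)
    return node, None


if __name__ == "__main__":
    for p in ("report.task.stats.secureRequests", "report.stats.secureRequests"):
        print(p, "->", explain_path(SAMPLE_RESULTS, p))
```
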



  • 3.  RE: Extract nested Json fields

    Posted Wed March 27, 2019 05:28 AM
    Hi,

    Didn't use the "get" statements but it worked fine.

    Thanks

    Zohra

    ------------------------------
    Zohra SMAIL
    ------------------------------