Hi
Your help is needed. I came across this JSON event format:
{
  "results": [
    {
      "id": "667e8d33156b6c38232c9043",
      "name": "SQL Injection attack (S3)",
      "description": "SQL Injection attack hitting the server at HTTPS. Same IP should not appear more than once in 24 hours in this list.",
      "author_name": "BotnetExposer",
      "modified": "2024-06-28T10:15:15.199000",
      "created": "2024-06-28T10:15:15.199000",
      "revision": 1,
      "tlp": "green",
      "public": 1,
      "adversary": "",
      "indicators": [
        {
          "id": 3911822559,
          "indicator": "177.221.230.236",
          "type": "IPv4",
          "created": "2024-06-28T10:15:16",
          "content": "",
          "title": "",
          "description": "",
          "expiration": "2024-07-28T10:00:00",
          "is_active": 1,
          "role": null
        },
        {
          "id": 3912838123,
          "indicator": "201.90.79.18",
          "type": "IPv4",
          "created": "2024-06-28T10:15:16",
          "content": "",
          "title": "",
          "description": "",
          "expiration": "2024-07-28T10:00:00",
          "is_active": 1,
          "role": null
        }
      ],
      "tags": [ "tcp", "http", "sql", "mysql", "php", "honeypot", "Malicious IP", "blacklist" ],
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "references": [],
      "industries": [],
      "extract_source": [],
      "more_indicators": false
    }
  ],
  "count": 1,
  "prefetch_pulse_ids": false,
  "t": 0,
  "t2": 18.366106510162354,
  "t3": 2.127166986465454,
  "previous": null,
  "next": null
}
I use Flex JSON Multiple Folder Follower for processing, and it seems to me that the problem with my parser is these brackets: []
Here is a snippet of my parser:
trigger.node.location=/
token.count=13
token[0].name=pulse_id
token[0].type=String
token[0].location=/results/id
token[1].name=pulse_name
token[1].type=String
token[1].location=/results/name
token[2].name=pulse_description
token[2].type=String
token[2].location=/results/description
token[3].name=pulse_author_name
token[3].type=String
token[3].location=/results/author_name
token[4].name=pulse_modified
token[4].type=TimeStamp
token[4].location=/results/modified
token[5].name=pulse_created
token[5].type=TimeStamp
token[5].location=/results/created
token[6].name=indicator_id
token[6].type=String
token[6].location=/results/indicators/id
token[7].name=indicator
token[7].type=IPAddress
token[7].location=/results/indicators/indicator
token[8].name=indicator_type
token[8].type=String
token[8].location=/results/indicators/type
Please tell me: for this format, must the path to the fields be written in a slightly different way, or would it be easier to convert the result in the file into another text format (for example, CSV)?
P.S. My goal in the future is to use the received data and store it in the active list. Maybe a different format would be more appropriate for my end result, or does it not matter much?
Thanks in advance
Bohdan
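Added example, not from the post above and not ArcSight's or the Flex connector's own code: a small Python converter that turns the pulse JSON shown in the post into CSV with one row per entry of the `indicators` array, each row carrying its parent pulse's fields with a `pulse_` prefix. That is the flat shape an active list holds, and it makes the array-handling point concrete: every element inside the `[]` is a separate record, not a single field on the pulse. The embedded input is a constructed copy of the posted pulse trimmed to the fields used here, plus one deliberately malformed IPv4 entry ("not-an-ip") that is not in the original post and exists only to exercise the validation check; the `pulse_`/`indicator_` column names and the expiration filter are this example's own choices.

```python
import csv
import io
import ipaddress
import json
from datetime import datetime

# Constructed sample input: the pulse from the post, reduced to the fields used
# below, plus a third, malformed IPv4 indicator that the post does not contain
# (added here only so the validation branch is exercised).
SAMPLE_JSON = """
{
  "results": [
    {
      "id": "667e8d33156b6c38232c9043",
      "name": "SQL Injection attack (S3)",
      "description": "SQL Injection attack hitting the server at HTTPS.",
      "author_name": "BotnetExposer",
      "modified": "2024-06-28T10:15:15.199000",
      "created": "2024-06-28T10:15:15.199000",
      "tlp": "green",
      "indicators": [
        {"id": 3911822559, "indicator": "177.221.230.236", "type": "IPv4",
         "created": "2024-06-28T10:15:16", "expiration": "2024-07-28T10:00:00", "is_active": 1},
        {"id": 3912838123, "indicator": "201.90.79.18", "type": "IPv4",
         "created": "2024-06-28T10:15:16", "expiration": "2024-07-28T10:00:00", "is_active": 1},
        {"id": 1, "indicator": "not-an-ip", "type": "IPv4",
         "created": "2024-06-28T10:15:16", "expiration": "2024-07-28T10:00:00", "is_active": 1}
      ],
      "tags": ["tcp", "http", "sql", "honeypot"]
    }
  ],
  "count": 1
}
"""

# Pulse-level fields are repeated on every row; indicator-level fields vary per row.
PULSE_FIELDS = ("id", "name", "description", "author_name", "modified", "created", "tlp")
INDICATOR_FIELDS = ("id", "indicator", "type", "created", "expiration", "is_active")
COLUMNS = ([f"pulse_{k}" for k in PULSE_FIELDS] + ["pulse_tags"]
           + [f"indicator_{k}" for k in INDICATOR_FIELDS])


def flatten_pulses(doc):
    """Return one flat dict per indicator; each carries its parent pulse's fields."""
    rows = []
    for pulse in doc.get("results", []):
        base = {f"pulse_{k}": pulse.get(k, "") for k in PULSE_FIELDS}
        base["pulse_tags"] = "|".join(pulse.get("tags", []))
        for ind in pulse.get("indicators", []):
            if ind.get("type") == "IPv4":
                try:
                    ipaddress.IPv4Address(ind.get("indicator", ""))
                except ValueError:
                    continue  # drop malformed IPv4 values instead of loading junk
            row = dict(base)
            for k in INDICATOR_FIELDS:
                row[f"indicator_{k}"] = ind.get(k, "")
            rows.append(row)
    return rows


def load_rows(text):
    """Parse the JSON text and flatten it."""
    return flatten_pulses(json.loads(text))


def active_rows(rows, now_iso):
    """Keep only indicators flagged active whose expiration is still in the future."""
    now = datetime.fromisoformat(now_iso)
    keep = []
    for row in rows:
        if row["indicator_is_active"] != 1:
            continue
        exp = row["indicator_expiration"]
        if exp and datetime.fromisoformat(exp) <= now:
            continue
        keep.append(row)
    return keep


def rows_to_csv(rows):
    """Serialise flattened rows as CSV with a fixed header (quoting handled by csv)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def convert(text, now_iso):
    """JSON pulse document -> CSV of active, well-formed indicators."""
    return rows_to_csv(active_rows(load_rows(text), now_iso))


if __name__ == "__main__":
    print(convert(SAMPLE_JSON, "2024-07-01T00:00:00"))
```

Feeding the CSV into the active list (or re-pointing the Flex parser at it) is then a matter of one row per indicator with the pulse context already joined in; the expiration filter is there because the posted data carries an `expiration` on every indicator, and an IP that has already expired should not be loaded as if it were still current.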