I have these values from the events, which are of MIME file type,
but some events have 3 values, 4 values, 5 values, which is unpredictable.
I want to capture all these MIME file types in a single field.
What is the best way to do it?
Can anyone please reply?
What are you wanting to do with the information? Put it in a widget?
This looks like it's coming via Chronicle SIEM, and a YARA-L rule, in which case you could capture these values as an outcome variable, like below, in the YL2 rule itself:
mime_types = array_distinct($e.email.about.mime_type)
Otherwise, within SOAR there are probably multiple ways, but I would likely look at the Tools Get Alert Data (get the original data) and then write a custom Python Action to loop through the values and return a single object in the specific format you need for your use case.
@vanitharaj1208 Chris is right about where this came from, but depending on what you're trying to do with the information, that may change the approach here. If you are just wanting to display the information in an email or something like that, use the Tools -> Get Case Data action with the "Field to Return" parameter set to "alerts.0.securityEventCards".
Then you can pass the information into TemplateEngine -> Render Template, and in the editor you can use the following code, which should iterate through all the events and pull out a specific set of fields/values.
{% set events_var = [Tools_Get Case Data_1.JsonResult] -%}{% set events = events_var['alerts.0.securityEventCards'] -%}{% for event in events %}{% for grouped_fields in event.fields %}{% if grouped_fields.groupName == "Default" %}{% for field in grouped_fields['items'] %}{% if 'file_name' in field.name %}{{ field.value }}
{% endif %}{% endfor %}{% endif %}{% endfor %}{% endfor %}
For some reason it would not allow me to add double {{ around field.value, so add that and it should work, like the screenshot below.
In the code sample I made an assumption that the field you were looking for was called mimeType. If it is not, feel free to change it to what you're looking for. The outcome of this action will be a ScriptResult of the values from those fields. In my example below I used file_name, which is why they are file names.
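Chris's alternative of a custom Python Action that loops through the values, applied to the securityEventCards layout the template above walks, as an added example that is not code from either reply or from the Chronicle SOAR SDK. The JSON nesting, the item name `email.about.mime_type` and the sample values are assumptions constructed from the template; the SOAR action wrapper (reading the case data and returning the result) is left out.

```python
import json

# Constructed sample in the shape the template above walks:
# alerts -> 0 -> securityEventCards -> fields (groups) -> items (name/value).
# The nesting and item names are assumed from the template, not a documented schema.
SAMPLE_CASE_DATA = json.loads("""
{"alerts": [{"securityEventCards": [
  {"fields": [{"groupName": "Default", "items": [
    {"name": "email.about.mime_type", "value": "application/pdf"},
    {"name": "email.about.mime_type", "value": "image/png"},
    {"name": "email.about.mime_type", "value": "text/plain"}]}]},
  {"fields": [{"groupName": "Default", "items": [
    {"name": "email.about.mime_type", "value": "application/zip"},
    {"name": "email.about.mime_type", "value": "image/png"},
    {"name": "email.about.mime_type", "value": "application/x-msdownload"},
    {"name": "email.about.mime_type", "value": "text/html"}]},
   {"groupName": "Other", "items": [
    {"name": "email.about.mime_type", "value": "ignored/group"}]}]}
]}]}
""")


def collect_field_values(case_data, name_substring, group_name="Default"):
    """Walk every security event card of the first alert and gather the values
    of all items whose name contains name_substring. An event may carry any
    number of matching items (3, 4, 5 ...); they are accumulated into one list
    in first-seen order with duplicates dropped. Missing keys yield []."""
    seen, values = set(), []
    alerts = case_data.get("alerts") or []
    if not alerts:
        return values
    for event in alerts[0].get("securityEventCards") or []:
        for group in event.get("fields") or []:
            if group.get("groupName") != group_name:
                continue  # only the "Default" group, as in the template
            for item in group.get("items") or []:
                value = item.get("value")
                if name_substring in str(item.get("name", "")) and value not in seen:
                    seen.add(value)
                    values.append(value)
    return values


def to_single_field(values, sep=", "):
    """Join the collected values into the one string a widget or e-mail expects."""
    return sep.join(values)


if __name__ == "__main__":
    print(to_single_field(collect_field_values(SAMPLE_CASE_DATA, "mime_type")))
```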