
For events that were ingested into SOAR via the Google Chronicle - Chronicle Alerts Connector, is there a way to access the UNflattened raw event JSON data containing the UDM fields for an alert?

It appears all events are being flattened using the dict_to_flat function, which I may have found some bugs in that make unflattening very difficult if not impossible. So I'm wondering if there's another way to access the unflattened UDM data for an event, either via an API or if it gets stored away somewhere else in a property of the alert or event.

Hey @Kmart95 ,


Use action "Get Detection Details"; it has a useful predefined widget associated with it, and the JSON result will contain the unflattened version of the detection.


This is perfect, thank you.

I could see some potential issues with needing to make API calls for every alert that comes in, so I think it would still be nice to have this data saved somewhere during the ingestion process - in case you want my feedback.

But ultimately this does provide what I was looking for. Thanks.




I agree. I've seen this done by having the ability to just call the field name: principal_ip to get the list of all the values, and when you want a specific index from the array you just use principal_ip_x.

Something like this would be nice, especially when using variables.

Trying to pass all potential IPs into an action gets messy when you have to account for all possible indexes.
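To make the flattening problem from the original question and the "just ask for principal_ip" idea above concrete, here is an added example in Python. It is my own code, not the SOAR library's dict_to_flat nor any Google code; the underscore-joined, 1-based index naming and the sample event are assumptions.

```python
# Constructed sample shaped like a UDM event (not a real Chronicle record).
UDM_EVENT = {
    "metadata": {"eventType": "NETWORK_CONNECTION", "productName": "demo_fw"},
    "principal": {"hostname": "ws01", "ip": ["10.0.0.5", "10.0.0.6"]},
    "target": {"ip": ["203.0.113.9"], "port": 443},
}

def flatten(obj, prefix=""):
    # Assumed convention, not the SOAR library's code: path segments joined
    # with '_', list items numbered from 1, so principal.ip[0] -> principal_ip_1.
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = ((str(i), v) for i, v in enumerate(obj, 1))
    else:
        return {prefix: obj}
    out = {}
    for k, v in items:
        out.update(flatten(v, f"{prefix}_{k}" if prefix else str(k)))
    return out

def values_for(flat, field):
    # Collect field_1, field_2, ... in index order, so a playbook can ask for
    # "principal_ip" instead of enumerating every possible index by hand.
    found = {}
    for key, value in flat.items():
        head, _, idx = key.rpartition("_")
        if head == field and idx.isdigit():
            found[int(idx)] = value
    return [found[i] for i in sorted(found)]

def _relist(node):
    # A dict whose keys are all digits was a list before flattening.
    if not isinstance(node, dict):
        return node
    node = {k: _relist(v) for k, v in node.items()}
    if node and all(k.isdigit() for k in node):
        return [node[k] for k in sorted(node, key=int)]
    return node

def unflatten(flat):
    # Best-effort inverse: split keys on '_' and rebuild the nesting. This is
    # only reliable when no original key contains '_' (e.g. event_timestamp):
    # the separator is ambiguous, so such keys come back split apart.
    root = {}
    for key, value in flat.items():
        node = root
        *path, leaf = key.split("_")
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return _relist(root)
```

The round trip succeeds for the sample event, but a key like event_timestamp is rebuilt as metadata.event.timestamp, which is the kind of ambiguity that makes a generic unflatten unreliable.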

