Hi team,
I am trying to extract my multi_value using the OTX lookup plugin and need some help. Can someone please help me build the array for my query below? I have no clue how to build this.
My OTX array looks like this. I need an extractor for my qdomain field that extracts the malware_families array (if present) and the single_value number:
{
"single_value": 1,
"multi_value": {
"indicator": "tldrbox.ws",
"alexa": "http://www.alexa.com/siteinfo/tldrbox.ws",
"whois": "http://whois.domaintools.com/tldrbox.ws",
"type": "domain",
"pulse_info": {
"count": 1,
"references": [
"https://s.tencent.com/research/report/1006.html"
],
"pulses": [
{
"indicator_type_counts": {
"FileHash-SHA256": 30,
"domain": 3,
"URL": 21,
"FileHash-SHA1": 6,
"IPv4": 2,
"FileHash-MD5": 7
},
"pulse_source": "web",
"TLP": "white",
"description": "",
"subscriber_count": 153,
"tags": [
"filehash-md5",
"filehash-sha1",
"sha-256",
"sha-1"
],
"export_count": 4,
"malware_families": [
{
"display_name": "Avaddon",
"id": "Avaddon",
"target": null
},
{
"display_name": "Phorpiex",
"id": "Phorpiex",
"target": null
}
],
"is_modified": false,
"upvotes_count": 0,
"modified_text": "17 hours ago ",
"is_subscribing": null,
"references": [
"https://s.tencent.com/research/report/1006.html"
],
"targeted_countries": [],
"groups": [],
"vote": 0,
"validator_count": 0,
"threat_hunter_scannable": true,
"is_author": false,
"adversary": "",
"id": "5ee0e3950550f0266e82dfab",
"industries": [],
"locked": 0,
"name": "Phorpiex botnet used to deliver Avaddon ransomware",
"created": "2020-06-10T13:43:49.529000",
"threat_hunter_has_agents": 1,
"cloned_from": null,
"downvotes_count": 0,
"modified": "2020-06-10T13:43:49.529000",
"comment_count": 0,
"indicator_count": 69,
"attack_ids": [],
"in_group": false,
"follower_count": 0,
"votes_count": 0,
"author": {
"username": "343GuiltySpark",
"is_subscribed": true,
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_following": true,
"id": "91492"
},
"public": 1
}
]
},
"base_indicator": {
"indicator": "tldrbox.ws",
"description": "",
"title": "",
"access_reason": "",
"access_type": "public",
"content": "",
"type": "domain",
"id": 2267536951
},
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
]
},
"string_list_value": null,
"has_error": false,
"ttl": 9223372036854776000
}