I have a lookup table going to AlienVault OTX and I’m trying to figure out how to get the data out of the pulses with a pipeline rule. I’m able to get some of the data but not in the nested array:
{
  "single_value": 6,
  "multi_value": {
    "indicator": "170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0",
    "sections": [
      "general",
      "analysis"
    ],
    "pulse_info": {
      "count": 6,
      "references": [
        "",
        "https://www.symantec.com/security-center/writeup/2019-012908-2815-99",
        "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/"
      ],
      "pulses": [
        {
          "indicator_type_counts": {
            "FileHash-SHA256": 18,
            "FileHash-MD5": 5
          },
          "pulse_source": "web",
          "TLP": "white",
          "description": "Anatova was discovered in a private peer-to-peer (p2p) network. After initial analysis, and making sure that our customers are protected, we decided to make this discovery public.",
          "subscriber_count": 76542,
          "tags": [
            "ransomware"
          ],
          //
          // REMOVED TO SAVE SPACE
          //
      ]
    },
    "base_indicator": {
      "indicator": "170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0",
      "description": "",
      "title": "",
      "access_reason": "",
      "access_type": "public",
      "content": "",
      "type": "FileHash-SHA256",
      "id": 1609015553
    },
    "type": "sha256",
    "type_title": "FileHash-SHA256"
  },
  "ttl": 9223372036854776000
}
I am able to get the pulse count:
But I can’t quite figure out how to access the rest since “pulses” is another array under “pulse_info”. I’m thinking it has something to do with select_jsonpath but I assume I’d have to first convert it to JSON somehow?
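An added example, not part of the original post and not Graylog pipeline syntax: a Python walk over the lookup result shown above, showing where each pulse field sits under `multi_value.pulse_info.pulses[*]` and flattening the array into per-message enrichment fields. The `otx_*` field names, the `flatten_pulses` function and the second pulse in the sample are assumptions made for illustration.

```python
# Added example: flatten multi_value.pulse_info.pulses[*] from an OTX lookup result.
TLP_ORDER = ["white", "green", "amber", "red"]  # least to most restrictive

# Constructed sample in the shape shown in the post; the first pulse reuses the
# post's values, the second pulse and the None entry are invented for the demo.
SAMPLE = {
    "single_value": 6,
    "multi_value": {
        "pulse_info": {
            "count": 6,
            "pulses": [
                {"indicator_type_counts": {"FileHash-SHA256": 18, "FileHash-MD5": 5},
                 "TLP": "white", "subscriber_count": 76542, "tags": ["ransomware"]},
                {"indicator_type_counts": {"FileHash-SHA256": 2},
                 "TLP": "green", "tags": ["anatova", "ransomware"]},
                None,  # malformed entry, skipped by the walker
            ],
        },
    },
}


def flatten_pulses(lookup_result):
    """Collapse the pulses array into flat fields (hypothetical otx_* names)."""
    info = (lookup_result.get("multi_value") or {}).get("pulse_info") or {}
    pulses = info.get("pulses")
    # "pulses" is a list of objects, so every field needs a per-element loop;
    # in JSONPath terms the tags live at $.pulse_info.pulses[*].tags
    valid = [p for p in pulses if isinstance(p, dict)] if isinstance(pulses, list) else []
    tags, tlps, type_counts = set(), [], {}
    for pulse in valid:
        tags.update(t for t in (pulse.get("tags") or []) if isinstance(t, str))
        tlp = str(pulse.get("TLP", "")).lower()
        if tlp in TLP_ORDER:
            tlps.append(tlp)
        for itype, n in (pulse.get("indicator_type_counts") or {}).items():
            type_counts[itype] = type_counts.get(itype, 0) + int(n)
    return {
        "otx_pulse_count": info.get("count", 0),   # count reported by OTX
        "otx_pulses_seen": len(valid),             # pulses actually in the payload
        "otx_tags": sorted(tags),                  # de-duplicated across pulses
        "otx_tlp": max(tlps, key=TLP_ORDER.index) if tlps else None,
        "otx_indicator_types": type_counts,
    }


if __name__ == "__main__":
    print(flatten_pulses(SAMPLE))
```

A gap between `otx_pulse_count` and `otx_pulses_seen` indicates the payload was truncated or contained malformed entries, as in the shortened sample here.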