Troubleshooting Datadog SIEM notification variables referencing array elements

harlanK · April 11, 2024, 2:50pm

hello there, quick question about Datadog SIEM notification variables (https://docs.datadoghq.com/security/notifications/variables/?tab=cloudsiem)

I have some security events that have a field “target,” which is an array of different. Objects with various fields (including id). I tried using this target field in a SIEM alert message but it doesn’t display anything and I guess I am not using a correct syntax or maybe this is not supported.

Does someone know how I can specify that I want to print the parameters of the first target or for all targets, etc??

Example event:

	"target": [
		{
			"alternateId": "<mailto:test@gmail.com|test@gmail.com>",
			"displayName": "Test user",
			"id": "01uaof0g3l2Br34aad91",
			"type": "User"
		},
		{
			"alternateId": "unknown",
			"displayName": "Test group",
			"id": "11atsddoaD2a45ahd6aa",
			"type": "UserGroup"
		}
	],
    "usr": {
		"name": "Test admin",
		"id": "ssra63y2232Yu3J5y696",
		"type": "SystemPrincipal",
		"email": "<mailto:test-admin@test.com|test-admin@test.com>"
	}
}```


if I try adding something like this to a SIEM rule notification description:



```The admin {{@usr.name}} added {{@target[0].displayName}} to {{@target[1].displayName}} group.```


Only `{{@usr.name}}` gets correctly replaced in the notification, is there any way to access array elements with another syntax?

kPate · April 11, 2024, 3:41pm

Hey Fran, so I actually had the same issue as you. I’m gonna take a wild guess that this is Okta . From my understanding on how to handle these arrays you actually need to use {{@target.1.displayName}} one of the issues if you do end up wanting to use it for SIEM rules the element would need be in the same positions every time it comes through the logs which from what I’ve seen they can change

harlanK · April 11, 2024, 3:43pm

ey Chris, yes, your guess is right haha! thank you for sharing the right syntax! Do you have any advice on how to handle that problem where the objects inside of target appear in different orders?

kPate · April 11, 2024, 4:31pm

Haven’t gotten that far yet unfortunately. I was thinking of remapping it in the pipeline but the problem is it’s not always consistent where in the array something will come through under.

harlanK · April 11, 2024, 4:41pm

alright, well, thanks, I will think about it. Actually is interesting because if in the log search you make a query with @target.id:xxxx it will work… but I am not sure if it is taking the first target and only showing the logs were the first target matches the query… or if it is checking all the objects in the target

kPate · April 11, 2024, 5:08pm

If you’re not specifying which element in the array to search through it should be checking all of them.

harlanK · April 11, 2024, 5:10pm

yeah, that is was I though but is not super clear here in the docs https://docs.datadoghq.com/logs/explorer/search_syntax/#arrays