I have some security events that have a field "target", which is an array of different objects with various fields (including id). I tried using this target field in a SIEM alert message but it doesn't display anything, and I guess I am not using the correct syntax, or maybe this is not supported.
Does someone know how I can specify that I want to print the parameters of the first target, or of all targets, etc.?
Example event:
```json
{
  "target": [
    {
      "alternateId": "test@gmail.com",
      "displayName": "Test user",
      "id": "01uaof0g3l2Br34aad91",
      "type": "User"
    },
    {
      "alternateId": "unknown",
      "displayName": "Test group",
      "id": "11atsddoaD2a45ahd6aa",
      "type": "UserGroup"
    }
  ],
  "usr": {
    "name": "Test admin",
    "id": "ssra63y2232Yu3J5y696",
    "type": "SystemPrincipal",
    "email": "test-admin@test.com"
  }
}
```
If I try adding something like this to a SIEM rule notification description:
```The admin {{@usr.name}} added {{@target[0].displayName}} to {{@target[1].displayName}} group.```
Only `{{@usr.name}}` gets correctly replaced in the notification. Is there any way to access array elements with another syntax?
Hey Fran, so I actually had the same issue as you. I'm gonna take a wild guess that this is Okta. From my understanding of how to handle these arrays, you actually need to use `{{@target.1.displayName}}`. One of the issues, if you do end up wanting to use it for SIEM rules, is that the element would need to be in the same position every time it comes through the logs, which from what I've seen can change.
Hey Chris, yes, your guess is right haha! Thank you for sharing the right syntax! Do you have any advice on how to handle that problem where the objects inside of target appear in different orders?
Haven't gotten that far yet, unfortunately. I was thinking of remapping it in the pipeline, but the problem is it's not always consistent where in the array something will come through.
Alright, well, thanks, I will think about it. Actually, it is interesting, because if in the log search you make a query with `@target.id:xxxx` it will work... but I am not sure if it is taking the first target and only showing the logs where the first target matches the query, or if it is checking all the objects in the target.
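As an added example (my own code, not posted by anyone in this thread and not the template engine of any particular SIEM), here is a small resolver that makes the two points above concrete: how a dotted placeholder like `{{@target.1.displayName}}` is walked (with a numeric segment indexing into the array), why a positional reference breaks when the target objects arrive in a different order, and what the "remap in the pipeline" idea looks like when the array is re-keyed by each object's `type`. The event is a constructed copy of the one posted above with the two target objects deliberately swapped; the function names and the `target_by_type` field are made up for illustration. The `any_target_matches` helper is one possible reading of an `@target.id:xxxx` filter (match any element), included to show the difference between "first element" and "any element" semantics, not as a statement about how the product evaluates it.

```python
import re
from typing import Any, Dict

# Constructed sample: the event from the thread, with the two target objects
# listed in the opposite order to the original post, to show why positional
# references such as target.0 / target.1 are fragile.
SAMPLE_EVENT: Dict[str, Any] = {
    "target": [
        {"alternateId": "unknown", "displayName": "Test group",
         "id": "11atsddoaD2a45ahd6aa", "type": "UserGroup"},
        {"alternateId": "test@gmail.com", "displayName": "Test user",
         "id": "01uaof0g3l2Br34aad91", "type": "User"},
    ],
    "usr": {"name": "Test admin", "id": "ssra63y2232Yu3J5y696",
            "type": "SystemPrincipal", "email": "test-admin@test.com"},
}

# Only the dotted form is recognised; {{@target[0].displayName}} is left as-is,
# which mirrors the behaviour described in the thread.
_PLACEHOLDER = re.compile(r"\{\{@([A-Za-z0-9_.]+)\}\}")


def resolve(event: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as 'target.1.displayName'.

    A purely numeric segment indexes into a list; any other segment is a dict
    key. Returns None instead of raising when the path does not exist, so a
    bad reference degrades to an empty string in the rendered message.
    """
    node: Any = event
    for seg in path.split("."):
        if isinstance(node, list) and seg.isdigit():
            idx = int(seg)
            node = node[idx] if idx < len(node) else None
        elif isinstance(node, dict):
            node = node.get(seg)
        else:
            return None
        if node is None:
            return None
    return node


def render(template: str, event: Dict[str, Any]) -> str:
    """Replace every {{@path}} placeholder with the resolved value."""
    def _sub(m: "re.Match[str]") -> str:
        value = resolve(event, m.group(1))
        return "" if value is None else str(value)
    return _PLACEHOLDER.sub(_sub, template)


def index_targets_by_type(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pipeline-style remap into a hypothetical 'target_by_type' field.

    Re-keys the target array by each object's 'type' so a template can say
    {{@target_by_type.User.displayName}} regardless of array order. If two
    objects share a type they are kept together as a list under that key.
    """
    by_type: Dict[str, Any] = {}
    for obj in event.get("target", []):
        t = obj.get("type", "unknown")
        if t in by_type:
            existing = by_type[t]
            by_type[t] = existing + [obj] if isinstance(existing, list) else [existing, obj]
        else:
            by_type[t] = obj
    return {**event, "target_by_type": by_type}


def any_target_matches(event: Dict[str, Any], field: str, value: str) -> bool:
    """'Any element' reading of a filter like @target.id:<value> (assumption)."""
    return any(obj.get(field) == value for obj in event.get("target", []))


if __name__ == "__main__":
    # Positional template as written in the question: wrong once the order flips.
    positional = ("The admin {{@usr.name}} added {{@target.0.displayName}} "
                  "to {{@target.1.displayName}} group.")
    print(render(positional, SAMPLE_EVENT))
    # Type-keyed template: correct for either order.
    typed = ("The admin {{@usr.name}} added {{@target_by_type.User.displayName}} "
             "to {{@target_by_type.UserGroup.displayName}} group.")
    print(render(typed, index_targets_by_type(SAMPLE_EVENT)))
```

Run it and the positional template renders "added Test group to Test user group" for the swapped event, while the type-keyed template renders "added Test user to Test group group" in both orders; whether a real pipeline can apply such a remap, and what the SIEM actually does for `@target.id:xxxx`, still has to be checked against that product's documentation.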