
I need to combine values from 2 JSONs:

If there is a match in alert IDs, I need to create a structure that takes data from both JSONs. I need to find out how to get to those properties nested in arrays deep in the JSON, like entities (JSON2) and devices (JSON2).

Result for a match should look like:

$array = @()
$hashtable = @{}
$hashtable.AlertID (does not matter what JSON is it from)
$hashtable.Tags (from JSON 1)
$hashtable.IncidentName (from JSON2)
$hashtable.IncidentID (from JSON2)
$hashtable.entities (from JSON2)
$hashtable.devices (from JSON2)
$array += $hashtable

I need to loop through entities and display all non-empty values there.

My goal is to understand how to deal with nested array values in JSON.

Loop through them without the upper foreach loop going through the nested loops multiple times.

I would prefer if this were done with a C-style PowerShell loop.

C-style for loop = for ($x = 0; $x -lt $array.Count; $x++)

JSON 1:

[
    {
        "Status":  "Active",
        "IncidentId":  "3",
        "tags":  "SINC0008009",
        "AlertId":  [
                        "da637563185629568182_-638872186",
                        "da637563185631732095_1120592736",
                        "da637563185706412029_-614525914",
                        "da637563185760439486_-276692370",
                        "da637563185856325888_-1949235651",
                        "da637563186785996176_2128073884",
                        "da637563186789897000_1239551047",
                        "da637563186806513555_1512241399",
                        "da637563193194338043_-244132089"
                    ],
        "severity":  "Medium"
    },
    {
        "Status":  "Active",
        "IncidentId":  "4",
        "tags":  "SINC0008008",
        "AlertId":  [
                        "da637643650725801726_1735022501",
                        "da637643650741237104_1473290917",
                        "da637643650748739479_-40211355",
                        "da637643652767933265_-1887823168",
                        "da637643670830160376_-443360743"
                    ],
        "severity":  "Medium"
    },
    {
        "Status":  "Active",
        "IncidentId":  "2",
        "tags":  null,
        "AlertId":  [
                        "caD76232A5-F386-3C5D-94CD-7C82A7F778DC"
                    ],
        "severity":  "Medium"
    },
    {
        "Status":  "Active",
        "IncidentId":  "1",
        "tags":  null,
        "AlertId":  [
                        "ca6534FF45-D62A-3FB7-BD6B-FF5029C553DB"
                    ],
        "severity":  "Medium"
    }
]

JSON2:

{
  "value": [
    {
      "incidentId": 3,
      "incidentName": "Multi-stage incident involving Initial access & Discovery on one endpoint",
      "status": "Active",
      "severity": "Medium",
      "tags": ["SINC0000001"],
      "comments": [],
      "alerts": [
        {
          "alertId": "da637563185629568182_-638872186",
          "incidentId": 3,
          "description": "A suspicious PowerShell activity was observed on the machine. ",
          "status": "New",
          "severity": "Medium",
          "devices": [
            {
              "deviceDnsName": "xxxxx"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "accountName": "xxxxxx",
              "userPrincipalName": "xxx@xx.xx"
            },
            {
              "entityType": "Process"
            },
            {
              "entityType": "Process",
              "verdict": "Suspicious"
            },
            {
              "entityType": "File"
            }
          ]
        },
        {
          "alertId": "da637563185631732095_1120592736",
          "incidentId": 3,
          "devices": [
            {
              "osPlatform": "Windows10",
              "version": "1909"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "remediationStatus": "None"
            }
          ]
        }
      ]
    },
    {
      "incidentId": 4,
      "incidentName": "Multi-stage incident involving Initial access & Discovery on one endpoint",
      "status": "Active",
      "severity": "Medium",
      "tags": ["SINC0000002"],
      "comments": [],
      "alerts": [
        {
          "alertId": "da637563185629568182_-638872186",
          "incidentId": 3,
          "description": "A suspicious PowerShell activity was observed on the machine. ",
          "status": "New",
          "severity": "Medium",
          "devices": [
            {
              "deviceDnsName": "xxxxx"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "accountName": "xxxxxx",
              "userPrincipalName": "xxx@xx.xx"
            },
            {
              "entityType": "Process"
            },
            {
              "entityType": "Process",
              "verdict": "Suspicious"
            },
            {
              "entityType": "File"
            }
          ]
        },
        {
          "alertId": "da637563185631732095_1120592736",
          "incidentId": 3,
          "devices": [
            {
              "osPlatform": "Windows10",
              "version": "1909"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "remediationStatus": "None"
            }
          ]
        }
      ]
    }  
  ]
}

Thanks for suggestions. Aster

aster007
Isn't that actually the same question as this one: [Powershell Iterate through multidimensional array of hashtables to find a match and combine values from both arrays](https://stackoverflow.com/q/68838145/9196560)? – Olaf Aug 22 '21 at 11:43

Hello Olaf, if you look into the comments, I am looking into how to get the entities out. The colleague who has answered a new question has asked me to open a new question for this. – aster007 Aug 22 '21 at 11:46

0 Answers
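One way to do the join and the nested walk the question describes, as an added PowerShell example that is not from the question or from any answer. It assumes trimmed, constructed copies of the two JSON shapes (alert IDs reused from the question, the other values placeholders), indexes JSON 1 by alert ID so the join is one lookup per alert, and then walks each match's entities with C-style loops, printing only non-empty properties.

```powershell
# Added example, not from the question: join two constructed JSON documents on alert ID
# and list the non-empty properties of each matching alert's nested entities.
$json1 = @'
[ { "IncidentId": "3", "tags": "SINC0008009",
    "AlertId": [ "da637563185629568182_-638872186", "da637563185631732095_1120592736" ] },
  { "IncidentId": "2", "tags": null, "AlertId": [ "caD76232A5-F386-3C5D-94CD-7C82A7F778DC" ] } ]
'@
$json2 = @'
{ "value": [ { "incidentId": 3, "incidentName": "Multi-stage incident (constructed)", "alerts": [
    { "alertId": "da637563185629568182_-638872186",
      "devices":  [ { "deviceDnsName": "host01.example" } ],
      "entities": [ { "entityType": "User", "accountName": "alice", "sid": null },
                    { "entityType": "Process", "verdict": "Suspicious" } ] } ] } ] }
'@
$j1 = @($json1 | ConvertFrom-Json)                 # array of incidents (JSON 1)
$j2 = @(($json2 | ConvertFrom-Json).value)         # array of incidents (JSON 2)

# Index JSON 1 by alert ID once, so the join is a single lookup per alert instead of a nested scan
$tagsByAlert = @{}
for ($i = 0; $i -lt $j1.Count; $i++) {
    $ids = @($j1[$i].AlertId)                      # @() keeps a one-element list indexable
    for ($k = 0; $k -lt $ids.Count; $k++) { $tagsByAlert[$ids[$k]] = $j1[$i].tags }
}

$array = @()
for ($i = 0; $i -lt $j2.Count; $i++) {
    $alerts = @($j2[$i].alerts)
    for ($a = 0; $a -lt $alerts.Count; $a++) {
        $alert = $alerts[$a]
        if (-not $tagsByAlert.ContainsKey($alert.alertId)) { continue }   # no match in JSON 1
        $array += @{ AlertID = $alert.alertId; Tags = $tagsByAlert[$alert.alertId]
                     IncidentName = $j2[$i].incidentName; IncidentID = $j2[$i].incidentId
                     entities = @($alert.entities); devices = @($alert.devices) }
    }
}

# Each match is visited exactly once; the inner loops only descend into that match's own entities
for ($m = 0; $m -lt $array.Count; $m++) {
    "Alert $($array[$m].AlertID)  tag=$($array[$m].Tags)  incident=$($array[$m].IncidentID)"
    for ($e = 0; $e -lt $array[$m].entities.Count; $e++) {
        $props = @($array[$m].entities[$e].PSObject.Properties)
        for ($p = 0; $p -lt $props.Count; $p++) {
            if (-not [string]::IsNullOrEmpty($props[$p].Value)) {
                "  entity[$e] $($props[$p].Name) = $($props[$p].Value)"
            }
        }
    }
}
```

The `@(...)` wrappers matter: a one-element JSON array or a single entity would otherwise be unwrapped to a scalar, and indexing a string with `[0]` returns its first character rather than the alert ID.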