Hi team,
I want to run "Execute custom query" from the Microsoft365Defender integration. The query is:
EmailEvents | where Subject contains "testvalue".
This query returns a result table which has rows and columns in JSON format.
For example,
row1 {col1:val1, col2:val2,..}, row2{col1:val1, col2:val2,..},row...
DeliveryLocation is one of the column names from the JSON result.
I need to check whether DeliveryLocation=Inbox/folder and, for each row where this condition is met, remediate those mails accordingly.
I exported the JSON result of this action and imported it in the IDE for this integration.
How can I iterate through each row from the JSON result and fetch DeliveryLocation?
In the placeholder of the condition, check for DeliveryLocation and remediate particular emails in every row where DeliveryLocation=Inbox/folder.
Thanks,
Tejaswini
You can accomplish this with the Expression Builder. It will allow you to filter the objects in the list and return the objects that match. Below is an example where I want to return the AlertId of each object in the list if the Severity is Medium. The Expression Builder will return a comma-separated string of AlertIds since I chose to return the AlertId attribute.
For your use case, your filter would look something like this: filter("DeliveryLocation", "=", "Inbox/folder"). You can use the Run button to verify your expression before moving on. From there you can return what makes sense for the next action in the use case.
Here's some additional documentation around the expression builder:
Thanks @Kyle_M. As I mentioned, how can I remediate multiple emails (add "Delete mail" action) wherever DeliveryLocation=Inbox/folder?
@Tejaswini139 I would need more details to give you an exact answer, but normally you would add the delete email action to the playbook. The parameter for the mailboxes to delete from usually takes a comma-separated list, so you can click on the placeholder icon to leverage the expression builder to filter out the JSON data and return a comma-separated list. You can try the filter I mentioned in my response, but you will need to validate it and return the field that holds the mailbox.
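
As an added illustration that is not part of the thread above: the same filter-and-return step the Expression Builder performs, written in Python over a constructed sample of the query result. The result shape (a list of row objects) and the choice of RecipientEmailAddress and NetworkMessageId as the fields to return are assumptions; validate them against your own exported JSON.

```python
import json
from collections import OrderedDict

# Constructed sample of the "Execute custom query" JSON result (assumed shape:
# a list of row objects keyed by EmailEvents column name).
SAMPLE_RESULT = json.dumps([
    {"NetworkMessageId": "msg-0001", "RecipientEmailAddress": "alice@example.com",
     "Subject": "testvalue invoice", "DeliveryLocation": "Inbox/folder"},
    {"NetworkMessageId": "msg-0002", "RecipientEmailAddress": "bob@example.com",
     "Subject": "testvalue invoice", "DeliveryLocation": "Quarantine"},
    {"NetworkMessageId": "msg-0003", "RecipientEmailAddress": "Alice@example.com",
     "Subject": "re: testvalue", "DeliveryLocation": "inbox/folder "},
    {"NetworkMessageId": "msg-0004", "RecipientEmailAddress": "carol@example.com",
     "Subject": "testvalue"},  # row with no DeliveryLocation column
])


def rows_delivered_to(result_json, location="Inbox/folder"):
    """Return the rows whose DeliveryLocation equals `location`.

    The comparison ignores case and surrounding whitespace (a tolerance added
    here); rows missing the column are skipped rather than raising.
    """
    rows = json.loads(result_json)
    if isinstance(rows, dict):          # tolerate a single row object
        rows = [rows]
    wanted = location.strip().lower()
    return [r for r in rows
            if str(r.get("DeliveryLocation") or "").strip().lower() == wanted]


def csv_of(rows, field):
    """Comma-separated, de-duplicated values of `field`, in first-seen order."""
    seen = OrderedDict()
    for r in rows:
        value = str(r.get(field) or "").strip()
        if value:
            seen.setdefault(value.lower(), value)
    return ",".join(seen.values())


if __name__ == "__main__":
    hits = rows_delivered_to(SAMPLE_RESULT)
    print("mailboxes:", csv_of(hits, "RecipientEmailAddress"))
    print("messages: ", csv_of(hits, "NetworkMessageId"))
```

Reviewing the two comma-separated strings before wiring them into a delete action shows exactly which mailboxes and messages the remediation step would touch.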