Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Retrieve JSON Data from an Advanced Threat Defense Report

When Advanced Threat Defense is called by a rule on Web Gateway to scan a web object, the scanning result is stored as the value of the Antimalware.MATD.Report property.

The result is provided as a string that has the elements of the result arranged in JSON style. It can be converted into a JSON element, using the JSON.ReadFromString property. This property takes the AntiMalware.MATD.Report property as a parameter.

The JSON element can then be set as the value of a user-defined property.

The rule that uses these properties could look as follows:

Set value of JSON type user defined property to Advanced Threat Defense report
Criteria         Action         Event
Always        –> Continue     – Set User-Defined.myjsonmatdreport = JSON.ReadFromString

You can retrieve the data of the result using the JSON.GetByName property and, for example, write it into a log file.

Write JSON data from Advanced Threat Defense report into log file
Criteria         Action         Event
Always        –> Continue     – FileSystemLogging.WriteLogEntry(GetByName(User-Defined.myjsonmatdreport,
                                "Summary")<AdvancedThreat DefenseLog>

In the event of this rule, "Summary" is the key of a JSON element that has the data of a scanning result as its
value. This key and its value are contained in a JSON object, which is the value of the Antimalware.MATD.Report property.

The structure of the JSON object is shown in the following.

It contains several embedded objects. The element keys are the ones that are actually used in a report, while the values are examples.

Report: {"Summary":
                                          [{"Engine": "GAM engine",
                                            "MalwareName": "EICAR test file",
                                            "Severity": "5"
                                           {"Severity": "5",
                                            "Description": "Subject is malicious"
                            "Stats":      [{"ID": "0",
                                            "Category": "Persistence, Installation Boot
                                            "Severity": "5"
  • Was this article helpful?