Retrieve JSON Data from an Advanced Threat Defense Report
When Advanced Threat Defense is called by a rule on Web Gateway to scan a web object, the scanning result is stored as the value of the Antimalware.MATD.Report property.
The result is provided as a string in which the elements of the result are arranged in JSON style. It can be converted into a JSON element using the JSON.ReadFromString property, which takes the Antimalware.MATD.Report property as its parameter.
The JSON element can then be set as the value of a user-defined property.
The rule that uses these properties could look as follows:
Name: Set value of JSON type user-defined property to Advanced Threat Defense report
Criteria: Always
Action: Continue
Event: Set User-Defined.myjsonmatdreport = JSON.ReadFromString(Antimalware.MATD.Report)
You can retrieve the data of the result using the JSON.GetByName property and, for example, write it into a log file.
Name: Write JSON data from Advanced Threat Defense report into log file
Criteria: Always
Action: Continue
Event: FileSystemLogging.WriteLogEntry(JSON.GetByName(User-Defined.myjsonmatdreport, "Summary"))<AdvancedThreatDefenseLog>
In the event of this rule, "Summary" is the key of a JSON element that has the data of a scanning result as its value. This key and its value are contained in a JSON object, which is the value of the Antimalware.MATD.Report property.
The structure of the JSON object is shown below.
It contains several embedded objects. The element keys are the ones that are actually used in a report, while the values are examples.
Report: {
  "Summary": {
    "Selectors": [
      {"Engine": "GAM engine", "MalwareName": "EICAR test file", "Severity": "5"}
    ],
    "Verdict": {"Severity": "5", "Description": "Subject is malicious"},
    "Stats": [
      {"ID": "0", "Category": "Persistence, Installation Boot Survival", "Severity": "5"}
    ]
  }
}
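The two rules above parse the report string and then pull the "Summary" element out of it for logging. The following Python is an added example, not Web Gateway's own rule engine code: read_from_string and get_by_name model the behaviour of the JSON.ReadFromString and JSON.GetByName properties, summarize shows which fields a follow-up rule would typically act on, and log_entry formats the line the logging event would write. The report string is constructed here from the structure shown on this page, and an empty or truncated report is handled rather than raised, since a scanner time-out can leave the property without valid JSON.

```python
import json
from typing import Optional

# Constructed sample report string, mirroring the structure shown on the page
# (values are illustrative, not a real Advanced Threat Defense result).
SAMPLE_REPORT = json.dumps({
    "Summary": {
        "Selectors": [
            {"Engine": "GAM engine", "MalwareName": "EICAR test file", "Severity": "5"}
        ],
        "Verdict": {"Severity": "5", "Description": "Subject is malicious"},
        "Stats": [
            {"ID": "0", "Category": "Persistence, Installation Boot Survival", "Severity": "5"}
        ],
    }
})


def read_from_string(report: str) -> Optional[dict]:
    """Counterpart of JSON.ReadFromString: parse the report string, or return
    None when it is not a JSON object (empty, truncated, or a bare array)."""
    try:
        value = json.loads(report)
    except (json.JSONDecodeError, TypeError):
        return None
    return value if isinstance(value, dict) else None


def get_by_name(obj: Optional[dict], key: str):
    """Counterpart of JSON.GetByName: the element stored under key, or None."""
    if not isinstance(obj, dict):
        return None
    return obj.get(key)


def summarize(report: str) -> dict:
    """Extract the fields a rule would act on: verdict severity as an int,
    the verdict text, and the malware names reported by the selectors."""
    summary = get_by_name(read_from_string(report), "Summary")
    if summary is None:
        return {"parsed": False, "severity": None, "verdict": "", "malware": []}
    verdict = get_by_name(summary, "Verdict") or {}
    selectors = get_by_name(summary, "Selectors") or []
    try:
        severity = int(verdict.get("Severity"))  # the report stores it as a string
    except (TypeError, ValueError):
        severity = None
    return {
        "parsed": True,
        "severity": severity,
        "verdict": verdict.get("Description", ""),
        "malware": [s.get("MalwareName") for s in selectors
                    if isinstance(s, dict) and s.get("MalwareName")],
    }


def log_entry(report: str) -> str:
    """Format the line the FileSystemLogging event would write: the whole
    Summary element as compact JSON, or a marker when the report is unusable."""
    summary = get_by_name(read_from_string(report), "Summary")
    if summary is None:
        return "atd_report=unparseable"
    return "atd_summary=" + json.dumps(summary, separators=(",", ":"))


if __name__ == "__main__":
    print(log_entry(SAMPLE_REPORT))
    print(summarize(SAMPLE_REPORT))
    print(log_entry('{"Summary": '))  # truncated report is logged as such
```

Writing the unparseable marker rather than dropping the entry keeps the log honest about scans that returned no usable verdict, which is the case an analyst most wants to see.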