Creating a comment that includes all results of .match

Chelsie August 28, 2023

I'm trying to add a comment to a Jira ticket with a variable that contains all results of .match

Using the result from an HTTP GET to VirusTotal, I was able to build a smart variable that contains this data. I did this first because each vendor (PrecisionSec, PhishLabs, SecureBrain) has a unique dot walk, so I needed to hardcode the names, one by one, to get the result.

{{webResponse.body.data.attributes.last_analysis_results.PrecisionSec.category}}

My issue is, when I use .match against the resulting data, I'm only getting one "*vendor*:harmless" added to the comment or audit log. This will be changed to malicious once I can validate everything is working as expected. If I need to convert to a list, or iterate over it as an array some other way, I'm not sure how.

https://regex101.com/r/xra4Xb/1

Regex I'm using: 

(\*\w+:\*\s+harmless)+

Data:

VTDomainMalVendors: *Antiy-AVL*: malicious, *Kaspersky:* harmless, *Avira:* harmless, *Bkav:* undetected, *CMC Threat Intelligence:* harmless, *Snort IP sample list:* harmless, *0xSI_f33d:* undetected, *ViriBack:* harmless, *PhishLabs:* undetected, *K7AntiVirus:* harmless, *CINS Army.:* harmless, *Quttera:* harmless, *PrecisionSec:* undetected, *OpenPhish:* harmless, *VX Vault:* harmless, *ArcSight Threat Intelligence:* undetected, *AlienVault:* harmless, *Sophos:* harmless, *Phishtank:* harmless, *Cyan:* undetected, *Spam404:* harmless, *SecureBrain:* harmless, *CRDF:* harmless, *Fortinet:* harmless, *alphaMountain.ai:* , *Lionic:* harmless, *Cyble:* harmless, *Seclookup:* harmless, *Xcitium Verdict Cloud:* harmless, *Google Safebrowsing:* harmless, *SafeToOpen:* undetected, *ADMINUSLabs:* harmless, *ESTsecurity:* harmless, *Juniper Networks:* harmless, *Heimdal Security:* harmless, *AutoShun:* undetected, *Trustwave:* harmless, *AICC (MONITORAPP:* harmless, *CyRadar:* harmless, *Dr.Web:* , *Emsisoft:* harmless, *Abusix:* harmless, *Webroot:* harmless, *securolytics:* harmless, *AlphaSOC:* undetected, *Acronis:* harmless, *Quick Heal:* harmless, *URLQuery:* undetected, *Viettel Threat Intelligence* harmless, *DNS8:* harmless, *benkow.cc* , *EmergingThreats:* harmless, *Chong Lua Dao:* harmless, *Yandex Safebrowsing:* harmless, *Lumu:* undetected, *zvelo:* undetected, *Bfore.Ai PreCrime:* , *BitDefender:* harmless, *Blueliv:* harmless, *Certego:* harmless, *desenmascara.me:* , *ESET:* harmless, *Forcepoint ThreatSeeker:* harmless, *G-Data:* harmless, *GreenSnow:* harmless, *IPsum:* harmless, *Malwared:* harmless, *MalwarePatrol:* harmless, *malwares.com URL checker:* , *Phishing Database:* harmless, *PREBYTES:* harmless, *Scantitan:* harmless, *SCUMWARE.org:* , *SOCRadar:* harmless, *StopForumSpam:* harmless, *Sucuri SiteCheck:* harmless, *ThreatHive:* harmless, *Threatsourcing:* harmless, *URLhaus:* harmless, *ZeroCERT:* harmless, *Cluster25:* undetected, 
*Criminal IP:* undetected, *CrowdSec:* undetected, *Netcraft:* undetected, *PhishFort:* undetected, *Segasec:* undetected, *VIPRE:* undetected


The result is one capture group and multiple matches. How do I display the multiple matches in one comment?

Thank you kindly.

1 answer

1 accepted

2 votes
Answer accepted
Bill Sheboy
Rising Star
August 28, 2023

Hi Chelsie, 

Would you please show the automation rule details, including the action where you are using the match() call?  That context will help the community to offer suggestions.  Thanks!

Until we see that...my understanding is the regular expression parsing for automation rules is based on Java's Pattern class but they do not indicate what is / is not actually supported.  Perhaps try a simpler expression first, writing the results to the audit log, and use that to build up to a workable expression.

Kind regards,
Bill

Chelsie August 28, 2023

Sure, this is the response body extraction into a variable.

[Screenshot 2023-08-28 125638.png]

Smart value:
*Antiy-AVL*: {{webResponse.body.data.attributes.last_analysis_results.Antiy-AVL.category}}, *Kaspersky:* {{webResponse.body.data.attributes.last_analysis_results.Kaspersky.category}}, *Avira:* {{webResponse.body.data.attributes.last_analysis_results.Avira.category}}, *Bkav:* {{webResponse.body.data.attributes.last_analysis_results.Bkav.category}}, *CMC Threat Intelligence:* {{webResponse.body.data.attributes.last_analysis_results.CMC Threat Intelligence.category}}, *Snort IP sample list:* {{webResponse.body.data.attributes.last_analysis_results.Snort IP sample list.category}}, *0xSI_f33d:* {{webResponse.body.data.attributes.last_analysis_results.0xSI_f33d.category}}, *ViriBack:* {{webResponse.body.data.attributes.last_analysis_results.ViriBack.category}}, *PhishLabs:* {{webResponse.body.data.attributes.last_analysis_results.PhishLabs.category}}, *K7AntiVirus:* {{webResponse.body.data.attributes.last_analysis_results.K7AntiVirus.category}}, *CINS Army.:* {{webResponse.body.data.attributes.last_analysis_results.CINS Army.category}}, *Quttera:* {{webResponse.body.data.attributes.last_analysis_results.Quttera.category}}, *PrecisionSec:* {{webResponse.body.data.attributes.last_analysis_results.PrecisionSec.category}}, *OpenPhish:* {{webResponse.body.data.attributes.last_analysis_results.OpenPhish.category}}, *VX Vault:* {{webResponse.body.data.attributes.last_analysis_results.VX Vault.category}}, *ArcSight Threat Intelligence:* {{webResponse.body.data.attributes.last_analysis_results.ArcSight Threat Intelligence.category}}, *AlienVault:* {{webResponse.body.data.attributes.last_analysis_results.AlienVault.category}}, *Sophos:* {{webResponse.body.data.attributes.last_analysis_results.Sophos.category}}, *Phishtank:* {{webResponse.body.data.attributes.last_analysis_results.Phishtank.category}}, *Cyan:* {{webResponse.body.data.attributes.last_analysis_results.Cyan.category}}, *Spam404:* {{webResponse.body.data.attributes.last_analysis_results.Spam404.category}}, 
*SecureBrain:* {{webResponse.body.data.attributes.last_analysis_results.SecureBrain.category}}, *CRDF:* {{webResponse.body.data.attributes.last_analysis_results.CRDF.category}}, *Fortinet:* {{webResponse.body.data.attributes.last_analysis_results.Fortinet.category}}, *alphaMountain.ai:* {{webResponse.body.data.attributes.last_analysis_results.alphaMountain.ai.category}}, *Lionic:* {{webResponse.body.data.attributes.last_analysis_results.Lionic.category}}, *Cyble:* {{webResponse.body.data.attributes.last_analysis_results.Cyble.category}}, *Seclookup:* {{webResponse.body.data.attributes.last_analysis_results.Seclookup.category}}, *Xcitium Verdict Cloud:* {{webResponse.body.data.attributes.last_analysis_results.Xcitium Verdict Cloud.category}}, *Google Safebrowsing:* {{webResponse.body.data.attributes.last_analysis_results.Google Safebrowsing.category}}, *SafeToOpen:* {{webResponse.body.data.attributes.last_analysis_results.SafeToOpen.category}}, *ADMINUSLabs:* {{webResponse.body.data.attributes.last_analysis_results.ADMINUSLabs.category}}, *ESTsecurity:* {{webResponse.body.data.attributes.last_analysis_results.ESTsecurity.category}}, *Juniper Networks:* {{webResponse.body.data.attributes.last_analysis_results.Juniper Networks.category}}, *Heimdal Security:* {{webResponse.body.data.attributes.last_analysis_results.Heimdal Security.category}}, *AutoShun:* {{webResponse.body.data.attributes.last_analysis_results.AutoShun.category}}, *Trustwave:* {{webResponse.body.data.attributes.last_analysis_results.Trustwave.category}}, *AICC (MONITORAPP:* {{webResponse.body.data.attributes.last_analysis_results.AICC (MONITORAPP).category}}, *CyRadar:* {{webResponse.body.data.attributes.last_analysis_results.CyRadar.category}}, *Dr.Web:* {{webResponse.body.data.attributes.last_analysis_results.Dr.Web.category}}, *Emsisoft:* {{webResponse.body.data.attributes.last_analysis_results.Emsisoft.category}}, *Abusix:* 
{{webResponse.body.data.attributes.last_analysis_results.Abusix.category}}, *Webroot:* {{webResponse.body.data.attributes.last_analysis_results.Webroot.category}}, *securolytics:* {{webResponse.body.data.attributes.last_analysis_results.securolytics.category}}, *AlphaSOC:* {{webResponse.body.data.attributes.last_analysis_results.AlphaSOC.category}}, *Acronis:* {{webResponse.body.data.attributes.last_analysis_results.Acronis.category}}, *Quick Heal:* {{webResponse.body.data.attributes.last_analysis_results.Quick Heal.category}}, *URLQuery:* {{webResponse.body.data.attributes.last_analysis_results.URLQuery.category}}, *Viettel Threat Intelligence* {{webResponse.body.data.attributes.last_analysis_results.Viettel Threat Intelligence.category}}, *DNS8:* {{webResponse.body.data.attributes.last_analysis_results.DNS8.category}}, *benkow.cc* {{webResponse.body.data.attributes.last_analysis_results.benkow.cc.category}}, *EmergingThreats:* {{webResponse.body.data.attributes.last_analysis_results.EmergingThreats.category}}, *Chong Lua Dao:* {{webResponse.body.data.attributes.last_analysis_results.Chong Lua Dao.category}}, *Yandex Safebrowsing:* {{webResponse.body.data.attributes.last_analysis_results.Yandex Safebrowsing.category}}, *Lumu:* {{webResponse.body.data.attributes.last_analysis_results.Lumu.category}}, *zvelo:* {{webResponse.body.data.attributes.last_analysis_results.zvelo.category}}, *Bfore.Ai PreCrime:* {{webResponse.body.data.attributes.last_analysis_results.Bfore.Ai PreCrime.category}}, *BitDefender:* {{webResponse.body.data.attributes.last_analysis_results.BitDefender.category}}, *Blueliv:* {{webResponse.body.data.attributes.last_analysis_results.Blueliv.category}}, *Certego:* {{webResponse.body.data.attributes.last_analysis_results.Certego.category}}, *desenmascara.me:* {{webResponse.body.data.attributes.last_analysis_results.desenmascara.me.category}}, *ESET:* {{webResponse.body.data.attributes.last_analysis_results.ESET.category}}, *Forcepoint ThreatSeeker:* 
{{webResponse.body.data.attributes.last_analysis_results.Forcepoint ThreatSeeker.category}}, *G-Data:* {{webResponse.body.data.attributes.last_analysis_results.G-Data.category}}, *GreenSnow:* {{webResponse.body.data.attributes.last_analysis_results.GreenSnow.category}}, *IPsum:* {{webResponse.body.data.attributes.last_analysis_results.IPsum.category}}, *Malwared:* {{webResponse.body.data.attributes.last_analysis_results.Malwared.category}}, *MalwarePatrol:* {{webResponse.body.data.attributes.last_analysis_results.MalwarePatrol.category}}, *malwares.com URL checker:* {{webResponse.body.data.attributes.last_analysis_results.malwares.com URL checker.category}}, *Phishing Database:* {{webResponse.body.data.attributes.last_analysis_results.Phishing Database.category}}, *PREBYTES:* {{webResponse.body.data.attributes.last_analysis_results.PREBYTES.category}}, *Scantitan:* {{webResponse.body.data.attributes.last_analysis_results.Scantitan.category}}, *SCUMWARE.org:* {{webResponse.body.data.attributes.last_analysis_results.SCUMWARE.org.category}}, *SOCRadar:* {{webResponse.body.data.attributes.last_analysis_results.SOCRadar.category}}, *StopForumSpam:* {{webResponse.body.data.attributes.last_analysis_results.StopForumSpam.category}}, *Sucuri SiteCheck:* {{webResponse.body.data.attributes.last_analysis_results.Sucuri SiteCheck.category}}, *ThreatHive:* {{webResponse.body.data.attributes.last_analysis_results.ThreatHive.category}}, *Threatsourcing:* {{webResponse.body.data.attributes.last_analysis_results.Threatsourcing.category}}, *URLhaus:* {{webResponse.body.data.attributes.last_analysis_results.URLhaus.category}}, *ZeroCERT:* {{webResponse.body.data.attributes.last_analysis_results.ZeroCERT.category}}, *Cluster25:* {{webResponse.body.data.attributes.last_analysis_results.Cluster25.category}}, *Criminal IP:* {{webResponse.body.data.attributes.last_analysis_results.Criminal IP.category}}, *CrowdSec:* 
{{webResponse.body.data.attributes.last_analysis_results.CrowdSec.category}}, *Netcraft:* {{webResponse.body.data.attributes.last_analysis_results.Netcraft.category}}, *PhishFort:* {{webResponse.body.data.attributes.last_analysis_results.PhishFort.category}}, *Segasec:* {{webResponse.body.data.attributes.last_analysis_results.Segasec.category}}, *VIPRE:* {{webResponse.body.data.attributes.last_analysis_results.VIPRE.category}}


This is the Create Variable, trying to grab a subset with the goal of adding just that subset as a Comment.

[Screenshot 2023-08-28 125418.png]

Bill Sheboy
Rising Star
August 28, 2023

Are there line breaks / newlines in your source text, or multiple possible matches per line?

The match() function does not handle those well, particularly when there are multiple results in a single search row.  One work-around is to first force line breaks (or list item breaks) at possible match boundaries, and then use match().

Your source appears to be comma-separated values; perhaps try this for your second created variable:

{{VTDomainMalVendors.split(",").match(".*(\*\w+:\*\s+harmless).*")}}

Also...as you are using Jira Cloud, you may want to consider using Lookup Tables to capture that first long list of vendor information.  With the recent enhancements it may be easier to maintain than the large single created variable. https://community.atlassian.com/t5/Automation-articles/Update-Create-lookup-table-action-improvements/ba-p/2427798

Chelsie August 28, 2023

Bill, that split worked like a charm! Thank you!
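Added example, not from the thread or from Atlassian: a stand-alone Python script that reproduces the split-then-match approach from the accepted answer on a constructed excerpt of the VTDomainMalVendors string, and shows why the single-regex attempt only ever yielded one fragment. Python's re behaves the same as Java's Pattern for the constructs involved here: `\w` covers letters, digits and underscore only, and a capture group under `+` keeps only its last repetition. The constructed sample, the per-item pattern `ITEM_RE`, and the helper names are all this example's own assumptions. The practical caveat for anyone wiring VirusTotal verdicts into a ticket: a `\*\w+:\*` vendor pattern never matches names containing hyphens, spaces, dots or parentheses, so with the data shown in the question the one malicious verdict (*Antiy-AVL*) would never reach the comment; the tolerant item pattern below accepts any non-asterisk name and reports items it cannot parse instead of dropping them.

```python
import re

# Constructed excerpt in the same shape as the VTDomainMalVendors string in the
# question (vendor name between asterisks, then the VirusTotal category). It
# keeps the awkward cases the real string has: a hyphenated name, names with
# spaces, a colon outside the asterisks, an empty category, and a missing colon.
SAMPLE = (
    "VTDomainMalVendors: *Antiy-AVL*: malicious, *Kaspersky:* harmless, "
    "*CMC Threat Intelligence:* harmless, *0xSI_f33d:* undetected, "
    "*alphaMountain.ai:* , *Dr.Web:* , *Viettel Threat Intelligence* harmless, "
    "*AICC (MONITORAPP:* harmless, *VIPRE:* undetected"
)

# The expression from the question. `\w` is letters, digits and underscore only,
# and a repeated group keeps just its last repetition, so one match() call can
# only ever hand back a single "*Vendor:* harmless" fragment.
ORIGINAL_RE = re.compile(r"(\*\w+:\*\s+harmless)+")

# Assumed per-item pattern, applied after split(","): any non-asterisk name,
# the colon tolerated inside or outside the asterisks, a possibly empty category.
ITEM_RE = re.compile(r"\*(?P<vendor>[^*]+?):?\*:?\s*(?P<category>\S*)\s*$")


def original_regex_matches(text):
    """Every fragment the question's regex can find in the whole string."""
    return ORIGINAL_RE.findall(text)


def parse_vendors(text):
    """Split on commas first, then match each item on its own.

    Returns (vendor -> category, items that did not parse). Unparsed items are
    reported rather than dropped so a verdict is never lost silently.
    """
    results, unparsed = {}, []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = ITEM_RE.search(item)  # search: tolerates the leading field label
        if m is None:
            unparsed.append(item)
            continue
        results[m.group("vendor")] = m.group("category")
    return results, unparsed


def vendors_with(text, category):
    """Vendor names whose category equals `category` ("" means no verdict)."""
    results, _ = parse_vendors(text)
    return sorted(v for v, c in results.items() if c == category)


def build_comment(text, category="malicious"):
    """Multi-line comment body listing every vendor with the given verdict."""
    vendors = vendors_with(text, category)
    if not vendors:
        return f"No vendors reported {category}."
    lines = [f"{len(vendors)} vendor(s) reported {category}:"]
    lines.extend(f"- {v}" for v in vendors)
    return "\n".join(lines)


if __name__ == "__main__":
    print("single-regex approach finds:", original_regex_matches(SAMPLE))
    print(build_comment(SAMPLE, "malicious"))
    print(build_comment(SAMPLE, "harmless"))
    print("no verdict:", vendors_with(SAMPLE, ""))
```

Running the script shows the contrast directly: `original_regex_matches` returns only the Kaspersky fragment, while `build_comment` lists every vendor for the requested verdict, one per line, which is the shape a Jira comment or audit-log entry needs. Vendors with an empty category (the real string has several) surface via `vendors_with(text, "")`, so a rule can flag "no verdict" separately from "harmless".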
