I'm trying to add a comment to a Jira ticket with a variable that contains all results of .match.
Using the result from an HTTP GET to VirusTotal, I was able to build a smart variable that contains this data. I did this first because each vendor (PrecisionSec, PhishLabs, SecureBrain) has a unique dot walk, so I needed to hardcode the names, one by one, to get the result.
{{webResponse.body.data.attributes.last_analysis_results.PrecisionSec.category}}
My issue is, when I use .match against the resulting data, I'm only getting one "*vendor*:harmless" added to the comment or audit log. This will be changed to malicious once I can validate everything is working as expected. If I need to convert to a list, or iterate over it as an array some other way, I'm not sure how.
https://regex101.com/r/xra4Xb/1
Regex I'm using:
(\*\w+:\*\s+harmless)+
Data:
VTDomainMalVendors: *Antiy-AVL*: malicious, *Kaspersky:* harmless, *Avira:* harmless, *Bkav:* undetected, *CMC Threat Intelligence:* harmless, *Snort IP sample list:* harmless, *0xSI_f33d:* undetected, *ViriBack:* harmless, *PhishLabs:* undetected, *K7AntiVirus:* harmless, *CINS Army.:* harmless, *Quttera:* harmless, *PrecisionSec:* undetected, *OpenPhish:* harmless, *VX Vault:* harmless, *ArcSight Threat Intelligence:* undetected, *AlienVault:* harmless, *Sophos:* harmless, *Phishtank:* harmless, *Cyan:* undetected, *Spam404:* harmless, *SecureBrain:* harmless, *CRDF:* harmless, *Fortinet:* harmless, *alphaMountain.ai:* , *Lionic:* harmless, *Cyble:* harmless, *Seclookup:* harmless, *Xcitium Verdict Cloud:* harmless, *Google Safebrowsing:* harmless, *SafeToOpen:* undetected, *ADMINUSLabs:* harmless, *ESTsecurity:* harmless, *Juniper Networks:* harmless, *Heimdal Security:* harmless, *AutoShun:* undetected, *Trustwave:* harmless, *AICC (MONITORAPP:* harmless, *CyRadar:* harmless, *Dr.Web:* , *Emsisoft:* harmless, *Abusix:* harmless, *Webroot:* harmless, *securolytics:* harmless, *AlphaSOC:* undetected, *Acronis:* harmless, *Quick Heal:* harmless, *URLQuery:* undetected, *Viettel Threat Intelligence* harmless, *DNS8:* harmless, *benkow.cc* , *EmergingThreats:* harmless, *Chong Lua Dao:* harmless, *Yandex Safebrowsing:* harmless, *Lumu:* undetected, *zvelo:* undetected, *Bfore.Ai PreCrime:* , *BitDefender:* harmless, *Blueliv:* harmless, *Certego:* harmless, *desenmascara.me:* , *ESET:* harmless, *Forcepoint ThreatSeeker:* harmless, *G-Data:* harmless, *GreenSnow:* harmless, *IPsum:* harmless, *Malwared:* harmless, *MalwarePatrol:* harmless, *malwares.com URL checker:* , *Phishing Database:* harmless, *PREBYTES:* harmless, *Scantitan:* harmless, *SCUMWARE.org:* , *SOCRadar:* harmless, *StopForumSpam:* harmless, *Sucuri SiteCheck:* harmless, *ThreatHive:* harmless, *Threatsourcing:* harmless, *URLhaus:* harmless, *ZeroCERT:* harmless, *Cluster25:* undetected, 
*Criminal IP:* undetected, *CrowdSec:* undetected, *Netcraft:* undetected, *PhishFort:* undetected, *Segasec:* undetected, *VIPRE:* undetected
The result is one capture group and multiple matches. How do I display the multiple matches in one comment?
Thank you kindly.
Hi Chelsie,
Would you please show the automation rule details, including the action where you are using the match() call? That context will help the community to offer suggestions. Thanks!
Until we see that... my understanding is the regular expression parsing for automation rules is based on Java's Pattern class, but they do not indicate what is / is not actually supported. Perhaps try a simpler expression first, writing the results to the audit log, and use that to build up to a workable expression.
Kind regards,
Bill
Sure, this is the response body extraction into a variable.
Smart value:
*Antiy-AVL*: {{webResponse.body.data.attributes.last_analysis_results.Antiy-AVL.category}}, *Kaspersky:* {{webResponse.body.data.attributes.last_analysis_results.Kaspersky.category}}, *Avira:* {{webResponse.body.data.attributes.last_analysis_results.Avira.category}}, *Bkav:* {{webResponse.body.data.attributes.last_analysis_results.Bkav.category}}, *CMC Threat Intelligence:* {{webResponse.body.data.attributes.last_analysis_results.CMC Threat Intelligence.category}}, *Snort IP sample list:* {{webResponse.body.data.attributes.last_analysis_results.Snort IP sample list.category}}, *0xSI_f33d:* {{webResponse.body.data.attributes.last_analysis_results.0xSI_f33d.category}}, *ViriBack:* {{webResponse.body.data.attributes.last_analysis_results.ViriBack.category}}, *PhishLabs:* {{webResponse.body.data.attributes.last_analysis_results.PhishLabs.category}}, *K7AntiVirus:* {{webResponse.body.data.attributes.last_analysis_results.K7AntiVirus.category}}, *CINS Army.:* {{webResponse.body.data.attributes.last_analysis_results.CINS Army.category}}, *Quttera:* {{webResponse.body.data.attributes.last_analysis_results.Quttera.category}}, *PrecisionSec:* {{webResponse.body.data.attributes.last_analysis_results.PrecisionSec.category}}, *OpenPhish:* {{webResponse.body.data.attributes.last_analysis_results.OpenPhish.category}}, *VX Vault:* {{webResponse.body.data.attributes.last_analysis_results.VX Vault.category}}, *ArcSight Threat Intelligence:* {{webResponse.body.data.attributes.last_analysis_results.ArcSight Threat Intelligence.category}}, *AlienVault:* {{webResponse.body.data.attributes.last_analysis_results.AlienVault.category}}, *Sophos:* {{webResponse.body.data.attributes.last_analysis_results.Sophos.category}}, *Phishtank:* {{webResponse.body.data.attributes.last_analysis_results.Phishtank.category}}, *Cyan:* {{webResponse.body.data.attributes.last_analysis_results.Cyan.category}}, *Spam404:* {{webResponse.body.data.attributes.last_analysis_results.Spam404.category}}, 
*SecureBrain:* {{webResponse.body.data.attributes.last_analysis_results.SecureBrain.category}}, *CRDF:* {{webResponse.body.data.attributes.last_analysis_results.CRDF.category}}, *Fortinet:* {{webResponse.body.data.attributes.last_analysis_results.Fortinet.category}}, *alphaMountain.ai:* {{webResponse.body.data.attributes.last_analysis_results.alphaMountain.ai.category}}, *Lionic:* {{webResponse.body.data.attributes.last_analysis_results.Lionic.category}}, *Cyble:* {{webResponse.body.data.attributes.last_analysis_results.Cyble.category}}, *Seclookup:* {{webResponse.body.data.attributes.last_analysis_results.Seclookup.category}}, *Xcitium Verdict Cloud:* {{webResponse.body.data.attributes.last_analysis_results.Xcitium Verdict Cloud.category}}, *Google Safebrowsing:* {{webResponse.body.data.attributes.last_analysis_results.Google Safebrowsing.category}}, *SafeToOpen:* {{webResponse.body.data.attributes.last_analysis_results.SafeToOpen.category}}, *ADMINUSLabs:* {{webResponse.body.data.attributes.last_analysis_results.ADMINUSLabs.category}}, *ESTsecurity:* {{webResponse.body.data.attributes.last_analysis_results.ESTsecurity.category}}, *Juniper Networks:* {{webResponse.body.data.attributes.last_analysis_results.Juniper Networks.category}}, *Heimdal Security:* {{webResponse.body.data.attributes.last_analysis_results.Heimdal Security.category}}, *AutoShun:* {{webResponse.body.data.attributes.last_analysis_results.AutoShun.category}}, *Trustwave:* {{webResponse.body.data.attributes.last_analysis_results.Trustwave.category}}, *AICC (MONITORAPP:* {{webResponse.body.data.attributes.last_analysis_results.AICC (MONITORAPP).category}}, *CyRadar:* {{webResponse.body.data.attributes.last_analysis_results.CyRadar.category}}, *Dr.Web:* {{webResponse.body.data.attributes.last_analysis_results.Dr.Web.category}}, *Emsisoft:* {{webResponse.body.data.attributes.last_analysis_results.Emsisoft.category}}, *Abusix:* 
{{webResponse.body.data.attributes.last_analysis_results.Abusix.category}}, *Webroot:* {{webResponse.body.data.attributes.last_analysis_results.Webroot.category}}, *securolytics:* {{webResponse.body.data.attributes.last_analysis_results.securolytics.category}}, *AlphaSOC:* {{webResponse.body.data.attributes.last_analysis_results.AlphaSOC.category}}, *Acronis:* {{webResponse.body.data.attributes.last_analysis_results.Acronis.category}}, *Quick Heal:* {{webResponse.body.data.attributes.last_analysis_results.Quick Heal.category}}, *URLQuery:* {{webResponse.body.data.attributes.last_analysis_results.URLQuery.category}}, *Viettel Threat Intelligence* {{webResponse.body.data.attributes.last_analysis_results.Viettel Threat Intelligence.category}}, *DNS8:* {{webResponse.body.data.attributes.last_analysis_results.DNS8.category}}, *benkow.cc* {{webResponse.body.data.attributes.last_analysis_results.benkow.cc.category}}, *EmergingThreats:* {{webResponse.body.data.attributes.last_analysis_results.EmergingThreats.category}}, *Chong Lua Dao:* {{webResponse.body.data.attributes.last_analysis_results.Chong Lua Dao.category}}, *Yandex Safebrowsing:* {{webResponse.body.data.attributes.last_analysis_results.Yandex Safebrowsing.category}}, *Lumu:* {{webResponse.body.data.attributes.last_analysis_results.Lumu.category}}, *zvelo:* {{webResponse.body.data.attributes.last_analysis_results.zvelo.category}}, *Bfore.Ai PreCrime:* {{webResponse.body.data.attributes.last_analysis_results.Bfore.Ai PreCrime.category}}, *BitDefender:* {{webResponse.body.data.attributes.last_analysis_results.BitDefender.category}}, *Blueliv:* {{webResponse.body.data.attributes.last_analysis_results.Blueliv.category}}, *Certego:* {{webResponse.body.data.attributes.last_analysis_results.Certego.category}}, *desenmascara.me:* {{webResponse.body.data.attributes.last_analysis_results.desenmascara.me.category}}, *ESET:* {{webResponse.body.data.attributes.last_analysis_results.ESET.category}}, *Forcepoint ThreatSeeker:* 
{{webResponse.body.data.attributes.last_analysis_results.Forcepoint ThreatSeeker.category}}, *G-Data:* {{webResponse.body.data.attributes.last_analysis_results.G-Data.category}}, *GreenSnow:* {{webResponse.body.data.attributes.last_analysis_results.GreenSnow.category}}, *IPsum:* {{webResponse.body.data.attributes.last_analysis_results.IPsum.category}}, *Malwared:* {{webResponse.body.data.attributes.last_analysis_results.Malwared.category}}, *MalwarePatrol:* {{webResponse.body.data.attributes.last_analysis_results.MalwarePatrol.category}}, *malwares.com URL checker:* {{webResponse.body.data.attributes.last_analysis_results.malwares.com URL checker.category}}, *Phishing Database:* {{webResponse.body.data.attributes.last_analysis_results.Phishing Database.category}}, *PREBYTES:* {{webResponse.body.data.attributes.last_analysis_results.PREBYTES.category}}, *Scantitan:* {{webResponse.body.data.attributes.last_analysis_results.Scantitan.category}}, *SCUMWARE.org:* {{webResponse.body.data.attributes.last_analysis_results.SCUMWARE.org.category}}, *SOCRadar:* {{webResponse.body.data.attributes.last_analysis_results.SOCRadar.category}}, *StopForumSpam:* {{webResponse.body.data.attributes.last_analysis_results.StopForumSpam.category}}, *Sucuri SiteCheck:* {{webResponse.body.data.attributes.last_analysis_results.Sucuri SiteCheck.category}}, *ThreatHive:* {{webResponse.body.data.attributes.last_analysis_results.ThreatHive.category}}, *Threatsourcing:* {{webResponse.body.data.attributes.last_analysis_results.Threatsourcing.category}}, *URLhaus:* {{webResponse.body.data.attributes.last_analysis_results.URLhaus.category}}, *ZeroCERT:* {{webResponse.body.data.attributes.last_analysis_results.ZeroCERT.category}}, *Cluster25:* {{webResponse.body.data.attributes.last_analysis_results.Cluster25.category}}, *Criminal IP:* {{webResponse.body.data.attributes.last_analysis_results.Criminal IP.category}}, *CrowdSec:* 
{{webResponse.body.data.attributes.last_analysis_results.CrowdSec.category}}, *Netcraft:* {{webResponse.body.data.attributes.last_analysis_results.Netcraft.category}}, *PhishFort:* {{webResponse.body.data.attributes.last_analysis_results.PhishFort.category}}, *Segasec:* {{webResponse.body.data.attributes.last_analysis_results.Segasec.category}}, *VIPRE:* {{webResponse.body.data.attributes.last_analysis_results.VIPRE.category}}
This is the Create Variable, trying to grab a subset with the goal of adding just that subset as a Comment.
Are there line breaks / newlines in your source text, or multiple possible matches per line?
The match() function does not handle those well, particularly when there are multiple results in a single search row. One work-around is to first force line breaks (or list item breaks) at possible match boundaries, and then use match().
Your source appears to be comma-separated values; perhaps try this for your second created variable:
{{VTDomainMalVendors.split(",").match(".*(\*\w+:\*\s+harmless).*")}}
Also... as you are using Jira Cloud, you may want to consider using Lookup Tables to capture that first long list of vendor information. With the recent enhancements it may be easier to maintain than the large single created variable. https://community.atlassian.com/t5/Automation-articles/Update-Create-lookup-table-action-improvements/ba-p/2427798
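Worked out in Python as an added example (this is not code from the thread, and it does not model Jira automation's own match() semantics, which this page does not document): first_match shows what a first-match-only search over the whole flat string returns, all_matches shows every hit of the same regex and which vendors it still misses, parse_flat is the split-then-match work-around from the reply above, and categories_from_vt walks the VirusTotal last_analysis_results object directly, which removes the need to hard-code one dot-walk per vendor. SAMPLE_FLAT and SAMPLE_VT_JSON are constructed, modelled on a subset of the data in the question.

```python
from __future__ import annotations

import json
import re

# Constructed sample modelled on the created-variable string in the thread
# (a subset, not the full list). It keeps the quirks visible in the real data:
# inconsistent markup on Antiy-AVL, multi-word vendor names, an empty category
# for alphaMountain.ai and a missing colon on Viettel.
SAMPLE_FLAT = (
    "*Antiy-AVL*: malicious, *Kaspersky:* harmless, *Avira:* harmless, "
    "*Bkav:* undetected, *CMC Threat Intelligence:* harmless, "
    "*PhishLabs:* undetected, *alphaMountain.ai:* , "
    "*Viettel Threat Intelligence* harmless, *Fortinet:* harmless"
)

# Constructed sample of the part of a VirusTotal v3 domain report that the rule
# dot-walks into. Same vendors and verdicts as SAMPLE_FLAT; alphaMountain.ai has
# no "category" key, which is how an empty value ends up in the flat string.
SAMPLE_VT_JSON = json.dumps({"data": {"attributes": {"last_analysis_results": {
    "Antiy-AVL": {"category": "malicious", "result": "malware"},
    "Kaspersky": {"category": "harmless", "result": "clean"},
    "Avira": {"category": "harmless", "result": "clean"},
    "Bkav": {"category": "undetected", "result": "unrated"},
    "CMC Threat Intelligence": {"category": "harmless", "result": "clean"},
    "PhishLabs": {"category": "undetected", "result": "unrated"},
    "alphaMountain.ai": {"result": None},
    "Viettel Threat Intelligence": {"category": "harmless", "result": "clean"},
    "Fortinet": {"category": "harmless", "result": "clean"},
}}}})

# The regex from the question, unchanged.
ORIGINAL_PATTERN = re.compile(r"(\*\w+:\*\s+harmless)+")


def first_match(flat: str) -> str | None:
    """A first-match-only search over the whole string: exactly one vendor,
    which is the symptom described in the question."""
    m = ORIGINAL_PATTERN.search(flat)
    return m.group(0) if m else None


def all_matches(flat: str) -> list[str]:
    r"""Every non-overlapping match of the same regex. Vendors whose names
    contain spaces or hyphens are still missed, because \w+ cannot span them."""
    return ORIGINAL_PATTERN.findall(flat)


# One item of the flat string, "*Vendor:* category", tolerating the colon on
# either side of the closing asterisk or absent, and an empty category.
ITEM_PATTERN = re.compile(r"^\*(?P<vendor>.+?):?\*:?\s*(?P<category>\w*)$")


def parse_flat(flat: str) -> dict[str, str]:
    """Split-then-match: break the string at the ', ' separators so each vendor
    is its own row, then match each row on its own. Rows that do not fit the
    item format are skipped rather than silently merged into a neighbour."""
    categories: dict[str, str] = {}
    for item in flat.split(", "):
        m = ITEM_PATTERN.match(item)
        if m:
            categories[m["vendor"]] = m["category"]
    return categories


def categories_from_vt(vt_json: str) -> dict[str, str]:
    """Walk last_analysis_results directly instead of hard-coding one dot-walk
    per vendor; names with spaces or dots are just dictionary keys here."""
    results = json.loads(vt_json)["data"]["attributes"]["last_analysis_results"]
    return {vendor: r.get("category", "") for vendor, r in results.items()}


def vendors_with(categories: dict[str, str], category: str) -> list[str]:
    """Vendor names whose verdict equals `category`, sorted for a stable comment."""
    return sorted(v for v, c in categories.items() if c == category)


def format_comment(categories: dict[str, str], category: str) -> str:
    """The subset to post as the Jira comment, one vendor per line, in the same
    *Vendor:* markup the rule already uses."""
    return "\n".join(f"*{v}:* {category}" for v in vendors_with(categories, category))


if __name__ == "__main__":
    print("first match only:", first_match(SAMPLE_FLAT))
    print("all regex matches:", all_matches(SAMPLE_FLAT))
    print(format_comment(parse_flat(SAMPLE_FLAT), "harmless"))
    print(format_comment(categories_from_vt(SAMPLE_VT_JSON), "malicious"))
```

Two things worth noticing when running it: all_matches returns only Kaspersky, Avira and Fortinet, because `\w+` in the original regex cannot cross the spaces in "CMC Threat Intelligence" or the hyphen in "Antiy-AVL", so a per-vendor pattern needs something like `.+?` for the name; and parse_flat and categories_from_vt produce the same dictionary, so if the rule can reach the response body directly there is no need to round-trip through the flat string and a regex at all.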