csirtgadgets / csirtg-smrt-v1

the fastest way to consume threat intelligence.
http://csirtgadgets.org
Mozilla Public License 2.0

Allow envelope to support multiple layers #290

Closed mdavis332 closed 4 years ago

mdavis332 commented 4 years ago

Some APIs that return JSON objects with the useful data nested layers deep (apwg /mal_ip, I'm looking at you) do not seem to currently work with the JSON parser. Add the ability for envelope to peel back Matryoshka doll envelopes, e.g.:

```json
{
  "_meta": "some garbage",
  "_links": "other stuff",
  "_embedded": {
    "mal_ips": [ "finally the good stuff", "oh yeah" ]
  }
}
```

rule.yml:

```yaml
...
envelope:
  - _embedded
  - mal_ips
...
```
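One way the requested list-valued `envelope` could be handled, as an added example that is not code from csirtg-smrt or from the issue author. The names `peel_envelope`, `parse_feed` and `EnvelopeError` are hypothetical, and the sample response is constructed with documentation-range addresses. It fails loudly when a layer is missing, so a feed that changes shape is noticed instead of silently yielding no indicators.

```python
import json

# Constructed sample shaped like the response in the issue (not real feed data).
SAMPLE = json.dumps({
    "_meta": "some garbage",
    "_links": "other stuff",
    "_embedded": {"mal_ips": ["192.0.2.10", "198.51.100.7"]},
})


class EnvelopeError(ValueError):
    """The response does not match the envelope path given in the rule."""


def peel_envelope(doc, envelope):
    """Walk `doc` down the envelope path and return the records as a list.

    `envelope` may be None (no wrapper), a single key (one layer) or a
    list of keys (nested layers, outermost first).
    """
    if envelope is None:
        path = []
    elif isinstance(envelope, str):
        path = [envelope]
    else:
        path = list(envelope)

    node = doc
    for depth, key in enumerate(path):
        if not isinstance(node, dict):
            raise EnvelopeError(
                f"layer {depth}: expected an object holding {key!r}, "
                f"got {type(node).__name__}")
        if key not in node:
            raise EnvelopeError(
                f"layer {depth}: key {key!r} not found, have {sorted(node)}")
        node = node[key]

    if isinstance(node, dict):  # a single record instead of an array
        return [node]
    if not isinstance(node, list):
        raise EnvelopeError(f"envelope ends at {type(node).__name__}, not records")
    return node


def parse_feed(text, envelope=None):
    """Decode a JSON feed body and strip its envelope layers."""
    return peel_envelope(json.loads(text), envelope)
```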