I want to get each alert and fetch the information from the alert, and if it matches the rule then I need to merge the alert and update. But I am not sure how to fetch each alert in an incremental way.
Information on your n8n setup

- n8n version: 1.57.0
- Database (default: SQLite): postgres
- n8n EXECUTIONS_PROCESS setting (default: own, main): own
- Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
If I understood you right, the below demo workflow should give you an idea how to

- get hold of the alerts in the array coming from DFIR-IRIS
- de-duplicate based on the alert ID

If the duplicates have different IDs but nonetheless are duplicates based on some other properties, use those properties (could be more than one) instead.
My issue is that I will be getting the alert_id from the DFIR and should pick the alert ID, check if the alert is new, do some action, and go to the next alert. It is kind of an incremental loop, and if the alert ID is not found it should wait till the alert ID is found. I have one more issue: if you see, I am getting only 10 alerts in a page but I am not able to move to the 2nd page.
The DFIR-IRIS HTTP Request node comes with pagination functionality which is described in HTTP Request | n8n Docs. The Alerts API describes what page attributes are included in the response body.
I assume you are utilizing the /alerts/filter endpoint. The doc specifies the following:

> Filter alerts. This endpoint uses paging. Each response contains a total, last_page, current_page and next_page information to fetch the next results.
You have to leverage those properties with the pagination functionality to retrieve all the alerts.
Note that I base my answer on some assumptions and guesses as I have no access to the IRIS service to test it. Therefore I do not know for sure what the response body looks like. I’m just pointing you in the right direction. Hopefully it helps.
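The following is an added example, not part of the original posts and not code from n8n or DFIR-IRIS: a sketch of the logic discussed in this thread, following `next_page` until the last page and keeping only alerts whose `alert_id` has not been seen before. The `alerts` array key, the sample responses and the synchronous `fetchPage` callback (a stand-in for the HTTP call) are assumptions; only `total`, `last_page`, `current_page`, `next_page` and `alert_id` come from the thread.

```javascript
// Assumed response shape (not verified against a live IRIS instance):
// { total, last_page, current_page, next_page, alerts: [{ alert_id, ... }] }

// Decide which page to request next, or null when paging is finished.
function nextPage(body) {
  const { current_page, last_page, next_page } = body;
  if (next_page == null) return null;                     // no further page advertised
  if (next_page <= current_page) return null;             // guard against an endless loop
  if (last_page != null && current_page >= last_page) return null;
  return next_page;
}

// Walk every page and return only alerts not seen before.
// seenIds (a Set) is updated in place so a later run skips them.
// fetchPage is a hypothetical callback returning the parsed body of one page.
function collectNewAlerts(fetchPage, seenIds, maxPages = 1000) {
  const fresh = [];
  let page = 1;
  for (let i = 0; page !== null && i < maxPages; i++) {
    const body = fetchPage(page);
    for (const alert of body.alerts || []) {
      if (seenIds.has(alert.alert_id)) continue;          // duplicate or already handled
      seenIds.add(alert.alert_id);
      fresh.push(alert);
    }
    page = nextPage(body);
  }
  return fresh;
}

// Constructed sample data: two pages, one in-page duplicate (102),
// one cross-page duplicate (101).
const samplePages = {
  1: { total: 5, last_page: 2, current_page: 1, next_page: 2,
       alerts: [{ alert_id: 101 }, { alert_id: 102 }, { alert_id: 102 }] },
  2: { total: 5, last_page: 2, current_page: 2, next_page: null,
       alerts: [{ alert_id: 103 }, { alert_id: 101 }] },
};
const fetchSample = (p) => samplePages[p];

const seen = new Set([101]);                              // 101 was handled in an earlier run
const newAlerts = collectNewAlerts(fetchSample, seen);
console.log(newAlerts.map((a) => a.alert_id));            // [ 102, 103 ]
```

Running it again with the same `seen` set returns nothing, which is the incremental behaviour asked about; how the set is persisted between workflow runs is left out here.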