Hi,
I have data that looks like this:
$data
timestamp : 1645423991999
entities : {@{type=policyRule; label=[GIT] Administrative activity from a non-corporate IP address;
id=5e9d64458a22bee70209f290; policyType=AUDIT}, @{type=account; label=Jon Doe (Admin);
id=73890295-8ad0-445a-8033-93d86ce3e699; em=john.doe@tenant .com;
pa=john.doe@tenant .com; entityType=2; saas=11161; inst=0}, @{type=user;
label=john.doe@tenant .com; id=john.doe@tenant .com}, @{type=service;
label=Okta PSA Int; id=10999}...}
audits : {993106399_10980_1e48ae8d-92dd-11ec-9d82-818dd0912bc8}
title : [GIT] Administrative activity from a non-corporate IP address
description : Activity policy 'Administrative activity from a non-corporate IP address' was triggered
by 'Jon Doe (Admin) (john.doe@tenant .com)'
contextId : bc1b92b9-5dc9-49be-995b-c97eb515a1d3
threatScore : 35
threatScoreReasoning : {@{template=UEBA_ALERTS_SEVERITY_LEVEL_EVIDENCE; parameters=}}
intent : {0}
statusValue : 0
severityValue : 1
resolutionStatusValue : 0
idValue : 15728641
isSystemAlert : False
URL : https://tenant.com.portal.cloudappsecurity.com/#/alerts/62132d79668e595c124eb021
And I wanted to rewrite this array and export it as a new CSV that should have additional information:
timestamp : 1645423991999 (converted to a simple format like mm-dd-yy hh:mm if possible)
entities : {@{type=policyRule; label=[GIT] Administrative activity from a non-corporate IP address;
id=5e9d64458a22bee70209f290; policyType=AUDIT}, @{type=account; label=Jon Doe (Admin);
id=73890295-8ad0-445a-8033-93d86ce3e699; em=john.doe@tenant .com;
pa=john.doe@tenant .com; entityType=2; saas=11161; inst=0}, @{type=user;
label=john.doe@tenant .com; id=john.doe@tenant .com}, @{type=service;
label=Okta PSA Int; id=10999}...}
audits : {993106399_10980_1e48ae8d-92dd-11ec-9d82-818dd0912bc8}
title : [GIT] Administrative activity from a non-corporate IP address
description : Activity policy 'Administrative activity from a non-corporate IP address' was triggered
by 'Jon Doe (Admin) (john.doe@tenant .com)'
contextId : bc1b92b9-5dc9-49be-995b-c97eb515a1d3
threatScore : 35
threatScoreReasoning : {@{template=UEBA_ALERTS_SEVERITY_LEVEL_EVIDENCE; parameters=}}
intent : {0}
statusValue : 0
severityValue : 1
resolutionStatusValue : 0
idValue : 15728641
isSystemAlert : False
URL : https://tenant.com.portal.cloudappsecurity.com/#/alerts/62132d79668e595c124eb021
Domain: EMEA
I was thinking of doing this:
$data | export-csv c:\temp\data.csv
How can I get rid of System.Object under the column entities, etc.? I am exporting this as a raw data reference.
hash.csv is a file containing key and value: id=73890295 = EMEA
$hash = @{}
import-csv c:\temp\hash.csv | foreach-object {
    $hash[$_.ID] = $_.domain }
Importing my data:
import-csv c:\temp\data.csv | foreach-object {
    $_ | add-member noteproperty 'Domain' ""
    if ($hash.containskey($_.entities?)) {   # I don't know how to pull this value id=73890295
        $_.domain = $hash[$_.entities?]
    }
    $_ } | export-csv c:\temp\newdata.csv
"Domain" = EMEA (this is from my hash)
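
One way to do what the post above asks, as an added example that is not part of the original post: flatten each alert's nested fields to strings before Export-Csv (so the columns no longer show System.Object[]), convert the epoch-millisecond timestamp, and fill Domain from the id of the `account` entity. The sample `$data` and `$hash` are constructed, the function name `Convert-AlertToFlatRow` is hypothetical, and the lookup assumes the hash.csv key is either the full account id or its first segment.

```powershell
# Constructed sample standing in for the post's $data (one alert, trimmed to the fields used below).
$data = @([pscustomobject]@{
    timestamp   = 1645423991999
    entities    = @(
        [pscustomobject]@{ type = 'policyRule'; label = '[GIT] Administrative activity from a non-corporate IP address'; id = '5e9d64458a22bee70209f290' }
        [pscustomobject]@{ type = 'account'; label = 'Jon Doe (Admin)'; id = '73890295-8ad0-445a-8033-93d86ce3e699' }
        [pscustomobject]@{ type = 'service'; label = 'Okta PSA Int'; id = '10999' }
    )
    audits      = @('993106399_10980_1e48ae8d-92dd-11ec-9d82-818dd0912bc8')
    title       = '[GIT] Administrative activity from a non-corporate IP address'
    threatScore = 35
    intent      = @(0)
})

# Constructed stand-in for the table loaded from hash.csv (ID -> domain).
$hash = @{ '73890295' = 'EMEA' }

function Convert-AlertToFlatRow {
    param([Parameter(Mandatory)] $Alert, [Parameter(Mandatory)] [hashtable] $DomainMap)
    # The account entity carries the id used as the lookup key.
    $account = $Alert.entities | Where-Object { $_.type -eq 'account' } | Select-Object -First 1
    $domain = ''
    if ($account) {
        # Assumption: the key is the full id or only its first segment; try both.
        foreach ($key in @([string]$account.id, ([string]$account.id -split '-')[0])) {
            if ($DomainMap.ContainsKey($key)) { $domain = $DomainMap[$key]; break }
        }
    }
    # Every nested array is joined into one string so Export-Csv writes text, not a type name.
    [pscustomobject]@{
        timestamp   = [DateTimeOffset]::FromUnixTimeMilliseconds([long]$Alert.timestamp).UtcDateTime.ToString('MM-dd-yy HH:mm')  # UTC
        entities    = ($Alert.entities | ForEach-Object { "$($_.type)=$($_.label) [$($_.id)]" }) -join '; '
        audits      = $Alert.audits -join '; '
        title       = $Alert.title
        threatScore = $Alert.threatScore
        intent      = $Alert.intent -join '; '
        Domain      = $domain
    }
}

$rows = $data | ForEach-Object { Convert-AlertToFlatRow -Alert $_ -DomainMap $hash }
$rows | Export-Csv -Path (Join-Path ([System.IO.Path]::GetTempPath()) 'newdata.csv') -NoTypeInformation
```

The enrichment runs on the in-memory alert objects, not on a re-imported data.csv, because once Export-Csv has written System.Object[] into a column the entity ids are no longer recoverable from the file.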