Powershell 遍历哈希表的多维数组以查找匹配项并组合两个数组中的值

【问题标题】:Powershell Iterate through multidimensional array of hashtables to find a match and combine values from both arraysPowershell 遍历哈希表的多维数组以查找匹配项并组合两个数组中的值
【发布时间】:2021-08-18 19:13:24
【问题描述】:

我需要合并来自 2 个 JSON 的值:

如果警报 ID 匹配,我需要创建结构,该结构将从两个 json 中获取数据

匹配结果应如下所示:

$array = @()
$hashtable = @{}
$hashtable.AlertID (does not matter what JSON is it from)
$hashtable.Tags (from JSON 1)
$hashtable.IncidentName (from JSON2)
$hashtable.IncidentID (from JSON2)
$array += $hashtable

如果这将使用 c 样式的 powershell 循环来完成,我会更喜欢。

c 风格 for loop = for ($x = 0; $x -array.count; $x++)

JSON 1:

[
    {
        "Status":  "Active",
        "IncidentId":  "3",
        "tags":  "SINC0008009",
        "AlertId":  [
                        "da637563185629568182_-638872186",
                        "da637563185631732095_1120592736",
                        "da637563185706412029_-614525914",
                        "da637563185760439486_-276692370",
                        "da637563185856325888_-1949235651",
                        "da637563186785996176_2128073884",
                        "da637563186789897000_1239551047",
                        "da637563186806513555_1512241399",
                        "da637563193194338043_-244132089"
                    ],
        "severity":  "Medium"
    },
    {
        "Status":  "Active",
        "IncidentId":  "4",
        "tags":  "SINC0008008",
        "AlertId":  [
                        "da637643650725801726_1735022501",
                        "da637643650741237104_1473290917",
                        "da637643650748739479_-40211355",
                        "da637643652767933265_-1887823168",
                        "da637643670830160376_-443360743"
                    ],
        "severity":  "Medium"
    },
    {
        "Status":  "Active",
        "IncidentId":  "2",
        "tags":  null,
        "AlertId":  [
                        "caD76232A5-F386-3C5D-94CD-7C82A7F778DC"
                    ],
        "severity":  "Medium"
    },
    {
        "Status":  "Active",
        "IncidentId":  "1",
        "tags":  null,
        "AlertId":  [
                        "ca6534FF45-D62A-3FB7-BD6B-FF5029C553DB"
                    ],
        "severity":  "Medium"
    }
]

JSON 2:

{
  "value": [
    {
      "incidentId": 3,
      "incidentName": "Multi-stage incident involving Initial access & Discovery on one endpoint",
      "status": "Active",
      "severity": "Medium",
      "tags": ["SINC0000001"],
      "comments": [],
      "alerts": [
        {
          "alertId": "da637563185629568182_-638872186",
          "incidentId": 3,
          "description": "A suspicious PowerShell activity was observed on the machine. ",
          "status": "New",
          "severity": "Medium",
          "devices": [
            {
              "deviceDnsName": "xxxxx"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "accountName": "xxxxxx",
              "userPrincipalName": "xxx@xx.xx"
            },
            {
              "entityType": "Process"
            },
            {
              "entityType": "Process",
              "verdict": "Suspicious"
            },
            {
              "entityType": "File"
            }
          ]
        },
        {
          "alertId": "da637563185631732095_1120592736",
          "incidentId": 3,
          "devices": [
            {
              "osPlatform": "Windows10",
              "version": "1909"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "remediationStatus": "None"
            }
          ]
        }
      ]
    },
    {
      "incidentId": 4,
      "incidentName": "Multi-stage incident involving Initial access & Discovery on one endpoint",
      "status": "Active",
      "severity": "Medium",
      "tags": ["SINC0000002"],
      "comments": [],
      "alerts": [
        {
          "alertId": "da637563185629568182_-638872186",
          "incidentId": 3,
          "description": "A suspicious PowerShell activity was observed on the machine. ",
          "status": "New",
          "severity": "Medium",
          "devices": [
            {
              "deviceDnsName": "xxxxx"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "accountName": "xxxxxx",
              "userPrincipalName": "xxx@xx.xx"
            },
            {
              "entityType": "Process"
            },
            {
              "entityType": "Process",
              "verdict": "Suspicious"
            },
            {
              "entityType": "File"
            }
          ]
        },
        {
          "alertId": "da637563185631732095_1120592736",
          "incidentId": 3,
          "devices": [
            {
              "osPlatform": "Windows10",
              "version": "1909"
            }
          ],
          "entities": [
            {
              "entityType": "User",
              "remediationStatus": "None"
            }
          ]
        }
      ]
    }  
  ]
}

到目前为止,我一直在研究使用嵌套的 foreach 循环来解决它,但它的行为并不像我想要的那样。我正在寻找 for 循环,因为我可以使用索引。

【问题讨论】:

  • 到目前为止,您尝试了什么?C 循环样式是什么意思?
  • 我依赖于 foreach 循环。这是最新的sn-p,明天我需要在测试环境中试一试。我不能把它放在这里,所以我更新了票的描述。 C 风格的 for 循环是 for($i = 0; $i -le $array.count; $i++) 我需要知道如何使用该循环。
  • 请更新您的问题以描述期望的结果,特别是您遇到困难的方面。
  • 好的,我已经简化了我的问题,提供了输入数据。

标签: powershell multidimensional-array data-structures comparison nested-loops


【解决方案1】:

我认为与其创建一个 Hashtables 数组,不如创建一个 PsCustomObjects 数组,因为这样将结果输出到 console/file/json 会容易得多。

$json1 = Get-Content -Path 'X:\json1.json' -Raw | ConvertFrom-Json
$json2 = Get-Content -Path 'X:\json2.json' -Raw | ConvertFrom-Json

$result = foreach ($incident in $json1) {
    foreach ($alertId in $incident.AlertId) {
        $json2.value | Where-Object { $_.alerts.alertId -eq $alertId } | ForEach-Object {
            # output an object with the wanted properties
            [PsCustomObject]@{
                AlertID      = $alertId          # from json1
                Tags         = $incident.Tags    # from json1
                IncidentName = $_.incidentName   # from json2
                IncidentID   = $_.incidentId     # from json2
            }
        }
    }
}

# output on screen
$result | Format-Table -AutoSize  # or use Out-GridView

# output to new JSON
$result | ConvertTo-Json

# output to CSV file
$result | Export-Csv -Path 'X:\incidents.csv' -NoTypeInformation

使用您的示例,控制台窗口的输出是:

AlertID                         Tags        IncidentName                                                              IncidentID
-------                         ----        ------------                                                              ----------
da637563185629568182_-638872186 SINC0008009 Multi-stage incident involving Initial access & Discovery on one endpoint          3
da637563185629568182_-638872186 SINC0008009 Multi-stage incident involving Initial access & Discovery on one endpoint          4
da637563185631732095_1120592736 SINC0008009 Multi-stage incident involving Initial access & Discovery on one endpoint          3
da637563185631732095_1120592736 SINC0008009 Multi-stage incident involving Initial access & Discovery on one endpoint          4

【讨论】:

  • 在这种情况下,我已接受您的解决方案 + 发布了一个新问题。再次抱歉。
猜你喜欢
  • 2023-04-04
  • 2015-05-25
  • 2014-09-23
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2013-06-06
  • 2016-01-27
  • 2016-09-03
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode