Can the elements in the dictionary returned by alert_context be a list of values or JSON data rather than just a string?
Yes, this is possible. Instead of returning a single string, you can also return a list of strings.
Below you can see an example using a detection on Okta logs that sends an alert to Slack.
The alert_context function was defined as shown below:
from panther_base_helpers import deep_get  # Panther helper for safely reading nested keys


def alert_context(event):
    return {
        "actor": deep_get(event, "actor", "displayName"),
        "id": deep_get(event, "actor", "id"),
        # a list value instead of a single string
        "message": [deep_get(event, "displayMessage"), event.get("eventType", None)],
    }
The value of the "message" key of the dictionary was set as a list instead of a single value. The alert context that will be delivered is the following:
Alert Context
{
    "actor": <ACTOR_NAME>,
    "id": "00u5m5crdnTG8zRAq5d7",
    "message": [
        "User logout from Okta",
        "user.session.end"
    ]
}
If you want the alert_context function to include JSON data, then we recommend converting the individual JSON key-value pairs to variables before using them in the alert_context function.
For example, let's suppose that we have the following JSON data in our Python code:
import json

json_data = '{"Name": "John Smith","Contact Number": "000000","Interests":["Swimming", "Reading"]}'
We will parse it using the function json.loads(), and the output will be a dictionary similar to the one below:
json_output = json.loads(json_data)

{'Name': 'John Smith', 'Contact Number': '000000', 'Interests': ['Swimming', 'Reading']}
If we want to use these values in the alert_context function, then we should first extract each individual value as shown below and then use those variables in the function:
person_name = json_output['Name']
person_number = json_output['Contact Number']
person_interests = json_output['Interests']


def alert_context(event):
    return {
        "name": person_name,
        "number": person_number,
        "interests": person_interests,
    }
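The following is an added example, not code from the original page or from Panther: one alert_context that combines both techniques above, returning list values and a nested dictionary built from a constructed Okta-style event, and parsing a JSON string carried inside the event into variables before use. The deep_get function is a local stand-in that assumes the same semantics as Panther's helper, and the event, including its debugData JSON string, is constructed for illustration.

```python
import json
from typing import Any

# Constructed sample Okta-style System Log event (not a real log record).
SAMPLE_EVENT = {
    "actor": {"displayName": "Jane Doe", "id": "00uEXAMPLEID000"},
    "displayMessage": "User logout from Okta",
    "eventType": "user.session.end",
    "client": {"ipAddress": "203.0.113.10", "userAgent": {"os": "Mac OS X"}},
    "target": [{"displayName": "Okta Dashboard", "type": "AppInstance"}],
    # Assumed field carrying JSON as an embedded string (constructed for this example).
    "debugContext": {"debugData": '{"requestId": "req-0001", "threatSuspected": "false"}'},
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Local stand-in for Panther's deep_get: walk nested dicts, return default on any miss."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key, default)
        if obj is default:
            return default
    return obj


def alert_context(event: dict) -> dict:
    # Parse the embedded JSON string first and assign its pairs to variables,
    # then use the variables in the returned dictionary.
    raw_debug = deep_get(event, "debugContext", "debugData", default="{}")
    try:
        debug = json.loads(raw_debug)
    except (TypeError, ValueError):
        debug = {}  # malformed or missing debugData must not break the alert
    request_id = debug.get("requestId")
    return {
        "actor": deep_get(event, "actor", "displayName"),
        "id": deep_get(event, "actor", "id"),
        # list value, as in the Okta example above
        "message": [deep_get(event, "displayMessage"), event.get("eventType")],
        # list derived from a list field in the event
        "targets": [t.get("displayName") for t in event.get("target", [])],
        # nested dictionary value
        "client": {"ip": deep_get(event, "client", "ipAddress"), "os": deep_get(event, "client", "userAgent", "os")},
        "request_id": request_id,
    }


def context_is_json_serializable(ctx: dict) -> bool:
    """Sanity check: the destination (e.g. Slack) receives the context as JSON."""
    try:
        json.dumps(ctx)
        return True
    except (TypeError, ValueError):
        return False
```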