Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
Anonymous
Not applicable

Parsing embedded JSON into PowerBI table

‎07-28-2017 08:33 AM

Hi Everyone, 

I have tried to follow the video on http://community.powerbi.com/t5/Desktop/Parsing-Embedded-JSON/m-p/118623/highlight/true#M50071

 

to get embedded json displayed. unfortunately, I am not getting to any results (which probably gives some idea about my Power-BI skill-level) with my json code. I am trying to get the techniques used by the groups from the following JSON Code 

 

{
    "query-continue-offset": 5,
    "query": {
        "printrequests": [
            {
                "label": "",
                "key": "",
                "redi": "",
                "typeid": "_wpg",
                "mode": 2
            },
            {
                "label": "Has technique",
                "key": "Has_technique",
                "redi": "",
                "typeid": "_wpg",
                "mode": 1,
                "format": ""
            }
        ],
        "results": {
            "Group/G0006": {
                "printouts": {
                    "Has technique": [
                        {
                            "fulltext": "Technique/T1003",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1003",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Credential Dumping"
                        },
                        {
                            "fulltext": "Technique/T1036",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1036",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Masquerading"
                        },
                        {
                            "fulltext": "Technique/T1075",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1075",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Pass the Hash"
                        },
                        {
                            "fulltext": "Technique/T1076",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1076",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Remote Desktop Protocol"
                        },
                        {
                            "fulltext": "Technique/T1114",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1114",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Email Collection"
                        },
                        {
                            "fulltext": "Technique/T1064",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1064",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Scripting"
                        },
                        {
                            "fulltext": "Technique/T1059",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1059",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Command-Line Interface"
                        },
                        {
                            "fulltext": "Technique/T1005",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1005",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Data from Local System"
                        },
                        {
                            "fulltext": "Technique/T1002",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1002",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Data Compressed"
                        }
                    ]
                },
                "fulltext": "Group/G0006",
                "fullurl": "https://attack.mitre.org/wiki/Group/G0006",
                "namespace": 0,
                "exists": "1",
                "displaytitle": "Group: APT1, Comment Crew, ..."
            },
            "Group/G0005": {
                "printouts": {
                    "Has technique": []
                },
                "fulltext": "Group/G0005",
                "fullurl": "https://attack.mitre.org/wiki/Group/G0005",
                "namespace": 0,
                "exists": "1",
                "displaytitle": "Group: APT12, IXESHE, ..."
            },
            "Group/G0023": {
                "printouts": {
                    "Has technique": []
                },
                "fulltext": "Group/G0023",
                "fullurl": "https://attack.mitre.org/wiki/Group/G0023",
                "namespace": 0,
                "exists": "1",
                "displaytitle": "Group: APT16"
            },
            "Group/G0025": {
                "printouts": {
                    "Has technique": []
                },
                "fulltext": "Group/G0025",
                "fullurl": "https://attack.mitre.org/wiki/Group/G0025",
                "namespace": 0,
                "exists": "1",
                "displaytitle": "Group: APT17, Deputy Dog"
            },
            "Group/G0026": {
                "printouts": {
                    "Has technique": [
                        {
                            "fulltext": "Technique/T1053",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1053",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Scheduled Task"
                        },
                        {
                            "fulltext": "Technique/T1107",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1107",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "File Deletion"
                        },
                        {
                            "fulltext": "Technique/T1133",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1133",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "External Remote Services"
                        },
                        {
                            "fulltext": "Technique/T1078",
                            "fullurl": "https://attack.mitre.org/wiki/Technique/T1078",
                            "namespace": 0,
                            "exists": "1",
                            "displaytitle": "Valid Accounts"
                        }
                    ]
                },
                "fulltext": "Group/G0026",
                "fullurl": "https://attack.mitre.org/wiki/Group/G0026",
                "namespace": 0,
                "exists": "1",
                "displaytitle": "Group: APT18, Threat Group-0416, ..."
            }
        },
        "serializer": "SMW\\Serializers\\QueryResultSerializer",
        "version": 2,
        "meta": {
            "hash": "2114733f72ac04384ee95f38b7fea909",
            "count": 5,
            "offset": 0,
            "source": "",
            "time": "0.020588"
        }
    }
}

I get as far as getting the Groups displayed but not the techniques in use. Hopefully somebody can shed some light on this. 

 

regards,

totaldisaster

Labels:
Message 1 of 3
2,131 Views
0
1 ACCEPTED SOLUTION
ImkeF
Community Champion
Community Champion

‎07-28-2017 11:25 AM

Pls check if this delivers what you're after:

let
    Source = Json.Document(<<YourJSON>>),
    query = Source[query],
    results = query[results],
    #"Converted to Table" = Record.ToTable(results),
    #"Expanded Value" = Table.ExpandRecordColumn(#"Converted to Table", "Value", {"printouts", "fulltext", "fullurl", "namespace", "exists", "displaytitle"}, {"printouts", "fulltext", "fullurl", "namespace", "exists", "displaytitle"}),
    #"Expanded printouts" = Table.ExpandRecordColumn(#"Expanded Value", "printouts", {"Has technique"}, {"Has technique"}),
    #"Expanded Has technique" = Table.ExpandListColumn(#"Expanded printouts", "Has technique"),
    #"Expanded Has technique1" = Table.ExpandRecordColumn(#"Expanded Has technique", "Has technique", {"fulltext", "fullurl", "namespace", "exists", "displaytitle"}, {"fulltext.1", "fullurl.1", "namespace.1", "exists.1", "displaytitle.1"})
in
    #"Expanded Has technique1"

 

How to integrate M-code into your solution  -- Check out more PBI- learning resources here

Imke Feldmann (The BIccountant)

If you liked my solution, please give it a thumbs up. And if I did answer your question, please mark this post as a solution. Thanks!

How to integrate M-code into your solution -- How to get your questions answered quickly -- How to provide sample data -- Check out more PBI- learning resources here -- Performance Tipps for M-queries

View solution in original post

Message 2 of 3
2,474 Views
2 REPLIES 2
ImkeF
Community Champion
Community Champion

‎07-28-2017 11:25 AM

Pls check if this delivers what you're after:

let
    Source = Json.Document(<<YourJSON>>),
    query = Source[query],
    results = query[results],
    #"Converted to Table" = Record.ToTable(results),
    #"Expanded Value" = Table.ExpandRecordColumn(#"Converted to Table", "Value", {"printouts", "fulltext", "fullurl", "namespace", "exists", "displaytitle"}, {"printouts", "fulltext", "fullurl", "namespace", "exists", "displaytitle"}),
    #"Expanded printouts" = Table.ExpandRecordColumn(#"Expanded Value", "printouts", {"Has technique"}, {"Has technique"}),
    #"Expanded Has technique" = Table.ExpandListColumn(#"Expanded printouts", "Has technique"),
    #"Expanded Has technique1" = Table.ExpandRecordColumn(#"Expanded Has technique", "Has technique", {"fulltext", "fullurl", "namespace", "exists", "displaytitle"}, {"fulltext.1", "fullurl.1", "namespace.1", "exists.1", "displaytitle.1"})
in
    #"Expanded Has technique1"

 

How to integrate M-code into your solution  -- Check out more PBI- learning resources here

Imke Feldmann (The BIccountant)

If you liked my solution, please give it a thumbs up. And if I did answer your question, please mark this post as a solution. Thanks!

How to integrate M-code into your solution -- How to get your questions answered quickly -- How to provide sample data -- Check out more PBI- learning resources here -- Performance Tipps for M-queries

Message 2 of 3
2,475 Views
Anonymous
Not applicable
In response to ImkeF

‎08-07-2017 01:42 AM

Hello ImKeF,

that was exactly what I was after, thank you very much.

Is it on purpose that PowerBI does not keep the old data set when you update the source?

 

regards

Message 3 of 3
2,097 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All