Skip to main content
craig
craig
Explorer
January 3, 2024
Question

Assistance with playbook Jinja command

  • January 3, 2024
  • 3 replies
  • 2049 views

Hi All,

 

Hope everyone had a great xmas and new year break. I'm working on playbook which reads the Threat Intelligence and formats the fields but am getting the validation of the data incorrect. Looking for some advice.

 

Requirement:

For the pattern field below, I'd like to check the first entry, in this case network-traffic and the type is ipv4-addr and if true, then set the variable to the predefined variable of TI_Var_Type_ipv4_addr.

The jinja used is shown below, but the result is \n\n\n\n\n\n\n\n\.

Could you help me with the correct command?

 

Failing Command:

{% for item in vars.input.records[0].pattern %}

{% if item['network-traffic:dst_ref']['type'] == 'ipv4-addr' %}
{{vars.TI_Var_Type_ipv4_addr}}

{% break %}
{# Exit the loop since we found the matching type #}
{% endif %}

{% endfor %}

 

The Pattern:

 

pattern
:
[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.234.152' AND network-traffic:dst_port = 59623]

    3 replies

    tkanade
    Staff
    tkanade
    Staff
    January 3, 2024

    Hi, can you provide contents of vars.input.records[0] 

    tkanade
    Staff
    tkanade
    Staff
    January 3, 2024

    \n\n\n\n\n\n\n\n\. -- indicates number of iterations done by loop and is displayed as output for step executing loop.
    As you are setting value for TI_Var_Type_ipv4_addr, you should check if any value set for it. But to set value to  vars.TI_Var_Type_ipv4_addr, you need to do {% set vars.TI_Var_Type_ipv4_addr = item.[<some key>] %} in loop, then when you access {{vars.TI_Var_Type_ipv4}} it will show that value.
    If you help me with contents of vars.input.records[0], i can draft a sample playbook

    dspille
    Staff
    dspille
    Staff
    January 3, 2024

    Hey Craig,

     

    The issue here based on the info provided seems to be that vars.input.records[0].pattern is a string. Your jinja - {% if item['network-traffic:dst_ref']['type'] == 'ipv4-addr' %} is treating the pattern as if it were a dictionary.  Since your pattern is a string, you will likely want to use a regex pattern to parse out the ipv4 address if type= 'ipv4-addr'

     

    This jinja expression works for me in FortiSOAR

    {# set default value for dst_ref_value #} {%- set dst_ref_value = "No IPv4 Found" -%}  {# search string for ipv4-addr pattern #} {%- set type_match = pattern | regex_search("network-traffic:dst_ref.type = 'ipv4-addr'") -%}  {%- if type_match -%}     {%- set value_match = pattern | regex_findall("network-traffic:dst_ref.value = '([^']+)'") -%}     {%- if value_match -%}         {# parse found group which contains ipv4 addr #}         {%- set dst_ref_value = value_match[0] -%}     {%- endif -%} {%- endif -%}  {{ dst_ref_value }}

     

    I am using this JSON - 

    {
    "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.234.152' AND network-traffic:dst_port = 59623]"
    }

     

     




      Terms & ConditionsCookie settingsAccessibility statement