adem_netsys
Explorer III
August 8, 2025
Question

Bulk Indicator

  • August 8, 2025
  • 2 replies
  • 765 views

Hi guys,

I am working on a playbook and I need support on something. We get bulk data from a list; we can think of it as a bulk indicator. I am enriching these IPs (AbuseIP, VirusTotal, etc.), and in the decision step after reputation it gives results based on only one IP. How can I overcome this?

    2 replies

    Echumba
    New Member
    August 8, 2025
    adem_netsys
    Explorer III
    August 8, 2025

    Can we do that with Jinja?

    Echumba
    New Member
    August 8, 2025

    Yes, this is possible. You create a Set Variable step to produce a dictionary of IOCs.

    Echumba
    New Member
    August 8, 2025

    Hello adem,

    Herein is the guide to solving the problem; the assumption is that the bulk IP IOCs are in an Excel file.

    i) Upload the Excel file with the IOCs/IPs under Resources > Attachments and save.

    (screenshot: 11.jpg)

    ii) Create a playbook named enrich_ip and add a manual start trigger that requires no input.

    (screenshot: 12.jpg)

    iii) Using the Excel connector, List Sheets > input the file IRI as recordID.

    (screenshot: 13.jpg)

    iv) Using the Excel connector, read the sheet that contains the IOCs. Define the sheet name as the previous step's output.

    (screenshot: 15.jpg)

    v) Using the threat intel connector, i.e. the VirusTotal connector, loop through the previous step's output (the list of extracted IPs/IOCs) and get the reputation.

    (screenshot: 40.jpg)

    vi) Locate the uploaded Excel document with the IOCs/IPs under Resources > Attachments.

    vii) At the bottom left, locate the created enrich_ip playbook and execute it.

    (screenshot: 20.jpg)
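The pattern behind both of Echumba's replies (build one dictionary of IOCs, then let the decision step judge the whole batch rather than the last connector result) is modelled below in plain Python as an added example; it is not code from the thread, from FortiSOAR, or from any connector. The sheet rows and reputation scores are constructed sample data, `lookup_reputation()` is a hypothetical stand-in for the VirusTotal/AbuseIP connector step, and the malicious-count threshold is an assumption chosen for the example.

```python
"""
Added example: the aggregate-then-decide shape of the enrich_ip playbook.

Steps mirrored here:
  - read the IOC column out of the uploaded sheet (Excel connector, step iv)
  - loop over every IP and enrich it (threat intel connector, step v)
  - collect all verdicts into ONE dictionary (the Set Variable step)
  - run the decision over that dictionary instead of a single IP result
"""
import csv
import io
import ipaddress

# Constructed sample sheet, as a "read sheet" step might hand it over once
# exported to CSV. Contains a duplicate and a typo on purpose.
SAMPLE_SHEET_CSV = """ip,source
198.51.100.7,phishing-feed
203.0.113.42,phishing-feed
198.51.100.7,blocklist
not-an-ip,typo
192.0.2.10,blocklist
"""

# Constructed reputation responses standing in for live connector output.
SAMPLE_REPUTATION = {
    "198.51.100.7": {"malicious": 12, "harmless": 50},
    "203.0.113.42": {"malicious": 0, "harmless": 70},
    "192.0.2.10": {"malicious": 3, "harmless": 60},
}

# Assumed decision threshold: engines flagging the IP as malicious.
MALICIOUS_THRESHOLD = 2


def extract_ips(sheet_csv: str, column: str = "ip") -> list[str]:
    """Pull the IOC column from the sheet, dropping duplicates and values
    that are not valid IP addresses so one typo cannot break the batch."""
    seen = set()
    ips = []
    for row in csv.DictReader(io.StringIO(sheet_csv)):
        raw = (row.get(column) or "").strip()
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue  # skip malformed cells rather than failing the loop
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


def lookup_reputation(ip: str) -> dict:
    """Hypothetical stand-in for the threat-intel connector call."""
    return SAMPLE_REPUTATION.get(ip, {"malicious": 0, "harmless": 0})


def enrich_batch(ips: list[str]) -> dict[str, dict]:
    """The loop step: enrich every IP and keep every result keyed by IP.
    Returning only the last lookup is exactly what makes a downstream
    decision step see a single IP."""
    results = {}
    for ip in ips:
        rep = lookup_reputation(ip)
        verdict = "malicious" if rep["malicious"] >= MALICIOUS_THRESHOLD else "clean"
        results[ip] = {"malicious": rep["malicious"], "verdict": verdict}
    return results


def decide(results: dict[str, dict]) -> dict:
    """The decision step, evaluated over the whole enriched dictionary."""
    bad = sorted(ip for ip, r in results.items() if r["verdict"] == "malicious")
    return {
        "total": len(results),
        "malicious_count": len(bad),
        "malicious_ips": bad,
        "escalate": bool(bad),
    }


def run_playbook(sheet_csv: str = SAMPLE_SHEET_CSV) -> dict:
    """End-to-end: sheet -> IP list -> per-IP enrichment -> batch decision."""
    return decide(enrich_batch(extract_ips(sheet_csv)))


if __name__ == "__main__":
    print(run_playbook())
```

In a real playbook the three functions correspond to separate steps, and the important part is that the decision step's condition references the aggregated dictionary produced by the Set Variable step, not the output of the single connector execution that ran last inside the loop.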