alexanderchance
New Member
October 15, 2024
Solved

Populate alert with filehash/filepath etc

Hello,


I am new to FortiSOAR and need some help understanding how to achieve one of my use cases.

I am getting alerts from Microsoft Defender for Endpoint through Data Ingestion and all is well on that front. However, when an alert indicates that a suspicious file has been observed, I want to add the filename, file hash and so on to the alert with a playbook. This is where I struggle.


I need some pointers to know HOW to get the information from the Sourcedata to populate the alert itself. I have tried by looping through the objects array but I can't get it working.

I can provide screenshots and config if needed.

Thanks in advance

Alexander

1 reply

alexanderchance (Author, accepted answer)
New Member
October 18, 2024

My problem was that the Update record step was not using the correct Record IRI, when I used the actual Record IRI it worked as intended.
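The accepted answer pins the fix on the record IRI, but the thread never shows the data-handling side of the use case (pulling file evidence out of the alert's Source Data and pairing it with the right record IRI for an Update Record step). The block below is an added example, not code from the original thread or from FortiSOAR. It models both halves in plain Python: the sample Defender alert is constructed here and follows the public Defender for Endpoint alerts API shape (an `evidence` list whose entries carry `entityType`, `fileName`, `filePath`, `sha1`, `sha256`); the record dictionary, its `@id` key as the IRI, the `sourcedata` field name and the target field names `filename`, `filehash` and `filepath` are all assumptions chosen for illustration and must be mapped to the fields that actually exist in your alert module.

```python
import json

# Constructed sample: a Defender for Endpoint alert as it might sit in the
# alert's Source Data after ingestion. Hash values are obviously fake fillers.
SAMPLE_SOURCE_DATA = json.dumps({
    "id": "placeholder-alert-id",
    "title": "Suspicious file observed",
    "severity": "Medium",
    "evidence": [
        {"entityType": "User", "accountName": "jdoe"},
        {"entityType": "File", "fileName": "invoice.exe",
         "filePath": "C:\\Users\\jdoe\\Downloads",
         "sha1": "a" * 40, "sha256": "b" * 64},
        {"entityType": "File", "fileName": "helper.dll",
         "filePath": "C:\\Temp", "sha256": "c" * 64},
    ],
})

# Constructed stand-in for the FortiSOAR alert record the playbook is acting on.
# "@id" holding the record IRI is an assumption for this example.
SAMPLE_RECORD = {
    "@id": "/api/3/alerts/00000000-0000-0000-0000-000000000000",
    "name": "MDE: Suspicious file observed",
    "sourcedata": SAMPLE_SOURCE_DATA,
}


def file_evidence(source_data):
    """Return only the File entries of the evidence array.

    Source Data may arrive as a JSON string or as an already-parsed dict;
    both are handled, and an alert without evidence yields an empty list.
    """
    data = json.loads(source_data) if isinstance(source_data, str) else source_data
    return [e for e in data.get("evidence", []) if e.get("entityType") == "File"]


def best_hash(entry):
    """Prefer SHA-256, fall back to SHA-1, else empty string."""
    return entry.get("sha256") or entry.get("sha1") or ""


def build_update(record):
    """Build (record_iri, payload) for an Update Record step.

    The IRI is read from the record itself so the update targets the record
    that triggered the playbook (the bug described in the thread was using
    the wrong IRI). Payload keys are assumed custom fields on the alert module.
    """
    iri = record["@id"]
    files = file_evidence(record.get("sourcedata", {}))
    if not files:
        return iri, {}
    primary = files[0]
    payload = {
        "filename": primary.get("fileName", ""),
        "filepath": primary.get("filePath", ""),
        "filehash": best_hash(primary),
        # Keep every observed file hash so secondary artefacts are not lost.
        "all_file_hashes": [best_hash(f) for f in files if best_hash(f)],
    }
    return iri, payload


if __name__ == "__main__":
    target_iri, fields = build_update(SAMPLE_RECORD)
    print(target_iri)
    print(json.dumps(fields, indent=2))
```

Inside a playbook the same logic would be expressed with Jinja against the step's input record, or run as Python in a code-snippet style step; either way, the two things this example checks for are the ones that matter: the update goes to the IRI of the triggering record, and the File entries are filtered out of the evidence array rather than assuming the first object is the file.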