FortiSOAR Discussions
craig
New Contributor II

Assistance with playbook Jinja command

Hi All,

Hope everyone had a great Xmas and New Year break. I'm working on a playbook which reads the Threat Intelligence and formats the fields, but I am getting the validation of the data incorrect. Looking for some advice.

Requirement:

For the pattern field below, I'd like to check the first entry, in this case network-traffic, and whether the type is ipv4-addr; if true, then set the variable to the predefined variable TI_Var_Type_ipv4_addr.

The Jinja used is shown below, but the result is \n\n\n\n\n\n\n\n\.

Could you help me with the correct command?

Failing Command:

{% for item in vars.input.records[0].pattern %}
  {% if item['network-traffic:dst_ref']['type'] == 'ipv4-addr' %}
    {{ vars.TI_Var_Type_ipv4_addr }}
    {# Exit the loop since we found the matching type #}
    {% break %}
  {% endif %}
{% endfor %}

The Pattern:

pattern: [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.234.152' AND network-traffic:dst_port = 59623]
tkanade
Staff

Hi, can you provide the contents of vars.input.records[0]?

tkanade
Staff

\n\n\n\n\n\n\n\n\. indicates the number of iterations done by the loop and is displayed as output for the step executing the loop.
As you are setting a value for TI_Var_Type_ipv4_addr, you should check if any value is set for it. But to set a value to vars.TI_Var_Type_ipv4_addr, you need to do {% set vars.TI_Var_Type_ipv4_addr = item['<some key>'] %} in the loop; then when you access {{ vars.TI_Var_Type_ipv4_addr }} it will show that value.
If you help me with the contents of vars.input.records[0], I can draft a sample playbook.

dspille
Staff

Hey Craig,

The issue here, based on the info provided, seems to be that vars.input.records[0].pattern is a string. Your Jinja - {% if item['network-traffic:dst_ref']['type'] == 'ipv4-addr' %} - is treating the pattern as if it were a dictionary. Since your pattern is a string, you will likely want to use a regex pattern to parse out the IPv4 address if type = 'ipv4-addr'.

This Jinja expression works for me in FortiSOAR:

{# set default value for dst_ref_value #}
{%- set dst_ref_value = "No IPv4 Found" -%}

{# search string for ipv4-addr pattern #}
{%- set type_match = pattern | regex_search("network-traffic:dst_ref.type = 'ipv4-addr'") -%}

{%- if type_match -%}
    {%- set value_match = pattern | regex_findall("network-traffic:dst_ref.value = '([^']+)'") -%}
    {%- if value_match -%}
        {# parse found group which contains ipv4 addr #}
        {%- set dst_ref_value = value_match[0] -%}
    {%- endif -%}
{%- endif -%}

{{ dst_ref_value }}

I am using this JSON:

{
  "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '191.101.234.152' AND network-traffic:dst_port = 59623]"
}

Dylan Spille
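As an added example that is not part of the thread and not FortiSOAR's own filter code, the same "check dst_ref.type first, then pull dst_ref.value" logic written in plain Python, so the behaviour can be tested outside a playbook. It goes a little beyond the thread: instead of two fixed regex lookups it parses every `path = value` comparison in the STIX pattern into a dictionary, and it validates the extracted value with the standard `ipaddress` module so a malformed feed entry falls back to the default rather than flowing into later steps. `SAMPLE_RECORD` is constructed from the JSON in the reply above; the function names and the exact regex are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, copied from the JSON record in the thread (assumption:
# the playbook step receives vars.input.records[0] as a dict like this).
SAMPLE_RECORD = {
    "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND "
               "network-traffic:dst_ref.value = '191.101.234.152' AND "
               "network-traffic:dst_port = 59623]"
}

# One STIX comparison: <object>:<path> = <'quoted string' | integer>
COMPARISON_RE = re.compile(
    r"([A-Za-z0-9_-]+:[A-Za-z0-9_.\-]+)\s*=\s*(?:'([^']*)'|(\d+))"
)


def iterated_items(pattern):
    """What {% for item in pattern %} actually iterates over when the pattern
    is a string: its individual characters, not key/value entries."""
    return [item for item in pattern]


def parse_stix_pattern(pattern):
    """Return {path: value} for every 'path = value' comparison in the pattern.
    Quoted values come back as str, bare integers as int. This is the general
    form of the two regex lookups used in the thread's Jinja."""
    if not isinstance(pattern, str):
        raise TypeError("pattern must be a string, got %s" % type(pattern).__name__)
    result = {}
    for path, quoted, number in COMPARISON_RE.findall(pattern):
        # Only one of the two capture groups is non-empty per match.
        result[path] = quoted if number == "" else int(number)
    return result


def extract_ipv4(pattern, default="No IPv4 Found"):
    """Mirror the thread's Jinja logic: read dst_ref.value only when
    dst_ref.type is 'ipv4-addr', and additionally require the value to be a
    well-formed IPv4 address before returning it."""
    fields = parse_stix_pattern(pattern)
    if fields.get("network-traffic:dst_ref.type") != "ipv4-addr":
        return default
    value = fields.get("network-traffic:dst_ref.value", "")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # e.g. '999.1.1.1' or an empty string from a broken feed entry
        return default
    if addr.version != 4:
        return default
    return str(addr)


if __name__ == "__main__":
    pattern = SAMPLE_RECORD["pattern"]
    print("first three loop items:", iterated_items(pattern)[:3])
    print("parsed fields:", parse_stix_pattern(pattern))
    print("dst_ref_value:", extract_ipv4(pattern))
```

Running it prints the first three characters the original loop would have seen, the parsed comparison dictionary, and `191.101.234.152` for the sample record; a record whose type is not `ipv4-addr` or whose value is not a valid IPv4 address returns `No IPv4 Found`, matching the default in the Jinja template above.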