Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Agora
- Engage Services
- The EPSP Platform
- The ETSP Platform
- Finland
- FortiCare Service Development
- FortiGate-VM on Azure
- FortiGate-VM on AWS
- FortiGate CNF (All Marketplaces)
- FortiWeb Cloud (All Marketplaces)
- Fortinet for SAP
- FortiSIEM
- FortiSOAR
- KCS
- Lacework
- Super User
- Engage Services
- The EPSP Platform
- The ETSP Platform
- Finland
- FortiCare Service Development
- FortiGate-VM on Azure
- FortiGate-VM on AWS
- FortiGate CNF (All Marketplaces)
- FortiWeb Cloud (All Marketplaces)
- Fortinet for SAP
- FortiSIEM
- FortiSOAR
- KCS
- Lacework
- Super User
- Agora
- Blogs
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Agora
- Engage Services
- The EPSP Platform
- The ETSP Platform
- Finland
- FortiCare Service Development
- FortiGate-VM on Azure
- FortiGate-VM on AWS
- FortiGate CNF (All Marketplaces)
- FortiWeb Cloud (All Marketplaces)
- Fortinet for SAP
- FortiSIEM
- FortiSOAR
- KCS
- Lacework
- Super User
- Engage Services
- The EPSP Platform
- The ETSP Platform
- Finland
- FortiCare Service Development
- FortiGate-VM on Azure
- FortiGate-VM on AWS
- FortiGate CNF (All Marketplaces)
- FortiWeb Cloud (All Marketplaces)
- Fortinet for SAP
- FortiSIEM
- FortiSOAR
- KCS
- Lacework
- Super User
- Agora
- Blogs
FortiSOAR Discussions
- Fortinet Community
- Community Groups
- FortiSOAR
- Discussions
- Bulk Indicator
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bulk Indicator
Hi guys,
I am working on a playbook and I need support on something. We get bulk data from a list, we can think of it as a bulk indicator. I am enriching with these IPs (abuseIP, virustotal etc) and in the decision step after reputation, it gives results based on only one IP. How can I overcome this?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ade,
File Content Content solution pack will help you achieve this
Evans Chumba
Evans Chumba
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we do that with jinja?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, this is possible. You create a set variable step to produce a dictionary of IOC's
Evans Chumba
Evans Chumba
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For example, I uploaded 5 ips in the indicator, but when enriching, it takes the first ip and misses the other 4 ips. I have to include them all in the reputation. I want to solve this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you adem for the clarity,
You need to loop through all indicators.
Evans Chumba
Evans Chumba
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello adem,
Herein is the guide to solving the problem, the assumption is the bulk ip IOC's are on the excel.
i) Upload the excel with the Ioc'S/ips on the resources>attachments modules and save
ii) Create a playbook names enrich_ip and add manual start trigger that require no input.
iii) Using excel connector, > list sheets > iput file IRI as recordID
iv) Using excel connector, read the sheet that contains the IOC's. Define the sheet name as the previous step output
v) Using the threat intel connector i.e Virus Total connector loop through the previous step output(List of Extracted ips/IOCs) and get the reputation.
vi) locate the Uploaded excel document with IOCs/IPS under resources>attachments
vii) At the bottom left,locate the created enrich_ip playbook and execute
Evans Chumba
Evans Chumba
Labels
-
FortiSoar
71 -
Connector
8 -
FortiSOAR v7.x
6 -
FortiSOAR v7.6
5 -
SOAR
5 -
playbooks
3 -
Jinja
3 -
Schedule
2 -
FortiSOAR 7.5
2 -
Threat Intel Management
2 -
FortiSOAR 7.4.0
2 -
Data Ingestion
1 -
Forcepoint
1 -
alert
1 -
HybridAnalysis
1 -
poonvert
1 -
Queued Workflow
1 -
FortiSOAR v7.4.x
1 -
Update Record Correlations
1 -
CMDB
1 -
crowdstrike
1 -
ution
1 -
enrichement
1 -
RegionalSOC
1 -
queue and shift management
1 -
Artificial intelligence
1 -
Microsoft Exchange Connector
1 -
Staging
1 -
External Postgresql DB
1 -
Vault
1 -
secret management
1 -
secrets
1 -
Content-Hub
1 -
FortiSOAR Awards
1 -
fields
1 -
related modules
1 -
templates
1 -
FortiSOAR 7.3.x
1 -
FortiSIEM
1 -
FortiGuard
1 -
FortiWeb
1 -
FortiEDR
1 -
upgrade
1 -
Machine Learning
1 -
performance
1 -
Azure
1 -
Admin Access
1 -
License
1 -
Arrow
1 -
Time
1 -
Trial
1 -
FortiSOAR v7.2.x
1 -
ClickHouse
1 -
Upgrading FortiSOAR
1 -
Playbook
1 -
People
1 -
TAXII
1 -
SOC
1 -
secops
1 -
FortiSASE
1 -
C
1 -
Asset
1 -
Threat feed
1 -
indicators
1 -
FortiAnalyzer
1 -
loops
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.