FortiSOAR Discussions
Varsha1
New Contributor II

FortiSOAR- Playbook creation for extracting multiple events

Hi Team,

 

Trying to extract multiple events with unique values using Jinja, but it picks up only 1 value based on the array we give.

For example: event_data.0.payload

Attached the screenshot FYR:

 

Can you please assist how to call arrays of events with unique using Jinja.

 

image.png

6 REPLIES
srivastavad
Staff

Thanks for reaching out. Here are some tips:

 

Step 1: Before using Jinja, you can extract the unique events from your array and organize them in a format that's easier to work with in Jinja. For example, you can use Python to achieve this.

# Assuming event_data is a list of events
unique_events = set(event_data)
# Now, unique_events contains unique event values

 

Step 2: Pass the pre-processed data to your Jinja template. You can use a dictionary to store this data:

data = {
    'unique_events': unique_events
}

 

Step 3: In your Jinja template, you can loop through the unique events to display them:

<ul>
{% for event in unique_events %}
    <li>{{ event }}</li>
{% endfor %}
</ul>


This way, you can loop through the unique events and display them in your output.

Please let us know if this helps!
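
An added example (not part of the original reply, and not FortiSOAR's own code) of Step 1 for events that are dictionaries carrying a JSON-encoded string in payload, as in event_data.0.payload: it decodes each payload and de-duplicates on chosen fields, since set() cannot hash dictionaries. The helper names flatten, lookup and unique_events, the key fields and the sample events are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the events in this thread: each event's
# "payload" is a JSON document encoded as a string. Values are made up.
def _event(name, file_name):
    payload = {"Operation": "FileDetected", "VirusInfo": "JS/Nemucod.TSO#",
               "SourceFileName": file_name}
    return {"Event_Name": name, "sourceip": "10.0.0.5",
            "payload": json.dumps(payload)}

EVENT_DATA = [
    _event("Suspicious", "assignments (1).zip"),
    _event("File", "assignments (1).zip"),      # same detection, second event
    _event("File", "report.zip"),
]

def flatten(event):
    """Copy the event and decode its JSON-string payload into a dict."""
    out = dict(event)
    try:
        out["payload"] = json.loads(out.get("payload") or "{}")
    except (TypeError, json.JSONDecodeError):
        pass  # already a dict, or not JSON: keep it as delivered
    return out

def lookup(obj, dotted):
    """Resolve 'payload.VirusInfo'-style paths; missing parts give None."""
    for part in dotted.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def unique_events(events, key_fields):
    """Keep the first event for each distinct combination of key_fields."""
    seen, result = set(), []
    for event in map(flatten, events):
        # json.dumps turns dict/list values into hashable strings for `seen`
        key = tuple(json.dumps(lookup(event, f), sort_keys=True)
                    for f in key_fields)
        if key not in seen:
            seen.add(key)
            result.append(event)
    return result

# Same shape as the Step 2 dictionary handed to the template
data = {"unique_events": unique_events(
    EVENT_DATA, ["sourceip", "payload.VirusInfo", "payload.SourceFileName"])}
```

With the payload decoded, the Step 3 loop can read nested values such as {{ event.payload.SourceFileName }} instead of printing the whole event.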

Varsha1
New Contributor II

Hi @srivastavad ,

 

Thank you for the response, I will try this and check.

 

Thanks & regards,

Varsha

JimHube
Staff

Could you post a bit of the JSON data you have so I can take a look at it and maybe help you a little?

Varsha1
New Contributor II

[
{
"payload": "{\"AppAccessContext\":{\"ClientAppId\":\"\",\"ClientAppName\":\"00000007-0000-ce00-000000000000\",\"CorrelationId\":\"\"},\"CreationTime\":\"2023-09-25T18:09:02\",\"Id\":\"*****\",\"Operation\":\"FileDetected\",\"OrganizationId\":\"7***********\",\"RecordType\":6,\"UserKey\":\"i:0i.t|00000003-0000-ce00-000000000000|test\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"*********::100\",\"UserId\":\"test\",\"ApplicationDisplayName\":\"00000007-0000-ce00-000000000000\",\"ApplicationId\":\"00000007-0000-ce00-000000000000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"\",\"BrowserVersion\":\"\",\"CorrelationId\":\"\",\"EventSource\":\"SharePoint\",\"IsManagedDevice\":false,\"ItemType\":\"File\",\"ListId\":\"b376b7e8-30ee-4612-9ad8-0a9ca5eafa17\",\"ListItemUniqueId\":\"c4e3e83d-a6c5-1b128a62f018\",\"Platform\":\"Service\",\"Site\":\"4f084318-060c-4318-9944-e439b654d20f\",\"UserAgent\":\"test\",\"WebId\":\"e51359d5-8868a3759d8d\",\"DeviceDisplayName\":\"*********::100\",\"HighPriorityMediaProcessing\":false,\"ListBaseType\":0,\"ListServerTemplate\":0,\"SourceFileExtension\":\"zip\",\"VirusInfo\":\"JS/Nemucod.TSO#\",\"VirusVendor\":\"Advanced Threat Protection\",\"SiteUrl\":\"https://test_com/\",\"SourceRelativeUrl\":\"Documents/Microsoft Teams Chat Files\",\"SourceFileName\":\"assignments (1).zip\",\"ObjectId\":\"https://test_com//Documents/Microsoft Teams Chat Files/assignments (1).zip\"}",
"sourceip": "10.XX.XX.XX",
"username": "test",
"starttime": 1695665540678,
"Event_Name": "Suspicious",
"Log_Source": "10.XX.XX.XX",
"Category_Name": "Malware Infection",
"destinationip": "20.43.XXX.XXX"
},
{
"payload": "{\"AppAccessContext\":{\"ClientAppId\":\"\",\"ClientAppName\":\"00000007-0000-000000000000\",\"CorrelationId\":\"*****\"},\"CreationTime\":\"2023-09-25T18:09:02\",\"Id\":\"******\",\"Operation\":\"FileDetected\",\"OrganizationId\":\"*****\",\"RecordType\":6,\"UserKey\":\"i:0i.t|00000003-0000-ce00-000000000000|test\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"*******:100\",\"UserId\":\"test\",\"ApplicationDisplayName\":\"00000007-0000-ce00-000000000000\",\"ApplicationId\":\"00000007-0000-ce00-000000000000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"\",\"BrowserVersion\":\"\",\"CorrelationId\":\"4afbdda0-2000-9551-9d83894da0ac\",\"EventSource\":\"SharePoint\",\"IsManagedDevice\":false,\"ItemType\":\"File\",\"ListId\":\"b376b7e8-30ee-4612-9ad8-0a9ca5eafa17\",\"ListItemUniqueId\":\"c4e3e83d-a6c5-1b128a62f018\",\"Platform\":\"Service\",\"Site\":\"4f084318-060c-4318-9944-e439b654d20f\",\"UserAgent\":\"test\",\"WebId\":\"e51359d5-68a3759d8d\",\"DeviceDisplayName\":\"***::100\",\"HighPriorityMediaProcessing\":false,\"ListBaseType\":0,\"ListServerTemplate\":0,\"SourceFileExtension\":\"zip\",\"VirusInfo\":\"JS/Nemucod.TSO#\",\"VirusVendor\":\"Advanced Threat Protection\",\"SiteUrl\":\"https://test_com///\",\"SourceRelativeUrl\":\"Documents/Microsoft Teams Chat Files\",\"SourceFileName\":\"assignments (1).zip\",\"ObjectId\":\"https://test_com///Documents/Microsoft Teams Chat Files/assignments (1).zip\"}",
"sourceip": "10.XX.XX.XX",
"username": "test",
"starttime": 1695665539307,
"Event_Name": "File",
"Log_Source": "test",
"Category_Name": "Malware Infection",
"destinationip": "20.43.XXX.XXX"
}
]

Varsha1
New Contributor II

Hi @JimHube , I have shared the JSON. I need to have 2 event data to be called within same template.

 

Thanks & regards,

Varsha

JimHube

Hi Varsha,

  Sorry about the delay. Can you tell me what you're looking for here? Your message states "Can you please assist how to call arrays of events with unique using Jinja" but also "I need to have 2 event data to be called within same template." I'm not certain what you're trying to get out of this JSON. Can you tell me the response you'd like the template to generate when it's working using the JSON you provided? Once I understand what you're looking for, I can work on getting you the right template or at least show you how to get what you need.