Good Afternoon Team,
I'm new to FortiSoar and I'm hoping for a bit of enlightenment. I'm intending to pull in data from the Securonix connector and the default Query Violations playbook that came with it. The flow of data is all set up and appears fully functional, I'm just having trouble looping through it to create alerts based on the results.
The "query violations" step will pull in a few dozen events, held in an array. My intention is for each of these events to form its own alert and have fields populated based off of the event data.
For example, the following line will (correctly) pull in the policyname field of the first event in the array.
{{vars.steps.Query_Violations.data.events[0].policyname}}
And then I'd like to repeat that for other appropriate fields. That all works fine for the first event, but then I intend to iterate on to the next event in the array. At this point, things fall apart. In most languages I'm familiar with, I could replace that "0" with a variable, let's say "i", and loop through the array to get all of the events. I haven't been able to replicate that here, and I assume that I am missing something simple. I've been able to make "i" match the correct number, via forming a list based on a similar discussion on this board, declaring it directly as a specific number, and a few other convoluted methods, but even if "i" matches a valid number, the field will always fail to be read correctly if anything other than a number is present.
Examples of non-working attempts:
{{vars.steps.Query_Violations.data.events[i].policyname}}
{{vars.steps.Query_Violations.data.events[vars.i].policyname}}
With no progress on the variable front, I also attempted to try from the opposite direction, to see if a "for each" would treat each part of the array as if it was the [0] record with: for each {{vars.steps.Query_Violations.data.events}} - as you would expect, this just created a few dozen alerts for the event at [0] in the array.
I'm sure I'm missing something obvious as this seems like the simplest, most trivial use of a loop possible - any help is greatly appreciated.
Hi
Yes, you can iterate {{vars.steps.Query_Violations.data.events}} in the "for each" of the "Create Record" step in the playbook and map the "Alert" record fields (name, for example) as {{vars.item.policyname}}, and so on.
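To make the difference between the two approaches concrete, here is a small model of the loop in plain Jinja2, which is the template syntax FortiSOAR uses for {{ }} expressions. This is an added example, not FortiSOAR or Securonix connector code: the event list is constructed sample data, the field names other than policyname (violator, riskscore) are assumptions rather than the connector's schema, and for_each_step is a hypothetical stand-in for what the "for each" option on a Create Record step does (bind each element as vars.item and render the field mappings once per element). It shows the three situations from the thread: an unbound "i" in the index, a fixed [0] index inside a loop, and vars.item inside a loop.

```python
"""Model of the FortiSOAR 'for each' loop in plain Jinja2 (added example).

Requires: pip install jinja2
"""
from jinja2 import Environment, StrictUndefined, TemplateError

# Constructed stand-in for vars.steps.Query_Violations.data.events.
# Field names other than policyname are assumptions, not Securonix's schema.
SAMPLE_EVENTS = [
    {"policyname": "Data Exfiltration", "violator": "alice", "riskscore": 80},
    {"policyname": "Privilege Escalation", "violator": "bob", "riskscore": 65},
    {"policyname": "Rare Process", "violator": "carol", "riskscore": 40},
]

EVENTS_EXPR = "vars.steps.Query_Violations.data.events"

# StrictUndefined makes an unbound name raise instead of silently rendering "".
ENV = Environment(undefined=StrictUndefined)


def render(template_text, **scope):
    """Render one field mapping; return None when a name in it is unbound
    (the "field fails to be read" symptom described in the question)."""
    try:
        return ENV.from_string(template_text).render(**scope)
    except TemplateError:
        return None


def make_vars(events):
    """Build a vars context shaped like the playbook's step output."""
    return {"steps": {"Query_Violations": {"data": {"events": events}}}}


def create_record_step(field_map, vars_):
    """A Create Record step rendered once, with no loop around it."""
    return {field: render(tmpl, vars=vars_) for field, tmpl in field_map.items()}


def for_each_step(items_expr, field_map, vars_):
    """Hypothetical model of 'for each': evaluate items_expr to a list, then
    render the field mappings once per element with that element as vars.item."""
    items = ENV.compile_expression(items_expr)(vars=vars_)
    alerts = []
    for item in items:
        scope = dict(vars_, item=item)  # vars.item is bound per iteration
        alerts.append({field: render(tmpl, vars=scope) for field, tmpl in field_map.items()})
    return alerts


# "i" is never defined in the template scope, so this index cannot resolve.
UNBOUND_INDEX_MAP = {"name": "{{vars.steps.Query_Violations.data.events[i].policyname}}"}

# A fixed index inside a loop: every iteration reads the same first event.
INDEX_ZERO_MAP = {"name": "{{vars.steps.Query_Violations.data.events[0].policyname}}"}

# vars.item inside a loop: each alert is built from its own event.
ITEM_MAP = {
    "name": "{{vars.item.policyname}}",
    "source": "{{vars.item.violator}}",
    "severity": "{{ 'High' if vars.item.riskscore | int >= 70 else 'Medium' }}",
}


def demo(events=SAMPLE_EVENTS):
    """Run the three variants from the thread and return their results."""
    vars_ = make_vars(events)
    return {
        "unbound_index": create_record_step(UNBOUND_INDEX_MAP, vars_),
        "index_zero_in_loop": for_each_step(EVENTS_EXPR, INDEX_ZERO_MAP, vars_),
        "item_in_loop": for_each_step(EVENTS_EXPR, ITEM_MAP, vars_),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

The first variant returns None for the field because "i" is not a name in the template scope; the second produces as many alerts as there are events but all for events[0], which is exactly what the question reports; the third produces one distinct alert per event, which is the vars.item mapping the answer recommends.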
Copyright 2024 Fortinet, Inc. All Rights Reserved.