FortiSOAR Discussions
malayamanas_FTNT

Shortcut to know whether all the correlated indicators for an Alert or Incident are "Enriched"

Is there any Jinja filter or API endpoint that would return "true" or "false" for the query "Are all indicators for the alert or incident enriched or not?"

I want to avoid a scheduled playbook and am looking for inbuilt support to know the enrichment status of all indicators for an alert or incident.

The use case is to evaluate a condition on whether all indicators are enriched, without using a "Find Records" step.

MALAYA MANAS PANDA
Professional Services Consultant
ccarsey
Staff

Hi Malaya,
What is the context of this playbook?

A. Are you looking to trigger the playbook when the final related indicator has its enrichmentStatus set to "Completed"? In this case, you would need to have a playbook that runs On Update of Indicators when enrichmentStatus changes, that loads all related open alerts and checks their related indicators for Completed.
B. Or are you already in a playbook and you need to check a list of indicators to see if all are Completed? You can use this to return True if all indicators are enriched: `` {{ vars.indicatorList | json_query("[?enrichmentStatus.itemValue!=`Completed`]") | length == 0 }} ``
C. Or do you have an alert in a playbook and you need to check if the related indicators are enriched? If you don't already have the indicators loaded, you will need to use a Find Record step like this:

[Screenshot: Find Record step configuration (Screenshot 2023-12-20 at 09.01.07.png)]

And then you will need to check if `{{ vars.result | length == 0 }}`, which will be true if all indicators are enriched.

Chris

Principal Software Development Engineer - FortiSOAR
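The check from option B (and the equivalent `length == 0` test on the Find Record result in option C), carried through on constructed records as an added example that is not part of Chris's reply or of FortiSOAR itself: a pure-Python stand-in for the `json_query(...) | length == 0` expression, with no jmespath dependency, using the `enrichmentStatus.itemValue` path from the reply. It also shows two edge cases the expression handles silently: a record with no enrichmentStatus at all counts as still pending, and an empty list yields True.

```python
from typing import Any, Iterable

# Constructed sample records shaped like FortiSOAR indicator rows as the reply
# refers to them: enrichmentStatus is a picklist object carrying an itemValue.
SAMPLE_INDICATORS = [
    {"value": "198.51.100.7", "enrichmentStatus": {"itemValue": "Completed"}},
    {"value": "example.invalid", "enrichmentStatus": {"itemValue": "Completed"}},
]


def pending_enrichment(indicators: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Mirror of json_query("[?enrichmentStatus.itemValue!=`Completed`]").

    JMESPath resolves a missing key (or missing sub-key) to null, and
    null != 'Completed' is true, so a record with no enrichmentStatus is
    returned as pending. For an "all enriched?" gate that is the safe outcome.
    """
    pending: list[dict[str, Any]] = []
    for record in indicators:
        status_field = record.get("enrichmentStatus") or {}
        status = status_field.get("itemValue") if isinstance(status_field, dict) else None
        if status != "Completed":
            pending.append(record)
    return pending


def all_enriched(indicators: Iterable[dict[str, Any]]) -> bool:
    """Equivalent of the trailing `| length == 0` in the reply's expression.

    Vacuous-truth edge: an empty list (an alert with no linked indicators, or a
    Find Record step that matched nothing) also returns True, so a playbook
    condition built this way should decide separately whether "no indicators"
    should count as "all enriched".
    """
    return len(pending_enrichment(list(indicators))) == 0


if __name__ == "__main__":
    print("sample all enriched:", all_enriched(SAMPLE_INDICATORS))
    print("empty list:", all_enriched([]))
```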