Is there any Jinja filter or API endpoint that would return "true" or "false" for the query "Are all indicators for the alert or incident enriched or not?"
I want to avoid a scheduled playbook and am looking for inbuilt support to know the enrichment status of all indicators for an alert or incident.
The use case is to evaluate a condition on whether all Indicators are enriched, without using a "find records" step.
Hi Malaya,
What is the context of this playbook?
A. Are you looking to trigger the playbook when the final related indicator has its enrichmentStatus set to "Completed"? In this case, you would need to have a playbook that runs On Update of Indicators when enrichmentStatus changes, that loads all related open alerts and checks their related indicators for Completed.
B. Or are you already in a playbook and you need to check a list of indicators to see if all are Completed? You can use this to return True if all indicators are enriched: ``{{ vars.indicatorList | json_query("[?enrichmentStatus.itemValue!=`Completed`]") | length == 0 }}``
C. Or do you have an alert in a playbook and you need to check if the related indicators are enriched? If you don't already have the indicators loaded, you will need to use a Find Record step like this:
And then you will need to check if `{{ vars.result | length == 0 }}`, which will be true if all indicators are enriched.
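As an added example (not part of the original post), a plain Python equivalent of the json_query check from option B, run over constructed indicator records; the `enrichmentStatus.itemValue` field shape comes from the answer above, the sample values are made up, and the code covers the missing-status and empty-list edge cases.

```python
from typing import Any, Iterable

# Constructed sample of FortiSOAR-style indicator records. Assumption: the
# enrichmentStatus picklist is returned as an object with its label in itemValue.
SAMPLE_INDICATORS = [
    {"value": "203.0.113.10", "enrichmentStatus": {"itemValue": "Completed"}},
    {"value": "bad.example.test", "enrichmentStatus": {"itemValue": "In Progress"}},
    {"value": "another.example.test", "enrichmentStatus": None},  # never enriched
]


def not_completed(indicators: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Mirror of json_query("[?enrichmentStatus.itemValue!=`Completed`]").

    JMESPath resolves a missing or null enrichmentStatus to null, and
    null != 'Completed' is true, so records with no status are kept as pending.
    """
    pending = []
    for ind in indicators:
        status = ind.get("enrichmentStatus") or {}
        if status.get("itemValue") != "Completed":
            pending.append(ind)
    return pending


def all_enriched(indicators: Iterable[dict[str, Any]]) -> bool:
    """Equivalent of `... | length == 0`.

    Caveat: an empty list yields True, so an alert with no related indicators
    passes this check exactly as the Jinja expression would.
    """
    return len(not_completed(list(indicators))) == 0


if __name__ == "__main__":
    print("all enriched:", all_enriched(SAMPLE_INDICATORS))
    print("pending:", [i["value"] for i in not_completed(SAMPLE_INDICATORS)])
```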
Copyright 2024 Fortinet, Inc. All Rights Reserved.