FortiSOAR Discussions
shashankkumar
New Contributor

Unable to enrich multiple IPs in VirusTotal.

Hello,

 

I am getting multiple destination IPs under Q-Radar event data payload and I have extracted all of them using regex and stored under key "DestIP" using set variable action.

 

Below is a sample of IPs output I am extracting and storing (have replaced original IPs with 0.0.0.0, here on community portal)

 

"
[
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0"
]
"

 

Now I want to pass all these IPs at once to virus total and get the reputation score as a result. How should I use the for each loop here and achive this requirement . 

 

Shashank. 

Shashank
Shashank
3 REPLIES 3
Stephen_G
Moderator
Moderator

Hi shashankkumar,

 

I have moved your thread to the FortiSOAR Community Group's Discussions board, as I think you'll have a better chance of getting an answer here. I hope that helps.

 

Kind regards,

Stephen - Fortinet Community Team
rkhune
Staff
Staff

You can execute the connector step in a loop to get a reputation for multiple IP Addresses. Please check the attached playbook for guidance.

However, it is recommended to follow the standard flow for indicator enrichment.
  • When creating an alert in your use case, it's advised to include a comma-separated list of IPs in the "Destination IP" field or the list of IPs in the "IP Addresses" field of the alert.
  • This way, the OOB playbooks for indicator extraction and enrichment will automatically create and enrich the indicator records for these IPs and correlate them with the alert.
MuhammadFaruqi1
New Contributor III

Hi Experts! 

I want to add one point for performing IP Reputation of bulk IPs on multiple threat intel platforms. Like, if i want to get the latest reputation of say, 10 IPs, from Virustotal, Fortiguard Threat intel, Kasperksy Threat Intel. (I have already installed and configured the connectors for these threat intel platforms)
Please note that these Ips have added earlier in the SOAR, lets say a month back, as a result of ingestion from SIEM or manually added as a result of a received threat advisory.

 

Regards,

MBF

MFaruqi
MFaruqi