FortiSOAR Discussions
shashankkumar
New Contributor

Unable to enrich multiple IPs in VirusTotal.

Hello,

I am getting multiple destination IPs under Q-Radar event data payload and I have extracted all of them using regex and stored under key "DestIP" using set variable action.

Below is a sample of IPs output I am extracting and storing (have replaced original IPs with 0.0.0.0, here on community portal)

"
[
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0"
]
"

Now I want to pass all these IPs at once to VirusTotal and get the reputation score as a result. How should I use the for each loop here and achieve this requirement?

Shashank. 

Stephen_G
Moderator

Hi shashankkumar,

I have moved your thread to the FortiSOAR Community Group's Discussions board, as I think you'll have a better chance of getting an answer here. I hope that helps.

Kind regards,

Stephen - Fortinet Community Team
rkhune
Staff

You can execute the connector step in a loop to get a reputation for multiple IP Addresses. Please check the attached playbook for guidance.

However, it is recommended to follow the standard flow for indicator enrichment.
  • When creating an alert in your use case, it's advised to include a comma-separated list of IPs in the "Destination IP" field or the list of IPs in the "IP Addresses" field of the alert.
  • This way, the OOB playbooks for indicator extraction and enrichment will automatically create and enrich the indicator records for these IPs and correlate them with the alert.
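As an added example (not code from this thread, the attached playbook, or FortiSOAR itself), here is the per-IP enrichment loop from the reply written as plain Python. It assumes a constructed QRadar-style payload with "destinationip" keys, uses a caller-supplied `lookup` function in place of the VirusTotal connector step, de-duplicates and validates the extracted IPs before looping, and also builds the comma-separated "Destination IP" string for the recommended alert-field path.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed QRadar-style payload (not a real event). It contains a duplicate
# and a malformed "999.1.1.1" that a bare IPv4 regex would still match.
SAMPLE_PAYLOAD = (
    '{"events":[{"sourceip":"10.0.0.5","destinationip":"203.0.113.10"},'
    '{"sourceip":"10.0.0.5","destinationip":"198.51.100.7"},'
    '{"sourceip":"10.0.0.5","destinationip":"203.0.113.10"},'
    '{"sourceip":"10.0.0.5","destinationip":"999.1.1.1"}]}'
)
DEST_IP_RE = re.compile(r'"destinationip"\s*:\s*"([^"]+)"')


def extract_dest_ips(payload: str) -> List[str]:
    # Same job as the "DestIP" set-variable step, plus de-duplication (order kept)
    # and a real address check, so the loop never sends junk to the connector.
    ips: List[str] = []
    for raw in DEST_IP_RE.findall(payload):
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue
        if ip not in ips:
            ips.append(ip)
    return ips


def enrich_ips(ips: List[str], lookup: Callable[[str], Dict]) -> Dict[str, Dict]:
    # The for-each body: one connector call per IP. `lookup` is an assumed stand-in
    # for the VirusTotal step; a failure on one IP is recorded, not allowed to abort the loop.
    results: Dict[str, Dict] = {}
    for ip in ips:
        try:
            results[ip] = lookup(ip)
        except Exception as exc:
            results[ip] = {"error": str(exc)}
    return results


def flagged(results: Dict[str, Dict], min_malicious: int = 1) -> List[str]:
    # IPs whose malicious-vendor count meets the threshold; errored lookups are skipped.
    return [ip for ip, r in results.items() if r.get("malicious", 0) >= min_malicious]


def destination_ip_field(ips: List[str]) -> str:
    # Comma-separated form for the alert's "Destination IP" field, the recommended
    # path where the OOB extraction/enrichment playbooks handle the IPs themselves.
    return ",".join(ips)
```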