Help
FortiSOAR Discussions
shashankkumar
New Contributor II

Created on ‎11-28-2023 10:33 PM

Unable to enrich multiple IPs in VirusTotal.

Hello,

 

I am getting multiple destination IPs under Q-Radar event data payload and I have extracted all of them using regex and stored under key "DestIP" using set variable action.

 

Below is a sample of IPs output I am extracting and storing (have replaced original IPs with 0.0.0.0, here on community portal)

 

"
[
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"0.0.0.0"
]
"

 

Now I want to pass all these IPs at once to virus total and get the reputation score as a result. How should I use the for each loop here and achive this requirement . 

 

Shashank. 

Shashank
Shashank
Labels:
667
0 Kudos
3 REPLIES 3
Stephen_G
Moderator
Moderator

Created on ‎11-30-2023 04:05 AM

Hi shashankkumar,

 

I have moved your thread to the FortiSOAR Community Group's Discussions board, as I think you'll have a better chance of getting an answer here. I hope that helps.

 

Kind regards,

Stephen - Fortinet Community Team
614
rkhune
Staff
Staff

Created on ‎12-17-2023 11:08 PM

You can execute the connector step in a loop to get a reputation for multiple IP Addresses. Please check the attached playbook for guidance.

However, it is recommended to follow the standard flow for indicator enrichment.
  • When creating an alert in your use case, it's advised to include a comma-separated list of IPs in the "Destination IP" field or the list of IPs in the "IP Addresses" field of the alert.
  • This way, the OOB playbooks for indicator extraction and enrichment will automatically create and enrich the indicator records for these IPs and correlate them with the alert.
Playbook - Get Reputation for Multiple IP Addresses.json
530
0 Kudos
MuhammadFaruqi1
New Contributor III

Created on ‎08-13-2024 05:00 AM

Hi Experts! 

I want to add one point for performing IP Reputation of bulk IPs on multiple threat intel platforms. Like, if i want to get the latest reputation of say, 10 IPs, from Virustotal, Fortiguard Threat intel, Kasperksy Threat Intel. (I have already installed and configured the connectors for these threat intel platforms)
Please note that these Ips have added earlier in the SOAR, lets say a month back, as a result of ingestion from SIEM or manually added as a result of a received threat advisory.

 

Regards,

MBF

MFaruqi
MFaruqi
220
0 Kudos
Announcements

Welcome to your new FortiSOAR Community!

View More

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.