FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
Article Id 285170

This article describes how to exclude IPs/domains in the FortiSOAR UI using Global Variables.

Scope: FortiSOAR 5.x, 6.x, 7.x.

Excluding management IPs during alert correlation and other security processes is important because these IP addresses are typically used for monitoring and managing network devices. Including them in correlation can lead to false positives, as legitimate management activities may trigger alerts. By excluding management IPs, security teams can focus on real threats and reduce noise in monitoring and detection systems, improving the accuracy and effectiveness of their security operations.


Global Variables in FortiSOAR are system-wide data containers that store values for use across different playbooks, scripts, or integrations. These variables provide a convenient way to share and access information universally, streamlining workflow automation and enhancing data consistency and efficiency within the FortiSOAR platform.


In this example, global variables have already been defined in FortiSOAR to exclude IP addresses, URLs, and domains.


To configure these variables, follow these steps:



  1. Navigate to the Playbook designer page and click on 'Tools' -> 'Global Variables'.
  2. On the Global Variables page, search for the 'Exclude_IPs' variable.
  3. Update the whitelisted or excluded IP addresses, separating them with commas, and then save the changes.
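
Because every address in 'Exclude_IPs' is one that correlation will ignore, it is worth checking the comma-separated value before saving it. The Python sketch below is an added example, not FortiSOAR code: it parses such a value, rejects entries that are not single IP addresses, removes duplicates, and shows which alert IPs the list would suppress. The function names and sample values are constructed for illustration, and treating only single addresses as valid is an assumption, since this article does not say whether ranges are accepted.

```python
import ipaddress


def parse_exclude_ips(raw):
    """Split a comma-separated Exclude_IPs value into (valid, rejected)."""
    valid, rejected, seen = [], [], set()
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate trailing commas and doubled separators
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            rejected.append(token)  # hostnames, CIDR ranges, typos
            continue
        if addr not in seen:  # drop duplicates, keep first-seen order
            seen.add(addr)
            valid.append(addr)
    return valid, rejected


def split_indicators(indicators, excluded):
    """Partition alert IPs into (kept, suppressed) against the exclusion list."""
    excluded = set(excluded)
    kept, suppressed = [], []
    for value in indicators:
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            kept.append(value)  # never silently drop what cannot be parsed
            continue
        (suppressed if addr in excluded else kept).append(value)
    return kept, suppressed


# Constructed sample data using documentation address ranges.
SAMPLE_VALUE = ("192.0.2.10, 192.0.2.11,,198.51.100.0/24, "
                "192.0.2.10, mgmt-host, 2001:db8::1")
SAMPLE_ALERT_IPS = ["192.0.2.10", "203.0.113.7",
                    "2001:DB8:0:0:0:0:0:1", "not-an-ip"]

if __name__ == "__main__":
    valid, rejected = parse_exclude_ips(SAMPLE_VALUE)
    print("Value to save:", ",".join(str(a) for a in valid))
    print("Rejected entries:", rejected)
    kept, suppressed = split_indicators(SAMPLE_ALERT_IPS, valid)
    print("Kept for correlation:", kept)
    print("Suppressed by exclusion list:", suppressed)
```

Comparing parsed addresses rather than raw strings means an IPv6 address written in a different but equivalent form still matches its entry in the list.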