FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
jankit6
Staff
Article Id 363497
Description This article describes how to fix invalid pattern issues while consuming the Threat Feeds using the TAXII protocol.
Scope FortiSOAR, Threat Intel Management Solution Pack version <= 1.2.2.
Solution

'Fortinet FortiGuard Threat Intelligence' data ingestion gets configured automatically while installing the 'Threat Intel Management' solution pack on the FortiSOAR system.

 

As a result, 'Fortinet FortiGuard Threat Intelligence' data ingestion playbooks are created that contain the jinja value '{{vars.item.pattern | toJSON}}'. This leads to incorrect characters being added to the pattern field when creating the 'Threat Intel Feeds' record in FortiSOAR.

Follow the steps below to fix this:

 

  1. Navigate to Automation -> Playbooks -> Enable 'Include System Collection' -> Search for 'Fortinet FortiGuard Threat Intelligence'.

  2. Select the below collection:

    Fortinet FortiGuard Threat Intelligence 3.1.0 config2Ingestion(e02562a9-a719-4081-ac83-3dfebbb66422)(2)

  3. Edit '-> FortiGuard Threat Intelligence -> Fetch and Create' playbook.

  4. Edit the 'Create Record' step -> Replace the jinja as below in the pattern field -> Save the playbook.

    Pattern: {{vars.item.pattern}}
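
To illustrate why the 'toJSON' filter corrupts the pattern field, the following added example (not FortiSOAR or solution pack code) uses Python's json.dumps as an assumed stand-in for the filter and shows a check for stored patterns that carry the extra characters. The function names, record ids and sample STIX-style patterns are constructed for illustration.

```python
import json

def to_json_filter(value):
    # Assumed stand-in for the playbook's toJSON filter: plain JSON serialization.
    return json.dumps(value)

def is_json_encoded_pattern(stored):
    # A corrupted value is a JSON string literal whose content is a STIX pattern.
    s = stored.strip()
    if len(s) < 2 or not (s.startswith('"') and s.endswith('"')):
        return False
    try:
        decoded = json.loads(s)
    except ValueError:
        return False
    return isinstance(decoded, str) and decoded.lstrip().startswith("[")

def repair_pattern(stored):
    # Undo one layer of JSON encoding; leave clean patterns untouched.
    return json.loads(stored.strip()) if is_json_encoded_pattern(stored) else stored

def audit(records):
    # records: {record_id: stored pattern}; returns {record_id: repaired pattern} for bad ones.
    return {rid: repair_pattern(p) for rid, p in records.items()
            if is_json_encoded_pattern(p)}

# Constructed sample patterns (documentation address space, hypothetical path).
RAW_IP = "[ipv4-addr:value = '198.51.100.7']"
RAW_DIR = r"[directory:path = 'C:\\Temp']"

if __name__ == "__main__":
    for raw in (RAW_IP, RAW_DIR):
        print("raw     :", raw)
        print("toJSON  :", to_json_filter(raw))
    stored = {"feed-1": to_json_filter(RAW_IP), "feed-2": RAW_DIR}
    print("to fix  :", audit(stored))
```

The serialized value gains surrounding double quotes and doubled backslashes, so it no longer matches the pattern delivered by the feed.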

 
