In order to provide feedback to the user running a playbook, we devised a "running log" of sorts for when we run Intelligence Enrichment playbooks against an alert. Although any results found are attached and related to the source alert, this log shows at a glance which Intel sources were run, when they ran, and how many results each found.
When starting the action playbook from the alert, you'll need to collect the current value of the "running log" field using a Set Variable step. We named ours intelenrichment. You'll need to grab the source alert ID as well.
input_log = {{vars.request.data.records[0].intelenrichment}}
input_alertID = {{vars.request.data.records[0]['@id']}}
NOTE: if you are using a map playbook to iterate through multiple selected input records, the value will be "{{vars.loop_resource.intelenrichment}}" where the map playbook collection is "{{vars.request.data.records}}". The same goes for the @id field.
Next build out your playbook and API calls or connectors. At the end of the playbook (we did it at the end of the action playbook) you can put in a step to "Update Resource".
The screenshot cut off the syntax for the resource. Here it is in full:
{ "intelenrichment": "
<p style='color:LightSeaGreen;'>
<hr>
=== Source: HybridAnalysis ===<br>
== Time: {{arrow.get().to('UTC').format('YYYY-MM-DD HH:mm:ss ZZ')}} ==<br>
== Total of {{vars.event_count_total}} Found, Returned Top {{vars.event_count_returned}} Based on Date ==<br>
== Added by {{vars.playbook_run_by_firstname}} {{vars.playbook_run_by_lastname}} ==<br>
</p> <p> Found Results and Inserted Into Intel Search Results </p>
<p> {{vars.input_intelenrichment}} </p>
" }
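To make the prepend-and-write-back pattern concrete outside the playbook editor, here is an added Python example (not from the original post and not FortiSOAR code). It renders the same entry shape as the template above with plain Python instead of Jinja/arrow, prepends it to whatever is already in the field so the older entries stay intact, and includes a small parser that reads the sources and counts back out of the log. The field name intelenrichment and the function names are assumptions for illustration. Because the field is rendered as rich text, the example HTML-escapes the source name and the run-by name before they are inserted.

```python
import re
from datetime import datetime, timezone
from html import escape

# Assumed rich-text field name (the post calls its field "intelenrichment").
LOG_FIELD = "intelenrichment"


def build_log_entry(source, total, returned, first_name, last_name, now=None):
    """Render one HTML log entry in the same shape as the post's template."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%d %H:%M:%S %z")  # e.g. 2024-01-02 03:04:05 +0000
    # Escape user-controlled strings so a display name or connector output
    # cannot smuggle markup into a field that the UI renders as HTML.
    src = escape(str(source))
    who = escape(f"{first_name} {last_name}")
    if total == 0:
        # Explicit zero-result entry so the user knows the playbook completed.
        outcome = "No Results Found, Playbook Completed"
    else:
        outcome = "Found Results and Inserted Into Intel Search Results"
    return (
        "<p style='color:LightSeaGreen;'>\n<hr>\n"
        f"=== Source: {src} ===<br>\n"
        f"== Time: {stamp} ==<br>\n"
        f"== Total of {total} Found, Returned Top {returned} Based on Date ==<br>\n"
        f"== Added by {who} ==<br>\n"
        f"</p> <p> {outcome} </p>\n"
    )


def prepend_log(existing_log, entry):
    """Newest entry on top; the previous log content is kept intact below it."""
    return entry + (existing_log or "")


def update_resource_payload(new_log):
    """Body for the Update Resource step: {"<field>": "<html>"} as in the post."""
    return {LOG_FIELD: new_log}


# Pulls (source, total_found) pairs back out of the log, newest first.
ENTRY_RE = re.compile(r"=== Source: (.+?) ===.*?== Total of (\d+) Found", re.S)


def summarize_log(log):
    """Return [(source, total_found), ...] for an at-a-glance view of the log."""
    return [(m.group(1), int(m.group(2))) for m in ENTRY_RE.finditer(log or "")]


if __name__ == "__main__":
    # Constructed sample run: two sources against one alert, second one empty.
    log = ""
    log = prepend_log(log, build_log_entry("HybridAnalysis", 12, 5, "Ada", "Lovelace"))
    log = prepend_log(log, build_log_entry("VirusTotal", 0, 0, "Ada", "Lovelace"))
    print(update_resource_payload(log)[LOG_FIELD])
    print(summarize_log(log))
```

Each playbook run calls `build_log_entry` with its own counts, prepends the result to the value read from the alert at the start of the run, and sends `update_resource_payload` to the Update Resource step; `summarize_log` is the "at a glance" reader for anyone who can see the field but not the playbook logs.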
Fortunately this was incorporated into 4.10 with the addition of Collaborate. This allows the posting of messages for the user, which I believe was introduced in 4.10.1. It's great stuff and effectively replaced my need for this log. But this is still a good concept in terms of taking previous data, keeping it intact, and appending new data, as it can be useful for several other things.
There are several variables in here that are likely not being mapped, so let's walk through this.
Hope this helps for some use cases out there; it's a good way to troubleshoot for a user without permissions to the running playbook logs. If there is no log entry in the rich text field, they know the playbook broke or didn't complete somewhere. It can also make an entry when there are zero results, so the user knows it did complete but nothing was found. This is likely the most useful use case, given there will be no new relationships or edited fields, meaning the user might think it failed and run the playbook again.