FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Andy_G
Staff
Article Id 190653
Description

Jinja Expressions in CyOPs. The following are examples of Jinja expressions used in playbooks.

This article lists a first set of expressions and will be updated with more examples.



Setting picklist values based on condition

The picklist filter resolves a display value to the matching item of the named picklist field. Every {% if %} block needs a closing {% endif %}, and each branch must test the same field (the original first branch tested Severity while the others tested DeviceSeverity, so the P1 case could never be reached from the same record):

{% if vars.result.data.DeviceSeverity == "P1" %}
{{ "Severity" | picklist("Critical") }}
{% elif vars.result.data.DeviceSeverity == "P2" %}
{{ "Severity" | picklist("High") }}
{% elif vars.result.data.DeviceSeverity == "P3" %}
{{ "Severity" | picklist("Medium") }}
{% elif vars.result.data.DeviceSeverity == "P4" %}
{{ "Severity" | picklist("Low") }}
{% else %}
{{ "Severity" | picklist("Minimal") }}
{% endif %}

 

Regex Expression Examples

If {{vars.message}} is the string "Host Detection alert #123456, start 2018-08-02 05:33:45 UTC, duration 64, direction incoming, host x.x.x.x, signatures (Total Traffic), impact 12.87 Mbps/1.09 Kpps, importance 2, managed_objects ("XYZ_ZZ_ABC"), (parent managed object "nil")"

the following regex expressions pull out specific substrings. The lookbehind (?<=label ) anchors the match on the label that precedes a value without including the label in the result. The patterns use Python re syntax, so surround them with plain straight quotes, not typographic ones:

{{vars.message | regex_search('(?<=managed_objects )(.*)')}}
{{vars.message | regex_search('(?<=signatures )(.*?,)')}}
{{vars.message | regex_search('(?<=duration )(\w+)')}}
{{vars.message | regex_search('(?<=importance )([^,]+)')}}
{{vars.message | regex_search('#([^\s]+)')}}

The last pattern matches up to the next whitespace, so on this message it returns "#123456," including the comma; use '#([^\s,]+)' if only the identifier is wanted.

To strip the quotes and parentheses from the managed_objects value and then extract the name that follows the site prefix, chain replace with regex_search. Inline flags such as (?i) must be placed at the start of the pattern, not the end; the second regex_search only matches when the remaining name contains a further underscore:

{{vars.managed_objects | replace('"', '') | replace('(', '') | replace(')', '') | regex_search('(?i)(?<=XYZ_ZZ_)([^,]+)') | regex_search('(?<=_)([^,]+)')}}
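
As an added example (not part of the original article and not FortiSOAR's own code), the following Python snippet applies the same patterns with the standard re module, standing in for the playbook's regex_search filter, over the sample message above so the matches can be checked offline. The regex_search, extract_alert_fields and managed_object_suffix functions are assumptions written for this illustration; regex_search is assumed to return the text of the first match, or None when nothing matches.

```python
import re
from typing import Optional

# Constructed sample input: the message quoted in this article, host placeholder kept.
MESSAGE = (
    'Host Detection alert #123456, start 2018-08-02 05:33:45 UTC, duration 64, '
    'direction incoming, host x.x.x.x, signatures (Total Traffic), '
    'impact 12.87 Mbps/1.09 Kpps, importance 2, managed_objects ("XYZ_ZZ_ABC"), '
    '(parent managed object "nil")'
)


def regex_search(value: str, pattern: str) -> Optional[str]:
    """Stand-in for the playbook's regex_search filter (assumption: it returns the
    text of the first match, or None when the pattern does not match)."""
    match = re.search(pattern, value)
    return match.group(0) if match else None


def extract_alert_fields(message: str) -> dict:
    """Apply the article's lookbehind patterns; (?<=label ) anchors on the label
    that precedes a value without including the label in the match."""
    return {
        # (.*) runs to the end of the line, so both managed-object groups come back.
        "managed_objects": regex_search(message, r"(?<=managed_objects )(.*)"),
        # Non-greedy .*? stops at the first comma after the signatures label.
        "signatures": regex_search(message, r"(?<=signatures )(.*?,)"),
        "duration": regex_search(message, r"(?<=duration )(\w+)"),
        "importance": regex_search(message, r"(?<=importance )([^,]+)"),
        # [^\s]+ runs until whitespace, so the trailing comma is part of this match.
        "alert_ref": regex_search(message, r"#([^\s]+)"),
        # Excluding the comma from the character class gives just the identifier.
        "alert_id": regex_search(message, r"#([^\s,]+)"),
    }


def managed_object_suffix(managed_objects: str, prefix: str = "XYZ_ZZ_") -> Optional[str]:
    """Strip quotes and parentheses, then take the name after the site prefix.
    Python requires inline flags such as (?i) at the start of the pattern; a
    trailing (?i), as in the article's original expression, is rejected by
    Python 3.11 and later."""
    cleaned = managed_objects.replace('"', "").replace("(", "").replace(")", "")
    return regex_search(cleaned, r"(?i)(?<=" + re.escape(prefix) + r")([^,]+)")


if __name__ == "__main__":
    fields = extract_alert_fields(MESSAGE)
    for name, value in fields.items():
        print(f"{name}: {value!r}")
    print("suffix:", managed_object_suffix(fields["managed_objects"]))
```

Because a non-matching pattern yields None rather than an empty string, any playbook step that feeds the result into a field should guard for the missing case rather than assume a value is always present.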

 

For Loop:

{% for i in vars.offense_list %}
{{ vars.new_list.append(i) }}
{% endfor %}

append() returns None, so each iteration renders the text "None" into the expression's output; the list held in vars.new_list is still updated in place. If the rendered output matters, use {% set _ = vars.new_list.append(i) %} instead, which performs the append without printing anything.


If Condition (the elif branch here uses a placeholder condition that is never true):

{% if vars.request.data.offenseitem > 10 %}
{{ vars.request.data.name }}
{% elif 5 == 6 %}
{{ vars.request.data }}
{% endif %}


For Loop along with If condition (the tag delimiters must be written as {% and %} with no space inside them):

{% for i in vars.offense_list %}
{% if i not in vars.request.data %}
{{ vars.new_list.append(i) }}
{% endif %}
{% endfor %}

 

Time Operations

Parse a timestamp (the day must be a valid day of the month; 35 is not):
{{ arrow.get('2013-05-25 12:30:45', 'YYYY-MM-DD HH:mm:ss') }}

Current time as epoch milliseconds (multiply the epoch seconds by 1000; parenthesize the product so the int filter applies to it rather than to the literal 1000, since filters bind tighter than arithmetic in Jinja):
{{ (arrow.utcnow().timestamp * 1000) | int }}

Convert a date to epoch time:
{{ arrow.Arrow(2017, 3, 30).timestamp }}

In the arrow release these examples were written against, timestamp is a property; from arrow 1.0 onward it is a method, so on newer environments write timestamp() instead.

 

String Operations

Find the length of a list or string:
{{ vars.emails | length }}

Replace substrings (here stripping the dict_keys( ... ) wrapper from the rendered form of a dictionary's keys):
{{ vars.var_keys.replace("dict_keys(", "") | replace(")", "") }}

When the dictionary itself is available (here assumed to be in vars.var_dict), {{ vars.var_dict.keys() | list }} yields the keys as a list without any string surgery.

 

Code in block (iterating over the key/value pairs of a dictionary):

{% block body %}
{% for key, value in vars.loop_resource.items() %}
{{ key }}: {{ value }}
{% endfor %}
{% endblock %}

 

Set a variable inside a loop:

{% for i in vars.result['hydra:member'] %}
{% set id = i['@id'] %}
{{ vars.inc_fdata.append(id) }}
{% endfor %}

A variable created with {% set %} inside a for loop is scoped to that loop and is not visible after {% endfor %}, which is why the values are collected by appending to a list held in vars.inc_fdata.

2nd Example, collecting the id and creation date of each item as a pair:

{% for i in vars.result['hydra:member'] %}
{% set id = i['@id'] %}
{% set createDate = i.createDate | string %}
{% set list_item = [id, createDate] %}
{{ vars.inc_fdata.append(list_item) }}
{% endfor %}




