Upgrading SOAR Framework v2.x.x to latest version

Note

On a fresh install of FortiSOAR™, Tenant is not a uniqueness constraint for any of the modules. However, when the SOAR Framework Solution Pack is upgraded, Tenant is added as a uniqueness constraint in Alerts, Incidents, and Indicators.

Moving from Global Variables to Key Store Record

SOAR Framework v3.1.0 and later use the new keystore records instead of the old keystore records and legacy global variables for indicator extraction, exclusion, and indicator type mapping.

User-modified playbooks may still rely on the old keystore records or legacy global variables. This section helps users edit those playbooks so that they use the new keystore record.

Important

Configuration changes made through the Indicator Extraction Configuration wizard update the key store record and not the Global Variables.

Editing Extraction Playbooks - An Example

Let us consider the playbook Extract Indicators (Alerts) as an example. We will edit this playbook to refer to the new keystore record.

  1. Navigate to Automation > Playbooks.

  2. Open the playbook Extract Indicators (Alerts), under the collection 03 - Enrich.

Note

Your playbooks and the corresponding steps to be edited may be different.

  3. Edit the step that handles indicator extraction or exclusion. In this example, that step is Get Exclude IOCs List.

    The Build Search Query for this step is shown in the following image:

    (Image: Editing Get Exclude IOC list)

    Key Equals sfsp-indicator-extraction-configuration

  4. Similar changes may be required in other playbooks, as applicable.

Retrieving Exclusion List

Earlier, the following expression retrieved the list of excluded IP addresses using global variables:

    {{globalVars.ExcludeList_IPs}}

Similar expressions retrieved the exclude lists for other indicator types.

Now, the following expression retrieves the list of excluded IP addresses using the new keystore record:

    {{keystore(key_name="sfsp-indicator-extraction-configuration").jSONValue["IP Address"]}}
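
To find playbook steps that still read legacy global variables, and so ignore changes made through the wizard, the following added example (not part of the solution pack) walks a playbook export loaded as JSON and reports every `globalVars.` reference. The export layout and the second variable name are constructed for illustration; only the `ExcludeList_IPs` replacement comes from this page, so other hits are reported for manual review.

```python
import re

# The only old-to-new mapping given on this page; other indicator types
# must be looked up manually (replacement is reported as None).
KNOWN_REPLACEMENTS = {
    "ExcludeList_IPs": '{{keystore(key_name="sfsp-indicator-extraction-configuration")'
                       '.jSONValue["IP Address"]}}',
}
LEGACY_REF = re.compile(r"globalVars\.([A-Za-z_][A-Za-z0-9_]*)")

def walk_strings(node, path=""):
    """Yield (json_path, text) for every string value in nested JSON data."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node

def find_legacy_refs(export):
    """Return one finding per globalVars reference found anywhere in the export."""
    findings = []
    for path, text in walk_strings(export):
        for match in LEGACY_REF.finditer(text):
            name = match.group(1)
            findings.append({"path": path, "variable": name,
                             "replacement": KNOWN_REPLACEMENTS.get(name)})
    return findings

# Constructed sample: the layout and "Hypothetical_List" are assumptions.
SAMPLE_EXPORT = {
    "collection": "03 - Enrich",
    "playbooks": [{"name": "Extract Indicators (Alerts)", "steps": [
        {"name": "Get Exclude IOCs List",
         "arguments": {"exclude_ips": "{{globalVars.ExcludeList_IPs}}"}},
        {"name": "Hypothetical Step",
         "arguments": {"exclude": "{{ globalVars.Hypothetical_List | default([]) }}"}},
        {"name": "Already Migrated",
         "arguments": {"exclude_ips": KNOWN_REPLACEMENTS["ExcludeList_IPs"]}},
    ]}],
}

if __name__ == "__main__":
    for f in find_legacy_refs(SAMPLE_EXPORT):
        print(f["path"], f["variable"], "->", f["replacement"] or "manual review")
```

Global variables unrelated to indicator extraction are also listed, so treat each hit without a replacement as a prompt to inspect the step, not as a required change.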

