Question

SOAR Data Table Enrichment: Keeping IP–Hostname Association with Multiple Tables

  • April 7, 2026
  • 0 replies
  • 8 views

rjosende

Hello,

I am experiencing an issue related to the use of Data Tables for data enrichment in SOAR. Currently, we have several tables containing IP addresses along with their corresponding hostnames (and in some cases, additional information such as VLAN or other attributes).

The goal is to query these tables using the “Is Value In Data Table” action, so that when searching for an IP address, the associated values from the corresponding columns are returned. However, a limitation arises because we need to query three different Data Tables simultaneously, each with different structures and fields.

The expected output would be something like:

  • IP (hostname, vlan) if associated information exists
  • IP only, if no match is found

Additionally, we encounter issues when multiple IPs are present in the same alert. The output does not preserve the relationship between each IP and its corresponding hostname, instead returning an aggregated result such as "ip1, ip2, ip3, hostname1, hostname2, hostname3", which makes it difficult to interpret.

Is there a recommended way to perform this type of enrichment while preserving the relationship between each IP and its attributes (either using this method or an alternative approach)? Has anyone faced a similar scenario and can share best practices?

Thank you in advance.
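One way to keep the per-IP association when several heterogeneous tables are involved is to do the join in a custom step rather than rely on the flattened output of a per-table lookup action. The example below is added here for illustration; it is not code from the original post or from any SOAR product. The three tables, their column names (ip / ip_address / address, host / device_name, vlan, owner) and the alert text are constructed sample data. The approach: one spec per table maps that table's IP column and attribute columns onto a common schema, every IP in the alert is looked up in every table, matching attributes are merged (the table listed first wins on conflicts), and the result is one record per IP, so an unmatched IP still comes back on its own rather than being lost in an aggregated list.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample tables with deliberately different schemas (assumptions,
# standing in for SOAR Data Tables; column names are not from any product).
TABLE_SERVERS = [
    {"ip": "10.0.0.5", "hostname": "db01", "vlan": "100"},
    {"ip": "10.0.0.6", "hostname": "web01", "vlan": "110"},
]
TABLE_WORKSTATIONS = [
    {"ip_address": "10.0.1.20", "host": "WS-ALICE", "owner": "alice"},
    {"ip_address": "10.0.0.6", "host": "web01-old", "owner": "ops"},  # conflicts with servers
]
TABLE_NETWORK = [
    {"address": "10.0.2.1", "device_name": "core-sw1", "vlan": "1"},
]

# One spec per table: which column holds the IP and how that table's columns
# map onto the common attribute names. List order defines precedence on conflicts.
TABLE_SPECS = [
    {"table": "servers", "rows": TABLE_SERVERS, "key": "ip",
     "fields": {"hostname": "hostname", "vlan": "vlan"}},
    {"table": "workstations", "rows": TABLE_WORKSTATIONS, "key": "ip_address",
     "fields": {"hostname": "host", "owner": "owner"}},
    {"table": "network", "rows": TABLE_NETWORK, "key": "address",
     "fields": {"hostname": "device_name", "vlan": "vlan"}},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_ip(value: str) -> Optional[str]:
    """Return a canonical IP string, or None if the value is not a valid IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_index(spec: dict) -> Dict[str, dict]:
    """Index one table by normalized IP, renaming its columns to the common schema."""
    index: Dict[str, dict] = {}
    for row in spec["rows"]:
        ip = normalize_ip(str(row.get(spec["key"], "")))
        if ip is None:
            continue  # skip rows whose IP column is missing or malformed
        attrs = {common: row[col] for common, col in spec["fields"].items()
                 if row.get(col) not in (None, "")}
        attrs["_source"] = spec["table"]
        index[ip] = attrs
    return index


def enrich_ips(ips: Iterable[str], specs: List[dict] = TABLE_SPECS) -> List[dict]:
    """Look up each IP in every table and return exactly one record per IP.

    Attributes from all matching tables are merged; for a conflicting attribute
    the table listed first in `specs` wins. An IP with no match still yields a
    record holding only 'ip', so the IP-to-attribute association is never lost.
    """
    indexes = [build_index(spec) for spec in specs]
    records: List[dict] = []
    seen = set()
    for raw in ips:
        ip = normalize_ip(raw)
        if ip is None or ip in seen:
            continue  # drop invalid values and duplicate IPs, keep first-seen order
        seen.add(ip)
        record = {"ip": ip}
        sources = []
        for index in indexes:
            hit = index.get(ip)
            if not hit:
                continue
            sources.append(hit["_source"])
            for attr, val in hit.items():
                if attr != "_source" and attr not in record:
                    record[attr] = val
        if sources:
            record["sources"] = sources
        records.append(record)
    return records


def format_record(record: dict) -> str:
    """Render 'ip (k=v, ...)' when enrichment exists, otherwise just the ip."""
    attrs = [f"{k}={v}" for k, v in record.items() if k not in ("ip", "sources")]
    return f"{record['ip']} ({', '.join(attrs)})" if attrs else record["ip"]


def enrich_alert_text(text: str) -> List[str]:
    """Extract IPv4 addresses from alert text and return one formatted line per IP."""
    return [format_record(r) for r in enrich_ips(IPV4_RE.findall(text))]


if __name__ == "__main__":
    # Constructed alert text containing matched, conflicting and unknown IPs.
    alert = "Lateral movement from 10.0.0.5 to 10.0.1.20 and 10.0.0.6; unknown 192.168.9.9"
    for line in enrich_alert_text(alert):
        print(line)
```

The records returned by `enrich_ips` are the structure worth passing on to later playbook steps (each carries its own `sources` list, which tells an analyst which table a hostname came from); `format_record` only flattens them for display. The precedence rule is deliberately explicit in the spec order, so a stale entry in a lower-priority table cannot silently overwrite an authoritative one.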