get_similar_cases
Related Concepts: Case Manipulation
This function returns a dictionary of similar cases based on entities, ports, rule generators, and category outcome in the provided time frame.
```python
result = siemplify.get_similar_cases(consider_ports, consider_category_outcome, consider_rule_generator, consider_entity_identifiers, days_to_look_back, case_id=None, end_time_unix_ms=None)
```
Parameters:
Param Name | Param Type | Possible Values | Comments | Mandatory Parameter |
---|---|---|---|---|
case_id | string | 234 | Unique case id | Yes |
consider_ports | boolean | True/False | This will configure whether to use port filter or not. | Yes |
consider_category_outcome | boolean | True/False | This will configure whether to consider category outcome of the events. | Yes |
consider_rule_generator | boolean | True/False | This will configure whether to consider rule generator for the alerts. | Yes |
consider_entity_identifiers | boolean | True/False | This will configure whether to consider entity identifiers for the alerts. | Yes |
days_to_look_back | integer | 365 | This will configure number of days backwards to look for similar cases. | Yes |
end_time_unix_ms | string | 1564214708469 | The provided unix time is in milliseconds. | No |
Return Type
List
Example:
Input: Everything needs to be explicitly provided except case_id and end_time_unix_ms as they can be implicitly extracted from the current case.
Sample Code
```python
from SiemplifyAction import SiemplifyAction

siemplify = SiemplifyAction()

# Look back 30 days from now for cases that share ports with case 234;
# category outcome, rule generator and entity identifiers are ignored.
result = siemplify.get_similar_cases(consider_ports=True,
                                     consider_category_outcome=False,
                                     consider_rule_generator=False,
                                     consider_entity_identifiers=False,
                                     days_to_look_back=30,
                                     case_id="234",
                                     end_time_unix_ms=None)
```
Result Behavior
A list of the IDs of cases similar to case 234 will be returned.
Result Value
[4, 231]
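The helper below is an added example, not Siemplify's own code or part of the SDK: it wraps `get_similar_cases` so that every `consider_*` flag is passed explicitly, the end time is converted to Unix milliseconds (the unit the API expects), and the returned list is de-duplicated with the current case removed. The names `find_similar_cases`, `summarize_similar_cases`, `to_unix_ms`, `parse_utc` and the `FakeSiemplifyAction` stub are assumptions; the stub stands in for `SiemplifyAction` only so the example runs offline.

```python
"""Added example (not Siemplify's own code) around siemplify.get_similar_cases().
All helper names are hypothetical; FakeSiemplifyAction is a constructed stub."""
from datetime import datetime, timezone


def parse_utc(iso_text):
    """Parse 'YYYY-MM-DDTHH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(iso_text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def to_unix_ms(dt):
    """Convert an aware datetime to Unix epoch milliseconds.

    end_time_unix_ms is in milliseconds; passing a seconds-based epoch would
    silently place the look-back window in 1970 and return nothing useful."""
    if dt.tzinfo is None:
        raise ValueError("end time must be timezone-aware")
    return int(dt.timestamp() * 1000)


def find_similar_cases(siemplify, case_id, days_to_look_back=30, end_time=None,
                       consider_ports=True, consider_category_outcome=False,
                       consider_rule_generator=False,
                       consider_entity_identifiers=False):
    """Call get_similar_cases with explicit flags and return the other case ids,
    de-duplicated and with the current case itself dropped."""
    if not isinstance(days_to_look_back, int) or days_to_look_back < 1:
        raise ValueError("days_to_look_back must be a positive integer")
    end_ms = to_unix_ms(end_time) if end_time is not None else None
    raw = siemplify.get_similar_cases(
        consider_ports=consider_ports,
        consider_category_outcome=consider_category_outcome,
        consider_rule_generator=consider_rule_generator,
        consider_entity_identifiers=consider_entity_identifiers,
        days_to_look_back=days_to_look_back,
        case_id=str(case_id),
        end_time_unix_ms=end_ms,
    )
    seen = set()
    result = []
    for cid in raw or []:
        cid = int(cid)
        if cid == int(case_id) or cid in seen:
            continue
        seen.add(cid)
        result.append(cid)
    return result


def summarize_similar_cases(case_id, similar, days_to_look_back):
    """Small summary an analyst can attach to the case: whether the same
    pattern has been seen before in the window, and which cases carried it."""
    return {
        "case_id": int(case_id),
        "window_days": days_to_look_back,
        "similar_case_ids": list(similar),
        "recurring": len(similar) > 0,
    }


class FakeSiemplifyAction:
    """Constructed stand-in for SiemplifyAction so the example runs offline.
    It records the keyword arguments it was called with and returns a canned
    list that deliberately contains the current case and a duplicate id."""

    def __init__(self, canned=(4, 231, 234, 231)):
        self.canned = list(canned)
        self.last_call = None

    def get_similar_cases(self, **kwargs):
        self.last_call = kwargs
        return list(self.canned)


if __name__ == "__main__":
    fake = FakeSiemplifyAction()
    end = parse_utc("2019-07-27T08:05:08")  # constructed end of window
    similar = find_similar_cases(fake, "234", days_to_look_back=30, end_time=end)
    print(fake.last_call)
    print(summarize_similar_cases("234", similar, 30))
```

In a real action, replace `FakeSiemplifyAction()` with `SiemplifyAction()`; the keyword arguments sent to `get_similar_cases` are identical. Keeping the flags explicit makes it obvious in code review which similarity criteria a playbook relies on.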