This function checks whether a given alert would be treated as an overflow during case ingestion in the Siemplify system. Siemplify has a built-in overflow prevention mechanism based on multiple parameters, e.g. alert identifier, ingestion time, alert name, product, source and destination. An overflowed alert is not ingested into Siemplify as a case; it is marked as an overflow alert instead. This function lets a connector determine, before ingestion, whether an alert with the given parameters will be marked as an overflow.

is_overflowed_alert(environment, alert_identifier, ingestion_time=SiemplifyUtils.unix_now(), original_file_path=None, original_file_content=None, alert_name=None, product=None, source_ip=None, source_host=None, destination_ip=None, destination_host=None)

Parameters

environment (string, mandatory): The environment of the alert. Environments are created in the Siemplify settings. Example values: Siemplify, Apple
alert_identifier (string, mandatory): Unique alert identifier. Example value: 123123
ingestion_time (long, optional): Ingestion time in UNIX time format. Defaults to the current time if not provided. Note that the default expression SiemplifyUtils.unix_now() in the signature is evaluated once when the SDK module is loaded, as with any Python default argument, so a long-running connector should pass SiemplifyUtils.unix_now() explicitly on each call. Example value: current Unix time
original_file_path (string, optional): Path to the file containing the alert's original raw data.
original_file_content (string, optional): Content of the file containing the alert's original raw data.
alert_name (string, optional): The name of the alert.
product (string, optional): The product name of the device that generated the alert. Example values: McAfee ESM, QRadar
source_ip (string, optional): Source IP address associated with the alert. Example values: 10.0.0.13, 192.168.0.13
source_host (string, optional): Source host address associated with the alert. Example values: source@company.local, source.company.local
destination_ip (string, optional): Destination IP address associated with the alert. Example values: 10.0.0.31, 192.168.0.31
destination_host (string, optional): Destination host address associated with the alert. Example value: remote.company.local

Return Type

Boolean 

Example

Sample code
from SiemplifyConnectors import SiemplifyConnectorExecution
import SiemplifyUtils
siemplify = SiemplifyConnectorExecution()
# Positional arguments cannot follow a keyword argument in Python, so the optional fields are passed by name.
is_overflow = siemplify.is_overflowed_alert(environment, alert_identifier, ingestion_time=SiemplifyUtils.unix_now(), original_file_path=original_file_path, original_file_content=original_file_content, alert_name=alert_name, product=product, source_ip=source_ip, source_host=source_host, destination_ip=destination_ip, destination_host=destination_host)
Result Behavior
True if the alert will be overflowed during ingestion process, otherwise False. 
Result Value
True/False
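The following is an added example, not part of the Siemplify SDK documentation or SDK code, showing how a connector would use the check to split fetched alerts into those to ingest and those to mark as overflow. Because the SDK is not importable offline, LocalOverflowGuard is an assumed stand-in with the same signature as is_overflowed_alert: a sliding-window counter keyed on environment, product, source and destination. The limit, window and key choice are illustrative assumptions and are not Siemplify's configured overflow rules; timestamps are assumed to be UNIX milliseconds. The sample alerts are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Illustrative threshold and window (assumptions for this example); the
# platform's real overflow rules are configured in Siemplify settings.
OVERFLOW_LIMIT = 3
OVERFLOW_WINDOW_MS = 60_000


class LocalOverflowGuard:
    """Offline stand-in for siemplify.is_overflowed_alert (assumed, not SDK code).

    Counts ingested alerts per (environment, product, source, destination) in a
    sliding window and reports overflow once the count reaches the limit.
    """

    def __init__(self, limit=OVERFLOW_LIMIT, window_ms=OVERFLOW_WINDOW_MS):
        self.limit = limit
        self.window_ms = window_ms
        self._seen = defaultdict(deque)

    def is_overflowed_alert(self, environment, alert_identifier,
                            ingestion_time=None, original_file_path=None,
                            original_file_content=None, alert_name=None,
                            product=None, source_ip=None, source_host=None,
                            destination_ip=None, destination_host=None):
        # Same parameter list as the SDK method so a connector can swap them.
        if ingestion_time is None:
            ingestion_time = int(time.time() * 1000)
        key = (environment, product,
               source_ip or source_host, destination_ip or destination_host)
        window = self._seen[key]
        # Drop timestamps that fell out of the window.
        while window and ingestion_time - window[0] > self.window_ms:
            window.popleft()
        if len(window) >= self.limit:
            return True  # would be marked overflow, not ingested
        window.append(ingestion_time)
        return False


def ingest_alerts(raw_alerts, environment, overflow_check):
    """Return (ids to ingest, ids marked overflow) for a batch of fetched alerts.

    overflow_check is any callable with is_overflowed_alert's signature; a real
    connector passes siemplify.is_overflowed_alert. The two mandatory fields
    are validated before the check is called.
    """
    if not environment:
        raise ValueError("environment is mandatory")
    ingested, overflowed = [], []
    for raw in raw_alerts:
        alert_id = raw.get("id")
        if not alert_id:
            raise ValueError("alert_identifier is mandatory")
        if overflow_check(environment, alert_id,
                          ingestion_time=raw["ts"],
                          alert_name=raw.get("name"),
                          product=raw.get("product"),
                          source_ip=raw.get("src_ip"),
                          destination_ip=raw.get("dst_ip")):
            overflowed.append(alert_id)
        else:
            ingested.append(alert_id)
    return ingested, overflowed


# Constructed sample input: five alerts from one source/destination pair inside
# one window, one more after the window has expired, one from another source.
T0 = 1_700_000_000_000  # UNIX milliseconds
_PAIR = {"name": "Brute force", "product": "QRadar",
         "src_ip": "10.0.0.13", "dst_ip": "10.0.0.31"}
SAMPLE_ALERTS = [
    dict(_PAIR, id="a1", ts=T0),
    dict(_PAIR, id="a2", ts=T0 + 1_000),
    dict(_PAIR, id="a3", ts=T0 + 2_000),
    dict(_PAIR, id="a4", ts=T0 + 3_000),
    dict(_PAIR, id="a5", ts=T0 + 4_000),
    dict(_PAIR, id="a6", ts=T0 + 120_000),
    dict(_PAIR, id="a7", ts=T0 + 3_000, src_ip="192.168.0.13"),
]

if __name__ == "__main__":
    guard = LocalOverflowGuard()
    print(ingest_alerts(SAMPLE_ALERTS, "Siemplify", guard.is_overflowed_alert))
```

Alerts a4 and a5 arrive after three alerts from the same pair within the window and are reported as overflow; a6 arrives after the window has expired and a7 comes from a different source, so both are ingested. In a connector, the same loop is run with siemplify.is_overflowed_alert in place of the guard, and overflowed alerts are logged rather than converted to cases.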