Tools
Overview
A set of utility actions for data manipulation that extend playbook capabilities.
Actions
DNS Lookup
Description
Performs a DNS lookup using a specified DNS resolver.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
DNS Server | IP Address | N/A | Yes | Specify a single DNS server or a comma-separated list of DNS servers. |
Example
In this scenario, we’re using Google's public DNS address of 8.8.8.8 to look up external domain entities.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "Entity": "WWW.IRCNET.ORG", "EntityResult": [{"Type": "A", "Response": "176.9.157.114", "DNS Server": "8.8.8.8"}] }
Add Or Update Alert Additional Data
Description
Adds or updates fields in the alert's additional data. The result is shown in a field called “OFFENSE_ID” in the Alerts overview.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Json Fields | JSON | N/A | Yes | You can enter either free text (for one variable) or a string representing a JSON dictionary (can be nested). |
Example
In this scenario, we’re adding MITRE ATT&CK details to the alert, which will be displayed in the Alerts overview.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of items in the dictionary | 2 |
JSON Result
{ "dict": {"mitre": " T1059"}, "list": [] }
Attach Playbook to All Case Alerts
Description
Attaches a specific playbook or block to all alerts in a case.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | String | N/A | Yes | Specify the playbook or block name that will be added to all alerts in a case. |
Example
In this scenario, we’re attaching a playbook called “Phishing playbook” to all alerts in a case.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Attach Playbook to Alert
Description
Attaches a specific playbook or block to the current alert.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | String | N/A | Yes | Specify the playbook or block name that will be attached to the current alert. |
Example
In this scenario, we’re attaching a block called “Containment Block” to the current alert.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Buffer
Description
Converts a JSON input into a JSON result object that can be used in the expression builder.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
ResultValue | String | N/A | No | Placeholder value that will be returned as the ScriptResult value. |
JSON | JSON | N/A | No | JSON that will be displayed in the expression builder. |
Example
In this scenario, the JSON input value is displayed in the JSON expression builder, to be used by further actions.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | The value of the ResultValue parameter | success |
JSON Result
{ "domain" : "company.com", "domain2" : "company2.com" }
Get Certificate Details
Description
Retrieves certificate details of a given URL.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Url to check | URL | expired.badssl.com | Yes | Specify the URL to retrieve certificate details from. |
Example
In this scenario, we’re retrieving certificate details from the expired.badssl.com site.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "hostname": "expired.badssl.com", "ip": "104.154.89.105", "commonName": "*.badssl.com", "is_self_signed": false, "SAN": [["*.badssl.com", "badssl.com"]], "is_expired": true, "issuer": "COMODO RSA Domain Validation Secure Server CA", "not_valid_before": "04/09/2015", "not_valid_after": "04/12/2015", "days_to_expiration": -2762 }
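As an added worked example (not code from the Tools integration), here is how the fields in that JSON result can be derived from a certificate. The sample certificate dictionary below is constructed in the shape that Python's ssl.SSLSocket.getpeercert() returns and only mirrors the names and dates shown above; it was not fetched from expired.badssl.com. One caveat for a live version: the action exists to inspect bad certificates, so the TLS handshake has to run without verification, and with ssl.CERT_NONE getpeercert() returns an empty dict unless called with binary_form=True, in which case the DER bytes need a parser such as the cryptography package. The example therefore stays offline and works on the already-parsed dictionary.

```python
import ssl
import datetime as dt

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns. It is not
# captured from expired.badssl.com; only the names and dates mirror the page's JSON result.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.badssl.com"),),),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "COMODO CA Limited"),),
        (("commonName", "COMODO RSA Domain Validation Secure Server CA"),),
    ),
    "notBefore": "Apr  9 00:00:00 2015 GMT",
    "notAfter": "Apr 12 23:59:59 2015 GMT",
    "subjectAltName": (("DNS", "*.badssl.com"), ("DNS", "badssl.com")),
}


def _name_attr(name, key):
    """First value of attribute `key` in a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _to_utc(cert_time):
    """Parse an OpenSSL 'Mon DD HH:MM:SS YYYY GMT' timestamp into an aware UTC datetime."""
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), dt.timezone.utc)


def certificate_details(cert, hostname, now=None):
    """Build the action's JSON-result shape from a parsed certificate dict.

    `now` is injectable (aware datetime or ISO-8601 string) so the expiry maths can be
    checked against a fixed date; it defaults to the current UTC time.
    """
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    elif isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=dt.timezone.utc)
    not_before = _to_utc(cert["notBefore"])
    not_after = _to_utc(cert["notAfter"])
    return {
        "hostname": hostname,
        "commonName": _name_attr(cert["subject"], "commonName"),
        # A self-signed certificate carries the same distinguished name as subject and issuer.
        "is_self_signed": cert["subject"] == cert["issuer"],
        "SAN": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        # "Expired" deliberately also covers "not yet valid"; both fail validation.
        "is_expired": not (not_before <= now <= not_after),
        "issuer": _name_attr(cert["issuer"], "commonName"),
        "not_valid_before": not_before.strftime("%m/%d/%Y"),
        "not_valid_after": not_after.strftime("%m/%d/%Y"),
        # Whole days until notAfter; negative once the certificate has expired.
        "days_to_expiration": (not_after.date() - now.date()).days,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(certificate_details(SAMPLE_CERT, "expired.badssl.com"), indent=2))
```

Evaluated on 3 November 2022 (the date of the Get Current Time example further down), the sample gives days_to_expiration of -2762, the value in the JSON result above.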
Get Context Value
Description
Retrieves a value of a context key in a case/alert.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Scope | Drop down | Alert | Yes | Specify the scope the key is stored in: Alert, Case or Global. |
Key | String | N/A | Yes | Specify the key. |
Example
In this scenario, we’re retrieving the value of a context key called impact from the case. This action is used together with the “Set Context Value” action, which adds key/value pairs to the case or alert.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Context value | High |
Get Email Templates
Description
Returns all email templates in the system.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Template Type | Drop down | Standard | Yes | Specify the template type to return: Standard or HTML. |
Example
In this scenario, we’re returning all HTML based email templates.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | JSON result containing HTML code | JSON result shown below |
JSON Result
{ "templates": [{"type": 1, "name": "test 1", "content": "<html>\n <head>\n <style type=\"text/css\"> .title\n\n { color: blue; text-decoration: bold; text-size: 1em; }\n .author\n { color: gray; }\n\n </style>\n </head>\n\n <body>\n <span class=\"title\">La super bonne</span>\n {Text}\n [Case.Id]\n </h1> <br/>\n </body>\n\n </html>", "creatorUserName": "f00942-fa040-4422324-b2c43e-de40fdsff122b9c4", "forMigration": false, "environments": ["Default"], "id": 3, "creationTimeUnixTimeInMs": 1672054127271, "modificationTimeUnixTimeInMs": 1672054127279}] }
Create Entities With Separator
Description
Creates entities and adds them to the alert.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Entities Identifiers | String | N/A | Yes | Specify the entity or entities to be added to the alert. |
Entity Type | String | N/A | Yes | Specify the entity type. |
Is Internal | Checkbox | Unchecked | No | Check if the entity supplied is part of an internal network. |
Entities Separator | String | , | Yes | Specify the delimiter used in the Entities Identifiers field. |
Enrichment JSON | JSON | N/A | No | Specify enrichment data in JSON format. |
PrefixForEnrichment | String | N/A | No | Specify the prefix to add to the enrichment data keys. |
Example
In this scenario, we’re creating three IP entities and enriching them with a field called “is_suspicious”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "created": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], "enriched": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], "failed": [] }
Update Case Description
Description
Updates the description of a case.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Case Description | String | N/A | Yes | Specify the updated description. |
Example
In this scenario, we’re updating the description of the case to “This case is related to suspicious logins.“.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Normalize Entity Enrichment
Description
Receives a list of entity enrichment keys and renames them.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Normalization Data | JSON | N/A | Yes | Specify the JSON in the following format, for example: [ { "entity_field_name": "AT_fields_Name", "new_name": "InternalEnrichment_Name" }, { "entity_field_name": "AT_fields_Direct-Manager", "new_name": "InternalEnrichment_DirectManager_Name" }, { "entity_field_name": "AT_Manager_fields_Work-Email", "new_name": "InternalEnrichment_DirectManager_Email" } ] |
Example
In this scenario, we’re replacing the entity key of “is_bad” to “malicious”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of enriched entities | 5 |
Append to Context Value
Description
Appends a value to an existing context property or creates a new context property if it doesn't exist and adds the value.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Key | String | N/A | Yes | Specify the context property key. |
Value | String | N/A | Yes | Specify the value to append to the context property. |
Delimiter | String | N/A | Yes | Specify the delimiter used in the Value field. |
Example
In this scenario, we’re adding values “T1595” and “T1140” to an existing context key of “MITRE”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Context values | T1595, T1140 |
Create Entity Relationships
Description
Creates a relationship between the supplied entities and the linked entities. If the supplied entities do not exist, it will create them.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Entity Identifier(s) | String | N/A | Yes | Create new or use existing entity identifiers; a single identifier or a comma-separated list of identifiers. |
Entity Identifier(s) Type | Drop Down | User Name | Yes | Specify the entity type. |
Connect As | Drop Down | Source | Yes | Connect the entity identifiers to the target entity identifiers with a Source, Destination or Linked relationship. |
Target Entity Type | Drop Down | Address | Yes | Specify the target entity type to connect the entity identifier(s) to. |
Target Entity Identifier(s) | String | N/A | No | Entities in this comma-separated list, of the type from Target Entity Type, will be linked to the entities in the Entity Identifier(s) parameter. |
Enrichment JSON | JSON | N/A | No | An optional JSON object containing key/value pairs of attributes to add to the newly created entities. |
Separator Character | String | N/A | No | Specify the character that separates the lists of entities in Entity Identifier(s) and/or Target Entity Identifier(s). Defaults to comma. |
Example
In this scenario, we’re creating a relationship between a user and a URL. In this case, David001 has accessed a URL of example.com.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "Entity": "David001", "EntityResult": {} }
Extract URL Domain
Description
Enriches all entities in scope with a new field "siemplifytools_extracted_domain" containing the domain extracted from the entity identifier. If the entity has no domain (a file hash, for example) nothing is returned for it. In addition to entities, a list of URLs can be supplied in the URLs parameter; these are processed in the same way but, not being entities, are not enriched.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Separator | String | , | Yes | Specify the separator string used to separate the URLs. |
URLs | String | N/A | No | Specify one or more URLs to extract the domain from. |
Extract subdomain | Checkbox | N/A | No | Specify whether to extract the subdomain as well. |
Example
In this scenario, we're extracting the domain from the specified URL.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of extracted domains | 1 |
JSON Result
{ "Entity": "https://sample.google.com", "EntityResult": {"domain": "sample.google.com", "source_entity_type": "DestinationURL"} }
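Added example, not the integration's own code: a domain extractor with the behaviour described above (entities with no domain are skipped, URLs from the parameter are processed but not enriched) and the Extract subdomain toggle. How the real action decides where the registered domain ends is not documented on the page, so the small public-suffix list, the treatment of IP addresses as having no domain, and the source_entity_type value "parameter" for URLs passed in the parameter are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the handful of public suffixes that span two labels. The page does
# not document how the action decides what the "domain" of a host is, so this list and the
# label-counting rule below are assumptions of this example, not the action's behaviour.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

_HOST_RE = re.compile(r"[a-z0-9.-]+")


def extract_domain(identifier, extract_subdomain=False):
    """Return the domain found in a URL-like identifier, or None when it has none.

    Bare hosts ("sample.google.com") and scheme-less URLs ("sample.google.com/x") are
    accepted. With extract_subdomain=True the full host is returned; otherwise it is
    reduced to the registered domain (sample.google.com -> google.com).
    """
    text = identifier.strip()
    if not text:
        return None
    # urlsplit only recognises a netloc when a scheme is present, so add one for bare hosts.
    if "://" not in text:
        text = "http://" + text
    try:
        host = (urlsplit(text).hostname or "").strip(".").lower()
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return None
    # Anything that is not a DNS name has no domain: file hashes (no dots), IPv4
    # addresses (digits only), IPv6 literals (colons), single labels, junk characters.
    if (not host or "." not in host or ":" in host
            or host.replace(".", "").isdigit() or not _HOST_RE.fullmatch(host)):
        return None
    if extract_subdomain:
        return host
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def extract_domains(entities, urls="", separator=",", extract_subdomain=False):
    """Mirror the action over (identifier, entity_type) pairs plus the optional URLs parameter.

    Entities get an enrichment record; URLs from the parameter are only processed.
    """
    results, enrichment = [], {}
    for identifier, entity_type in entities:
        domain = extract_domain(identifier, extract_subdomain)
        if domain is None:
            continue  # no domain (hash, IP): the entity is simply skipped
        enrichment[identifier] = {"siemplifytools_extracted_domain": domain}
        results.append({"Entity": identifier,
                        "EntityResult": {"domain": domain, "source_entity_type": entity_type}})
    for raw in (u.strip() for u in urls.split(separator)):
        domain = extract_domain(raw, extract_subdomain) if raw else None
        if domain is not None:
            results.append({"Entity": raw,
                            "EntityResult": {"domain": domain, "source_entity_type": "parameter"}})
    return {"count": len(results), "results": results, "enrichment": enrichment}


if __name__ == "__main__":
    # Constructed entities: a URL, a file hash and an IP address (the last two yield nothing).
    sample = [("https://sample.google.com", "DestinationURL"),
              ("60D88450B376694DC55EB8F40B0F79580D1DF399A7BDF", "FILEHASH"),
              ("172.30.202.229", "ADDRESS")]
    print(extract_domains(sample, urls="https://news.bbc.co.uk/x", extract_subdomain=True))
```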
Check List Subset
Description
Checks if values in one list exist in another list.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Original | String | N/A | Yes | Specify the list of items to check against. JSON list or comma separated. |
Subset | List | N/A | Yes | Specify the subset list. JSON list or comma separated. |
Example
In this scenario, we’re checking if the values 1,2,3 exist in the original list 1,2,3,4,5, which returns true.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Add Alert Scoring Information
Description
Adds an entry to the alert scoring database. The alert score is based on the ratio 5 Low = 1 Medium, 3 Medium = 1 High, 2 High = 1 Critical. An optional tag can be added to the case.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Name | String | N/A | Yes | Specify the name of the check being performed on the alert. |
Description | String | N/A | Yes | Specify the description of the check being performed on the alert. |
Severity | String | Informational | Yes | Specify the severity. |
Category | String | N/A | Yes | Specify the category of the check that was performed. |
Source | String | N/A | No | Specify the part of the alert the score was derived from. Example: Files, user, Email. |
Case Tag | String | N/A | No | Specify tags to add to the case. |
Example
In this scenario, we’re setting the alert score to high due to a suspicious result from VirusTotal.
Action Results
Script Result
Script Result Name | Value options | Example |
Alert_score | Informational, Low, Medium, High, Critical | High |
JSON Result
{ "category": "File Enrichment", "score_data": [{"score_name": "File Enrichment", "description": "VT has found a file to be suspicious", "severity": "High", "score": 3, "source": "Virustotal"}], "category_score": 3 }
Get Siemplify Users
Description
Returns list of all users configured in the system.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Hide Disabled Users | Checkbox | Checked | No | Specify whether to hide disabled users from the results. |
Example
In this scenario, we’re returning all users in the system including disabled users.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "siemplifyUsers": [{"permissionGroup": "Admins", "socRole": "@Administrator", "isDisabled": false, "loginIdentifier": "sample@domain.com", "firstName": "John", "lastName": "Doe", "permissionType": 0, "role": 0, "socRoleId": 1, "email": "sample@domain.com", "userName": "0b3423496fc2-0834302-42f33d-8523408-18c087d2347cf1e", "imageBase64": null, "userType": 1, "identityProvider": -1, "providerName": "Internal", "advancedReportsAccess": 0, "accountState": 2, "lastLoginTime": 1679831126656, "previousLoginTime": 1678950002044, "lastPasswordChangeTime": 0, "lastPasswordChangeNotificationTime": 0, "loginWrongPasswordCount": 0, "isDeleted": false, "deletionTimeUnixTimeInMs": 0, "environments": ["*"], "id": 245, "creationTimeUnixTimeInMs": 1675457504856, "modificationTimeUnixTimeInMs": 1674957504856}] }
Check Entities Fields In Text
Description
Searches, for each entity in scope, a specific field (or several fields selected by a regex on the field name) and compares its value with one or more search strings. Both the entity value and the search strings can first be reduced by a regex. A match is found when one of the post-regex values from the entity enrichment occurs in one or more of the post-regex search strings.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
SearchInData | JSON | [ { "Data": "[Event.from]", "RegEx": "(?<=@)[^.]+(?=\\.)" } ] | Yes | JSON that represents the string(s) you want to search in, using this format: [ { "Data": "", "RegEx": "" } ] |
FieldsInput | JSON | [ { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "" }, { "RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": "" }, { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "HostName: (.*?)" } ] | Yes | JSON that describes which fields should be tested, using this format: [ { "RegexForFieldName": "", "FieldName": "Field name to search", "RegexForFieldValue": "" } ] |
ShouldEnrichEntity | String | domain_matched | No | If set to <VAL>, also adds an enrichment key <VAL> on each matched entity, holding the matched value, so the entity can be recognized as "matched". |
IsCaseSensitive | Checkbox | Unchecked | No | Specify whether the comparison is case sensitive. |
Example
In this scenario, we’re checking if an entity with a field name of “malicious” is in the text specified.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of findings | 0 |
JSON Result
{ "Entity": "EXL88765-AD", "EntityResult": [{"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": "", "ResultsToSearch": {"val_to_search": [[]], "found_results": [], "num_of_results": 0}}] }
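The parameter descriptions leave the matching rule fairly abstract, so the following is an added example (not the action's code) that implements one reading of it on constructed data: the Data strings are reduced by their RegEx, the selected entity fields are reduced by RegexForFieldValue, and an entity value counts as found when it occurs inside one of the reduced Data strings. The entity fields, the sender address and the output keys other than those shown in the JSON result above (findings, enrichment) are assumptions of this example.

```python
import re

# Constructed inputs. The entity fields and the e-mail sender are invented for this example;
# the regexes are the ones shown as parameter defaults on the page.
SEARCH_IN_DATA = [{"Data": "alice@evil-corp.com", "RegEx": r"(?<=@)[^.]+(?=\.)"}]
FIELDS_INPUT = [
    {"RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": ""},
    {"RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": r"HostName: (\S+)"},
]
SAMPLE_ENTITIES = [
    {"identifier": "http://evil-corp.com/login",
     "fields": {"siemplifytools_url_domain": "evil-corp", "body": "HostName: evil-corp Port: 443"}},
    {"identifier": "EXL88765-AD", "fields": {"malicious": "false"}},
]


def _apply_regex(text, pattern, flags):
    """Return [text] when pattern is empty, else every match (group 1 if the pattern has groups)."""
    if not pattern:
        return [text]
    return [m.group(1) if m.groups() else m.group(0) for m in re.finditer(pattern, text, flags)]


def check_entities_fields_in_text(entities, search_in_data, fields_input,
                                  case_sensitive=False, enrich_key="domain_matched"):
    """One reading of the action: reduce the searched-in strings and the entity field values
    by their regexes, then report which entity values occur inside a searched-in string."""
    flags = 0 if case_sensitive else re.IGNORECASE
    fold = (lambda s: s) if case_sensitive else str.lower
    # 1. The haystack: every Data string, cut down to its RegEx captures when a RegEx is given.
    haystack = [h for item in search_in_data
                for h in _apply_regex(item["Data"], item.get("RegEx", ""), flags)]
    results, enrichment, total = [], {}, 0
    for entity in entities:
        per_entity = []
        for spec in fields_input:
            name = spec.get("FieldName", "")
            name_re = spec.get("RegexForFieldName", "")
            value_re = spec.get("RegexForFieldValue", "")
            # 2. Select fields by exact name or by a regex over the field name.
            values = [v for k, v in entity["fields"].items()
                      if (name and k == name) or (name_re and re.fullmatch(name_re, k, flags))]
            # 3. Cut each value down to what RegexForFieldValue captures.
            needles = [n for v in values for n in _apply_regex(str(v), value_re, flags)]
            # 4. A needle counts when it occurs inside any haystack string.
            found = [n for n in needles if n and any(fold(n) in fold(h) for h in haystack)]
            total += len(found)
            per_entity.append({**spec, "ResultsToSearch": {
                "val_to_search": [needles], "found_results": found, "num_of_results": len(found)}})
        # ShouldEnrichEntity: write the first matched value under the configured key.
        first = next((r["ResultsToSearch"]["found_results"][0]
                      for r in per_entity if r["ResultsToSearch"]["found_results"]), None)
        if first is not None and enrich_key:
            enrichment[entity["identifier"]] = {enrich_key: first}
        results.append({"Entity": entity["identifier"], "EntityResult": per_entity})
    return {"findings": total, "results": results, "enrichment": enrichment}


if __name__ == "__main__":
    import json
    print(json.dumps(check_entities_fields_in_text(SAMPLE_ENTITIES, SEARCH_IN_DATA, FIELDS_INPUT), indent=2))
```

With the sample data the sender's domain label "evil-corp" is found both in the entity's *_url_* field and in the HostName captured from its body, while the hostname entity with only a "malicious" field produces the empty ResultsToSearch record shown in the JSON result above.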
Get Integration Instances
Description
Returns all integration instances for an environment.
Parameters
No parameters applicable.
Example
In this scenario, all integration instances in all environments will be returned.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "instances": [{"identifier": "27dee746-1857-41b7-a722-b99699b8d6c8", "integrationIdentifier": "Tools", "environmentIdentifier": "Default", "instanceName": "Tools_1", "instanceDescription": "test", "isConfigured": true, "isRemote": false, "isSystemDefault": false},{...........}] }
Delay Playbook V2
Description
Temporarily stops a playbook from completing for a specified period of time.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Seconds | Integer | 0 | No | Specify the number of seconds to delay the playbook for. |
Minutes | Integer | 1 | No | Specify the number of minutes to delay the playbook for. |
Hours | Integer | 0 | No | Specify the number of hours to delay the playbook for. |
Days | Integer | 0 | No | Specify the number of days to delay the playbook for. |
Cron Expression | String | N/A | No | Determines when the playbook should proceed using a cron expression. Takes priority over the other parameters. |
Example
In this scenario, we’re delaying the playbook for 12 and a half hours.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Get Original Alert Json
Description
Returns JSON result of the original alert (raw data).
Parameters
No parameters applicable.
Example
In this scenario, the original raw JSON of the alert is returned.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "CreatorUserId": null, "Events": [{"_fields": {"BaseEventIds": "[]", "ParentEventId": -1, "deviceEventClassId": "IRC Connections", "DeviceProduct": "IPS_Product", "StartTime": "1667497096184", "EndTime": "1667497096184"}, "_rawDataFields": {"applicationProtocol": "TCP", "categoryOutcome": "blocked", "destinationAddress": "104.131.182.103", "destinationHostName": "www.ircnet.org", "destinationPort": "770", "destinationProcessName": "MrlCS.sob", "destinationUserName": "XWTTRYzNr1l@gmail.com", "deviceAddress": "0.0.0.0", "deviceEventClassId": "IRC Connections", "deviceHostName": "ckIYC2", "Field_24": "B0:E7:DF:6C:EF:71", "deviceProduct": "IPS_Product", "deviceVendor": "Vendor", "endTime": "1667497110906", "eventId": "0aa16009-57b4-41a3-91ed-81347442ca29", "managerReceiptTime": "1522058997000", "message": "Connection to IRC Server", "name": "IRC Connections", "severity": "8", "sourceAddress": "0.0.0.0", "sourceHostName": "jhon@domain.local", "startTime": "1667497110906", "sourcetype": "Connection to IRC Server"}, "Environment": null, "SourceSystemName": null, "Extensions": []}], "Environment": "Default", "SourceSystemName": "Arcsight", "TicketId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Description": "IRC Connections", "DisplayId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Reason": null, "Name": "IRC Connections", "DeviceVendor": "IPS", "DeviceProduct": "IPS_Product", "StartTime": 1667497110906, "EndTime": 1667497110906, "Type": 1, "Priority": -1, "RuleGenerator": "IRC Connections", "SourceGroupingIdentifier": null, "PlaybookTriggerKeywords": [], "Extensions": [], "Attachments": null, "IsTrimmed": false, "DataType": 1, "SourceType": 1, "SourceSystemUrl": null, "SourceRuleIdentifier": null }
Get Current Time
Description
Returns the current date and time.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Datetime Format | String | %d/%m/%Y %H:%M | Yes | Specify the format of the date and time. |
Example
In this scenario, we’re returning a date and time value using the following format: %d/%m/%Y %H:%M:%S
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Date time value | 03/11/2022 20:33:43 |
Update Alert Score
Description
Updates the alert score by the amount provided.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Input | Integer | N/A | Yes | Specify the amount to increment, or decrement (negative number), the score by. |
Example
In this scenario, we’re decreasing the alert score by 20.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Input value | -20 |
Add Comment to Entity Log
Description
Adds a comment to the entity log, in the Entity Explorer, for each entity in scope.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
User | Dropdown | @Administrator | Yes | Specify the user who created the comment. |
Comment | String | N/A | Yes | Specify the comment that will be added to the entity log. |
Example
Action Results
Script Result
Script Result Name | Value options | Example |
N/A | N/A | N/A |
Re-Attach Playbook
Description
Removes a playbook from a case, deletes any result data in the case from that playbook, and re-attaches the playbook so it will run again. Requires the PostgreSQL integration to be installed and configured on the Shared Environment with an instance name of Chronicle SOAR. See CSM / Support for additional details.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | Dropdown | N/A | Yes | Specify the playbook to re-attach. |
Example
In this scenario, we’re re-attaching a playbook called attach_playbook_test.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False/Please configure the Chronicle SOAR instance of the PostgreSQL integration. | True |
Lock Playbook
Description
Pauses the current playbook until all playbooks from the previous alert complete.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Async Action Timeout | Integer | 1 Day | No | The timeout for async actions defines the total time permitted for this action (the sum of all iterations' runtime). |
Async Polling Interval | Integer | 1 Hour | No | Set the duration between each polling attempt during an async action's runtime. |
Example
In this scenario, we’re pausing the current playbook and checking every 30 seconds whether all playbooks on the previous alert in the case are complete.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Find First Alert
Description
Returns the identifier of the first alert in a given case.
Parameters
No parameters applicable.
Example
In this scenario, the identifier of the first alert in the case is returned.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Alert identifier value | IRC CONNECTIONS9A33308C-AC62-4A41-8F73-20529895D567 |
Look-A-Like Domains
Description
Compares domain entities against the list of domains defined for the environment. If the domains are similar the entity will be marked as suspicious and enriched with the matching domain.
Parameters
No parameters applicable.
Example
In this scenario, we’re checking if external domain entities look similar to the domains configured in the domains list in settings.
Action Results
Script Result
Script Result Name | Value options | Example |
look_a_like_domain_found | True/False | True |
JSON Result
{ "Entity" : {"EntityResult" : { "look_a_like_domains" : ["outlooks.com"]}} }
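Added example (not the integration's implementation, which the page does not show) of the comparison this action performs: each domain entity is measured against the configured domain list with an edit distance, and anything close to, but not identical to, a configured domain is reported. The ORG_DOMAINS list, the distance threshold and the is_suspicious flag in the result are assumptions of this example.

```python
# Constructed stand-in for the domains configured for the environment in settings.
ORG_DOMAINS = ["outlook.com", "example-corp.com"]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings, O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain):
    """Lower-case, drop a trailing dot and a leading 'www.' so the comparison is on the name itself."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def look_alike_domains(entity_domains, org_domains=ORG_DOMAINS, max_distance=2):
    """Map each entity domain to the configured domains it imitates.

    A domain is a look-alike when it is within `max_distance` edits of a configured domain
    but not identical to it (the genuine domain is never suspicious). The threshold is an
    assumption of this example; a fixed distance over-matches very short domains, so tune
    it against your own list.
    """
    findings = {}
    for entity in entity_domains:
        candidate = normalise(entity)
        matches = [org for org in org_domains
                   if candidate != normalise(org)
                   and levenshtein(candidate, normalise(org)) <= max_distance]
        if matches:
            findings[entity] = matches
    return findings


def to_action_result(findings):
    """Shape the findings like the action's JSON result, one record per suspicious entity."""
    return [{"Entity": entity,
             "EntityResult": {"look_a_like_domains": matches, "is_suspicious": True}}
            for entity, matches in findings.items()]


if __name__ == "__main__":
    # Constructed entities: two typosquats, the genuine domain, an unrelated domain.
    print(to_action_result(look_alike_domains(
        ["outlooks.com", "outlook.com", "0utlook.com", "github.com"])))
```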
Change Case Name
Description
Changes a case name/title.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
New Name | String | N/A | No | Specify the new name of the case. |
Only If First Alert | Checkbox | Unchecked | No | If checked, the case name is only changed when the action runs on the first alert in the case. |
Example
In this scenario, the title of the case is changed to “Phishing - Suspicious Email” only if the action runs on the first alert in the case.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Spell Check String
Description
Checks the spelling of the input string. It outputs the accuracy percentage, the total number of words, the number of misspelled words, a list of each misspelled word with its correction, and a corrected version of the input string.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
String | String | N/A | Yes | Specify the string that will be checked for misspellings. |
Example
In this scenario, we’re spell checking the input string “Testing if thsi is a mispelled wodr.”.
Action Results
Script Result
Script Result Name | Value options | Example |
accuracy_percentage | Percentage value | 71 |
JSON Result
{ "input_string": "Testing if thsi is a mispelled wodr.", "total_words": 7, "total_misspelled_words": 2, "misspelled_words": [{"misspelled_word": "mispelled", "correction": "misspelled"}, {"misspelled_word": "wodr", "correction": "word"}], "accuracy": 71, "corrected_string": "Testing if thsi is a misspelled word." }
Search Text
Description
Searches the input text for the 'Search For' string, or loops through the 'Search For Regex' list and finds matches in the input text. If there is a match, the action returns true.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Text | String | N/A | Yes | Specify the text that will be searched. |
Search For | String | N/A | No | Specify the string to search for in the Text field. |
Search For Regex | String | N/A | No | List of regexes that will be used to search the text. Each regex should be wrapped in double quotes. Supports a comma-delimited list. |
Case Sensitive | Checkbox | N/A | No | Specify whether the search should be case sensitive. |
Example
In this scenario, we’re checking if the word "malicious" exists in the “Text” field value.
Action Results
Script Result
Script Result Name | Value options | Example |
match_found | True/False | True |
JSON Result
{ "matches": [{"search": "malicious", "input": "This IOC is malicious.", "match": true}] }
Set Context Value
Description
Sets a key and value in a specific context. This action is often used with the “Get Context Value” action to retrieve the value of the key.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Value | String | N/A | Yes | Specify the context value. |
Key | String | N/A | Yes | Specify the context key. |
Scope | Dropdown | Alert | Yes | Specify the context assignment scope (Alert, Case, Global). |
Example
In this scenario, we’re setting a context key “malicious” to the value “yes”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Create Siemplify Task
Description
Assigns a task to a user or role. The task will be related to the case the action ran on.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Task Title | String | N/A | No | Specify the title of the task. |
SLA (in minutes) | Integer | 480 | Yes | Specify the amount of time, in minutes, the assigned user/role has to respond to the task. |
Task Content | String | N/A | Yes | Specify the details of the task. |
Assign To | Drop Down | N/A | Yes | Specify the user or role the task will be assigned to. |
Example
In this scenario, a task is created instructing Tier 3 to run a virus scan.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Assign Case To User
Description
Assigns a case to a user.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Case Id | String | N/A | Yes | Specify the case id. Use [Case.Id] for the current case. |
Assign To | String | @Admin | Yes | Specify the user to assign the case to. This is the user's ID; use the “Get Siemplify Users” action to retrieve the ID of a specific user. |
Alert Id | String | N/A | Yes | Specify the alert id. Use [Alert.Identifier]. |
Example
In this scenario, we’re assigning the current case to a specific user using their ID.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Get Case Data
Description
Retrieves all data from a case and returns a JSON result. The result includes comments, entity information, insights, playbooks that ran, alert information and events.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Case Id | Integer | N/A | No | Specify the case Id to query. If left blank, the current case is used. |
Example
In this scenario, we’re retrieving case details from the current case.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "wallData": [{"commentForClient": null, "comment": null, "modificationTimeUnixTimeInMsForClient": 0, "creatorUserId": "8f8er8d6-ee8b-478e-9ee592-cc27e9addda13b", "id": 6357, "type": 5, "caseId": 36902, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397165, "creationTimeUnixTimeInMs": 1680717397165, "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"}, {"actionTriggerType": 0, "integration": "Tools", "executingUser": null, "playbookName": "New Playbook", "playbookIsInDebugMode": true, "status": 5, "actionProvider": "Scripts", "actionIdentifier": "Tools_Get Case Data_1", "actionResult": "Action started", "alertIdentifiers": ["SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"], "creatorUserId": null, "id": 7677, "type": 3, "caseId": 0, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397401, "creationTimeUnixTimeInMs": 1680717397401, "alertIdentifier": null}], "alerts": [{"ticketId": "d21ebvcxzb88-35vc35-46b4-9edd08-063696d7cc092", "status": 0, "identifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "hasWorkflows": true, "workflowsStatus": 1, "sourceSystemName": "CrowdStrikeFalcon", "securityEventCards": [{"caseId": 36902, "eventId": "5fde7844-0099-4c5d-a562-63e2d0deb7e5", "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "eventName": "CustomIOAWinLowest", "product": "Falcon", "sources": [{"isValid": true, "identifier": "172.30.202.229", "type": "ADDRESS"}, {"isValid": true, "identifier": "EXLAB2019-AD", "type": "HOSTNAME"}, {"isValid": true, "identifier": "E019-AD$", "type": "USERUNIQNAME"}], "destinations": [], "artificats": [{"isValid": true, "identifier": "MPCMDRUN.EXE", "type": "FILENAME"}, {"isValid": true, "identifier": "60D88450B376694DC55EB8F40B0F79580D1DF399A7BDF", "type": "FILEHASH"}], "port": null, "outcome": null, "time": "2023-03-01T19:51:00Z", "deviceEventClassId": "Indicator of Attack", "fields": [{"isHighlight": true, "groupName": "HIGHLIGHTED FIELDS", "hideOptions": false, "items": [{"originalName": "startTime", "name": "Start Time", "value": "1680615463369"}, {"originalName": "endTime", "name": "End Time", "value": "1680615463369"}]}, {"isHighlight": false, "groupName": "Default", "hideOptions": false, "items": [{"originalName": "cid", "name": "cid", "value": "27fe4e4760b8476b2b6650e5a74"}, {"originalName": "created_timestamp", "name": "created_timestamp", "value": "2023-03-01T19:51:11.387187948Z"}........................ }
Wait For Playbook to Complete
Description
Pauses the current playbook until another playbook or block, that is running on the same alert, completes.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | String | N/A | No | Specify the name of the block or playbook that you want to complete first. |
Example
In this scenario, we’re pausing the current playbook until the “investigation block” that’s running on the same alert is complete.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Jobs
Close Cases Based On Search
Description
This job closes all cases matched by a search query. The Search Payload is the payload used in the 'CaseSearchEverything' API call. To obtain an example of this value, go to Search in the UI and open the browser's Developer Tools. Search for the cases to close, look for the "CaseSearchEverything" API call in DevTools, copy the JSON payload of the POST request and paste it into "Search Payload". The Close Reason should be 0 or 1: 0 = malicious, 1 = not malicious. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Search Payload | JSON | N/A | No | Specify the JSON payload to search with. Example: {"tags":[],"ruleGenerator":[],"caseSource":[],"stage":[],"environments":[],"assignedUsers":[],"products":[],"ports":[],"categoryOutcomes":[],"status":[],"caseIds":[],"incident":[],"importance":[],"priorities":[],"pageSize":50,"isCaseClosed":false,"title":"","startTime":"2023-01-22T00:00:00.000Z","endTime":"2023-01-22T23:59:59.999Z","requestedPage":0,"timeRangeFilter":1} |
Close Comment | String | N/A | Yes | Specify a close comment. |
Close Reason | String | N/A | Yes | Specify the closure reason. 0 = malicious, 1 = not malicious. |
Root Cause | Integer | N/A | Yes | Specify the root cause. Root Cause comes from Settings -> Case Data -> Case Close Root Cause. |
Chronicle SOAR Username | String | N/A | Yes | Specify the Chronicle SOAR username. |
Chronicle SOAR Password | Password | N/A | Yes | Specify the Chronicle SOAR password. |
Script Result