Overview

A set of utility actions for data manipulation to power up playbook capabilities.

Actions

DNS Lookup

Description

Performs a DNS lookup using a specified DNS resolver.

Parameters

Parameter Type Default Value Is Mandatory Description
DNS Server IP Address N/A Yes Specify a single or comma separated DNS servers.

Example

In this scenario, we’re using Google's public DNS address of 8.8.8.8 to look up external domain entities.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "Entity": "WWW.IRCNET.ORG",
     "EntityResult": [{"Type": "A", "Response": "176.9.157.114", "DNS Server": "8.8.8.8"}]
    }

Add Or Update Alert Additional Data

Description

Adds or updates fields in the alert additional data. Results will be shown in a field called “OFFENSE_ID” in the Alerts overview.

Parameters

Parameter Type Default Value Is Mandatory Description
Json Fields JSON N/A Yes You can enter either free text (for one variable) or a string representing a JSON dictionary (can be nested).

Example

In this scenario, we’re adding MITRE attack details to the alerts which will be displayed in the alerts overview.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult # of items in dictionary 2
  • JSON Result
    {
    "dict": {"mitre": " T1059"}, "list": []
    }

Attach Playbook to All Case Alerts

Description

Attaches a specific playbook or block to all alerts in a case.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Specify the playbook or block name that will be added to all alerts in a case.

Example

In this scenario, we’re attaching a playbook called “Phishing playbook” to all alerts in a case.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Attach Playbook to Alert

Description

Attaches a specific playbook or block to the current alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Specify the playbook or block name that will be added to all alerts in a case.

Example

In this scenario, we’re attaching a block called “Containment Block” to the current alert in the case.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Buffer

Description

Converts a JSON input to a JSON object.

Parameters

Parameter Type Default Value Is Mandatory Description
ResultValue String N/A No Placeholder value that will be returned as the ScriptResult value.
JSON JSON N/A No JSON that will be displayed in the expression builder.

Example

In this scenario, JSON input value will be displayed in the JSON expression builder to be used for further actions.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult ResultValue parameter input value success
  • JSON Result
    {
    "domain" : "company.com",
    "domain2" : "company2.com"
    }

Get Certificate Details

Description

Retrieves certificate details of a given URL.

Parameters

Parameter Type Default Value Is Mandatory Description
Url to check URL expired.badssl.com Yes Specify the URL to retrieve certificate details from.

Example

In this scenario, we’re retrieving certificate details from expired.badssl.com site.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "hostname": "expired.badssl.com",
     "ip": "104.154.89.105", 
    "commonName": "*.badssl.com",
     "is_self_signed": false, 
    "SAN": [["*.badssl.com", "badssl.com"]], 
    "is_expired": true, 
    "issuer": "COMODO RSA Domain Validation Secure Server CA", 
    "not_valid_before": "04/09/2015", 
    "not_valid_after": "04/12/2015", 
    "days_to_expiration": -2762
    }
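The fields in that JSON result (expiry state, days to expiration, SAN list, self-signed check) can be derived from the validity window and names of a certificate. The following is an added illustration, not the Tools integration's own code: it builds the same summary from a certificate in the shape Python's `ssl` module returns from `getpeercert()`. `SAMPLE_CERT` is constructed from the names and dates in the example above, and `REFERENCE_TIME` is fixed to the date shown in the "Get Current Time" example so the sample reproduces the -2762 days figure; the date format is assumed to be mm/dd/yyyy, which is what the example dates (April 9 to April 12, 2015) imply.

```python
import json
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the names and
# validity window follow the page's expired.badssl.com example (not a real fetched cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.badssl.com"),),),
    "issuer": ((("commonName", "COMODO RSA Domain Validation Secure Server CA"),),),
    "subjectAltName": (("DNS", "*.badssl.com"), ("DNS", "badssl.com")),
    "notBefore": "Apr  9 00:00:00 2015 GMT",
    "notAfter": "Apr 12 23:59:59 2015 GMT",
}
# Fixed "now" so the sample is reproducible (the date in the page's Get Current Time example).
REFERENCE_TIME = datetime(2022, 11, 3, 20, 33, 43, tzinfo=timezone.utc)


def _cert_time(value):
    """Parse an OpenSSL-style 'notBefore'/'notAfter' string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def _name_attribute(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for attr_key, attr_value in rdn:
            if attr_key == key:
                return attr_value
    return None


def summarize_certificate(cert, hostname, now=None):
    """Build the validity summary shown in the action's JSON result. Dates are rendered
    as mm/dd/yyyy (assumed from the page's 04/09/2015 -> 04/12/2015 example)."""
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    return {
        "hostname": hostname,
        "commonName": _name_attribute(cert["subject"], "commonName"),
        "issuer": _name_attribute(cert["issuer"], "commonName"),
        "is_self_signed": cert["subject"] == cert["issuer"],
        "SAN": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_valid_before": not_before.strftime("%m/%d/%Y"),
        "not_valid_after": not_after.strftime("%m/%d/%Y"),
        "is_expired": now > not_after,
        "is_not_yet_valid": now < not_before,  # extra check: a future notBefore is also invalid
        "days_to_expiration": (not_after.date() - now.date()).days,
    }


def fetch_peer_certificate(hostname, port=443, timeout=5.0):
    """Fetch the live, validated leaf certificate. Caveat: the standard library only returns
    the parsed dict when chain validation succeeds, so an expired or untrusted certificate
    (such as the page's example host) raises SSLCertVerificationError here; summarising
    those needs a full X.509 parser rather than getpeercert()."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw_sock:
        with context.wrap_socket(raw_sock, server_hostname=hostname) as tls_sock:
            return tls_sock.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a host whose chain validates, e.g. badssl.com
        host = sys.argv[1]
        print(json.dumps(summarize_certificate(fetch_peer_certificate(host), host), indent=2))
    else:
        print(json.dumps(summarize_certificate(SAMPLE_CERT, "expired.badssl.com", REFERENCE_TIME), indent=2))
```

Run it with no arguments to see the sample summary, or with a hostname to summarise a live certificate whose chain validates. Negative `days_to_expiration` values are the signal a playbook would branch on, and `is_not_yet_valid` catches the less common mis-issued or clock-skewed case that `is_expired` alone misses.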

Get Context Value

Description

Retrieves a value of a context key in a case/alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Scope Drop down Alert Yes Specify the scope of the key values whether it’s in a case, alert or global.
Key String N/A Yes Specify the key.

Example

In this scenario, we’re retrieving a context value from a key called impact in a case. This action is used along with the “Set Context Value” action that adds the key value pairs to the case/alert.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Context value High



    Get Email Templates

    Description

    Returns all email templates in the system.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Template Type Drop down Standard Yes Specify the template type to return whether standard or HTML.

    Example

    In this scenario, we’re returning all HTML based email templates.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult JSON Result containing HTML code JSON Result shown below
    • JSON Result
      {
      "templates": [{"type": 1, "name": "test 1", "content": "<html>\n    <head>\n    <style type=\"text/css\"> .title\n\n    { color: blue; text-decoration: bold; text-size: 1em; }\n    .author\n    { color: gray; }\n\n    </style>\n    </head>\n\n    <body>\n    <span class=\"title\">La super bonne</span>\n    {Text}\n    [Case.Id]\n    </h1> <br/>\n    </body>\n\n    </html>", "creatorUserName": "f00942-fa040-4422324-b2c43e-de40fdsff122b9c4", "forMigration": false, "environments": ["Default"], "id": 3, "creationTimeUnixTimeInMs": 1672054127271, "modificationTimeUnixTimeInMs": 1672054127279}]
      }

    Create Entities With Separator

    Description

    Creates entities and adds them to the alert.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Entities Identifiers String N/A Yes Specify the entity or entities to be added to the alert.
    Entity Type String N/A Yes Specify the entity type.
    Is Internal Checkbox Unchecked No Check if the entity supplied is part of an internal network.
    Entities Separator String , Yes Specify the delimiter used in the entities identifiers field.
    Enrichment JSON Dropdown JSON No Specify enrichment data in JSON format.
    PrefixForEnrichment String N/A No Specify the prefix to add to the enrichment data.

    Example

    In this scenario, we’re creating three IP entities and enriching them with a field called “is_suspicious”.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
    • JSON Result
      {
      "created": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], 
      "enriched": ["0.0.0.0", "0.0.0.1", "0.0.0.2"],
      "failed": []
      }

    Update Case Description

    Description

    Updates the description of a case.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Case Description String N/A Yes Specify the updated description.

    Example

    In this scenario, we’re updating the description of the case to “This case is related to suspicious logins.“.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Normalize Entity Enrichment

    Description

    Receives a list of keys from the entity and replaces them.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Normalization Data JSON N/A Yes Specify the JSON in the following format example: [ { "entity_field_name": "AT_fields_Name", "new_name": "InternalEnrichment_Name" }, { "entity_field_name": "AT_fields_Direct-Manager", "new_name": "InternalEnrichment_DirectManager_Name" }, { "entity_field_name": "AT_Manager_fields_Work-Email", "new_name": "InternalEnrichment_DirectManager_Email" } ]

    Example

    In this scenario, we’re replacing the entity key of “is_bad” to “malicious”.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Number of enriched entities 5

    Append to Context Value

    Description

    Appends a value to an existing context property or creates a new context property if it doesn't exist and adds the value.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Key String N/A Yes Specify the context property key.
    Value String N/A Yes Specify the value to append to the context property.
    Delimiter String N/A Yes Specify the delimiter used in the value field.

    Example

    In this scenario, we’re adding values “T1595” and “T1140” to an existing context key of “MITRE”.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Context values T1595, T1140

    Create Entity Relationships

    Description

    Creates a relationship between the supplied entities and the linked entities. If the supplied entities do not exist, it will create them.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Entity Identifier(s) String N/A Yes Create new or use existing entity identifiers or comma-separated list of identifiers.
    Entity Identifier(s) Type Drop Down User Name Yes Specify the entity type.
    Connect As Drop Down Source Yes Connect entity identifiers using source, destination, or linked relationships to the target entity identifiers.
    Target Entity Type Drop Down Address Yes Specify the target entity type to connect the entity identifier(s) to.
    Target Entity Identifier(s) String N/A No Entities in this comma separated list, of the type from Target Entity Type, will be linked to the entities in the Entities Identifier(s) parameter.
    Enrichment JSON JSON N/A No An optional JSON object containing key / value pairs of attributes that can be added to the newly created entities.
    Separator Character String N/A No Specify the character to separate the list of entities in Entity Identifiers and/or Target Entity Identifiers by. Defaults to comma.

    Example

    In this scenario, we’re creating a relationship between a user and a URL. In this case, David001 has accessed a URL of example.com.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
    • JSON Result
      {
      "Entity": "David001", "EntityResult": {}
      }

    Extract URL Domain

    Description

    Enriches all entities with a new field "siemplifytools_extracted_domain" containing the domain extracted from the entity identifier. If the entity has no domain (a file hash, for example) nothing is returned for it. In addition to entities, the user can specify a list of URLs as a parameter; these are processed without enriching anything.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Separator String , Yes Specify the separator string to use to separate URLs.
    URLs String N/A No Specify one or more URLs to extract the domain from.
    Extract subdomain Checkbox N/A No Specify if you want to extract the subdomain as well.

    Example

    In this scenario, we're extracting the domain from the specified URL.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Number of extracted domains 1
    • JSON Result
      {
      "Entity": "https://sample.google.com", "EntityResult": {"domain": "sample.google.com", "source_entity_type": "DestinationURL"}
      }
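As an added example (not the integration's own code), this shows one way to implement the extraction the action describes: URLs, bare hostnames and e-mail style identifiers yield a domain, while identifiers with no domain (a file hash, a bare IP address) yield nothing, and the "Extract subdomain" toggle decides whether the full host or only the registered domain is returned. The "last two labels" rule used for the registered domain is an assumption that is right for the page's `sample.google.com` example but wrong for multi-label public suffixes; the comment says what to use instead.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Syntactic check for a DNS name with at least two labels (host is lower-cased before use).
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def extract_domain(identifier, extract_subdomain=True):
    """Return the domain found in a URL, hostname or e-mail address, or None when the
    identifier carries no domain (file hash, IP address, free text)."""
    value = identifier.strip()
    if not value:
        return None
    if "@" in value and "/" not in value:  # e-mail style identifier: keep the part after the last @
        value = value.rsplit("@", 1)[1]
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        host = (parts.hostname or "").strip(".").lower()  # drops port, userinfo, trailing dot
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if not host:
        return None
    try:
        ipaddress.ip_address(host)  # a bare IP address has no domain to extract
        return None
    except ValueError:
        pass
    if not DOMAIN_RE.match(host):
        return None
    if extract_subdomain:
        return host
    # Registered-domain approximation (assumption): the last two labels. Correct for
    # sample.google.com, wrong for multi-label public suffixes such as example.co.uk;
    # use a public suffix list (e.g. the publicsuffix2 package) when that matters.
    return ".".join(host.split(".")[-2:])


def extract_domains(urls, separator=",", extract_subdomain=True):
    """Mirror the action's URLs parameter: split on the separator and report per input
    in the shape of the page's JSON result."""
    results = []
    for raw in urls.split(separator):
        raw = raw.strip()
        if not raw:
            continue
        results.append({"Entity": raw, "EntityResult": {"domain": extract_domain(raw, extract_subdomain)}})
    return results


if __name__ == "__main__":
    # Constructed inputs: a URL, a hostname with port, an e-mail address, an IP and a hash.
    sample = "https://sample.google.com, mail.example.org:8443, jhon@domain.local, 8.8.8.8, d41d8cd98f00b204e9800998ecf8427e"
    for item in extract_domains(sample, extract_subdomain=False):
        print(item)
```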

    Check List Subset

    Description

    Checks if values in one list exist in another list.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Original String N/A Yes Specify the list of items to check against. Json list or comma separated.
    Subset List N/A Yes Specify the subset list. Json list or comma separated.

    Example

    In this scenario, we’re checking if values 1,2,3 exist in the original list of 1,2,3,4,5 resulting in a true result value.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
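Both parameters accept "Json list or comma separated", so the real work is parsing each form consistently before comparing. The following is an added example, not the integration's code: it normalises both formats to trimmed strings (so JSON `[1, 2, 3]` and `1,2,3` compare equal), treats an empty subset as contained, and also reports which items were missing, which is more useful in a playbook branch than the bare true/false. The `case_sensitive` switch is an assumption the page does not mention.

```python
import json


def parse_list_parameter(value):
    """Accept the formats the action allows ("Json list or comma separated") and return
    a list of trimmed strings. Items are stringified so JSON [1, 2] and "1, 2" compare equal."""
    if value is None:
        return []
    if isinstance(value, list):
        items = value
    else:
        text = str(value).strip()
        if not text:
            return []
        items = None
        if text.startswith("["):
            try:
                decoded = json.loads(text)
                if isinstance(decoded, list):
                    items = decoded
            except json.JSONDecodeError:
                pass  # looked like JSON but is not; treat as comma separated below
        if items is None:
            items = text.split(",")
    return [str(item).strip() for item in items if str(item).strip()]


def check_list_subset(original, subset, case_sensitive=True):
    """Return the action's true/false result plus the items of `subset` that are absent from
    `original`. An empty subset is trivially contained."""
    original_items = parse_list_parameter(original)
    subset_items = parse_list_parameter(subset)
    if not case_sensitive:  # assumption: the page does not describe case handling
        original_items = [item.lower() for item in original_items]
        subset_items = [item.lower() for item in subset_items]
    available = set(original_items)
    missing = [item for item in subset_items if item not in available]
    return {"ScriptResult": not missing, "missing": missing}


if __name__ == "__main__":
    print(check_list_subset("1,2,3,4,5", "1,2,3"))          # the page's example: True
    print(check_list_subset("1,2,3,4,5", "[1, 2, 6]"))      # JSON subset with a missing item
```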

    Add Alert Scoring Information

    Description

    Adds an entry to the alert scoring database. Alert score is based on the ratio: 5 Low = 1 Medium. 3 Medium = 1 High. 2 High = 1 Critical. Optional tag added to case.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Name String N/A Yes Specify the name of the check being performed on the alert.
    Description String N/A Yes Specify the description of the check being performed on the alert.
    Severity String Informational Yes Specify the severity.
    Category String N/A Yes Specify the category of the check that was performed.
    Source String N/A No Specify the part of the alert the score was derived from. Example: Files, user, Email.
    Case Tag String N/A No Specify tags to add to the case.

    Example

    In this scenario, we’re setting the alert score to high due to a suspicious result from VirusTotal.

    Action Results

    • Script Result
      Script Result Name Value options Example
      Alert_score Informational, Low, Medium, High, Critical High
    • JSON Result
      {
      "category": "File Enrichment",
       "score_data": [{"score_name": "File Enrichment", "description": "VT has found a file to be suspicious", "severity": "High", "score": 3, "source": "Virustotal"}],
       "category_score": 3
      }

    Get Siemplify Users

    Description

    Returns list of all users configured in the system.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Hide Disabled Users Checkbox Checked No Specify whether to hide disabled users from the results.

    Example

    In this scenario, we’re returning all users in the system including disabled users.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
    • JSON Result
      {
      "siemplifyUsers": [{"permissionGroup": "Admins", "socRole": "@Administrator", "isDisabled": false, "loginIdentifier": "sample@domain.com", "firstName": "John", "lastName": "Doe", "permissionType": 0, "role": 0, "socRoleId": 1, "email": "sample@domain.com", "userName": "0b3423496fc2-0834302-42f33d-8523408-18c087d2347cf1e", "imageBase64": null, "userType": 1, "identityProvider": -1, "providerName": "Internal", "advancedReportsAccess": 0, "accountState": 2, "lastLoginTime": 1679831126656, "previousLoginTime": 1678950002044, "lastPasswordChangeTime": 0, "lastPasswordChangeNotificationTime": 0, "loginWrongPasswordCount": 0, "isDeleted": false, "deletionTimeUnixTimeInMs": 0, "environments": ["*"], "id": 245, "creationTimeUnixTimeInMs": 1675457504856, "modificationTimeUnixTimeInMs": 1674957504856}]
      }

    Check Entities Fields In Text

    Description

    Searches each entity in scope for a specific enrichment field (or several fields selected by a regex on the field name) and compares the field values with one or more values searched in. The compared values can also be passed through a regex first. A match is found when one of the post-regex values from the entity enrichment is contained in one or more of the values searched in.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    SearchInData JSON [ { "Data": "[Event.from]", "RegEx": "(?<=@)[^.]+(?=\\.)" } ] Yes JSON that represents the string(s) you want to search in using this format: [ { "Data": "", "RegEx": "" } ]
    FieldsInput JSON [ { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "" }, { "RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": "" }, { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "HostName: (.*?)" } ] Yes A JSON that describes which fields should be tested, in the format: [ { "RegexForFieldName": "", "FieldName": "Field name to search", "RegexForFieldValue": "" } ]

    ShouldEnrichEntity String domain_matched No If set to <VAL>, the action also adds an enrichment field to each matched entity, holding the matched value, so the entity can be recognized as "matched". The key of that field will be <VAL>.

    IsCaseSensitive Checkbox Unchecked No Specify if the field is case sensitive.

    Example

    In this scenario, we’re checking if an entity with a field name of “malicious” is in the text specified.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Number of findings 0
    • JSON Result
      {
      "Entity": "EXL88765-AD", "EntityResult": [{"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": "", "ResultsToSearch": {"val_to_search": [[]], "found_results": [], "num_of_results": 0}}]
      }
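The two JSON parameters are easier to understand by seeing the matching logic run end to end. The code below is an added illustration written against plain dicts, not the integration's code: the entity, its enrichment fields, the SearchInData items and the FieldsInput rules are all constructed samples (the regex on the second SearchInData item is the page's default, which pulls the domain label out of an e-mail address). Assumptions: a regex with a capture group yields group 1 and one without yields the whole match, RegexForFieldName is matched against the whole field name, a finding is a substring hit of an entity value inside a search value, and empty extractions are skipped so a pattern such as the page's `HostName: (.*?)` (which captures the empty string) cannot match everything.

```python
import copy
import re

# Constructed sample data, not taken from a live case.
SAMPLE_ENTITIES = [{
    "Identifier": "EXL88765-AD",
    "additional_properties": {
        "body": "HostName: EXL88765-AD\nUser: jhon",
        "phish_url_1": "http://www.ircnet.org/login",
        "malicious": "yes",
    },
}]
SAMPLE_SEARCH_IN_DATA = [
    {"Data": "Blocked connection from exl88765-ad to www.ircnet.org:770", "RegEx": ""},
    {"Data": "jhon@domain.local", "RegEx": r"(?<=@)[^.]+(?=\.)"},   # the page's default regex
]
SAMPLE_FIELDS_INPUT = [
    {"RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": r"HostName: (\S+)"},
    {"RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": r"https?://([^/]+)"},
    {"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": ""},
]


def _regex_values(text, pattern):
    """Values a regex extracts from text: group 1 when the pattern has a group, otherwise the
    whole match. An empty pattern means "use the text as-is"."""
    if not pattern:
        return [text]
    return [m.group(1) if m.groups() else m.group(0) for m in re.finditer(pattern, text)]


def _select_fields(enrichment, rule):
    """Pick enrichment fields by exact FieldName, or by RegexForFieldName when no name is given."""
    if rule.get("FieldName"):
        name = rule["FieldName"]
        return {name: enrichment[name]} if name in enrichment else {}
    if rule.get("RegexForFieldName"):
        return {k: v for k, v in enrichment.items() if re.fullmatch(rule["RegexForFieldName"], k)}
    return {}


def check_entities_fields_in_text(entities, search_in_data, fields_input,
                                  should_enrich_entity="domain_matched", is_case_sensitive=False):
    """A finding is an extracted entity value that is a substring of one of the post-regex
    'search in' values. Returns the per-entity result in the page's shape, the finding count,
    and a copy of the entities with the enrichment key added."""
    norm = (lambda s: s) if is_case_sensitive else str.lower
    haystacks = [v for item in search_in_data
                 for v in _regex_values(str(item.get("Data", "")), item.get("RegEx") or "")]
    entities = copy.deepcopy(entities)  # never mutate the caller's objects
    results, findings = [], 0
    for entity in entities:
        enrichment = entity.setdefault("additional_properties", {})
        entity_results = []
        for rule in fields_input:
            selected = _select_fields(enrichment, rule)
            val_to_search = [_regex_values(str(v), rule.get("RegexForFieldValue") or "")
                             for v in selected.values()]
            found = [v for values in val_to_search for v in values
                     if v and any(norm(v) in norm(h) for h in haystacks)]  # skip empty extractions
            findings += len(found)
            if found and should_enrich_entity:
                enrichment.setdefault(should_enrich_entity, found[0])  # first match wins
            entity_results.append({**rule, "ResultsToSearch": {
                "val_to_search": val_to_search, "found_results": found, "num_of_results": len(found)}})
        results.append({"Entity": entity["Identifier"], "EntityResult": entity_results})
    return {"findings": findings, "results": results, "entities": entities}


if __name__ == "__main__":
    import json
    print(json.dumps(check_entities_fields_in_text(SAMPLE_ENTITIES, SAMPLE_SEARCH_IN_DATA,
                                                   SAMPLE_FIELDS_INPUT), indent=2))
```

With the sample data the body rule and the `_url_` rule each produce one finding (the host name and `www.ircnet.org` both appear in the blocked-connection text), the `malicious` rule produces none, and the entity gets `domain_matched` set to the first hit; switching `is_case_sensitive` on drops the host-name hit because the search text has it in lower case.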

    Get Integration Instances 

    Description

    Returns all integration instances for an environment.

    Parameters

    No parameters applicable.

    Example

    In this scenario, all integration instances in all environments will be returned.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
    • JSON Result
      {
      "instances": [{"identifier": "27dee746-1857-41b7-a722-b99699b8d6c8", "integrationIdentifier": "Tools", "environmentIdentifier": "Default", "instanceName": "Tools_1", "instanceDescription": "test", "isConfigured": true, "isRemote": false, "isSystemDefault": false},{...........}]
      }

    Delay Playbook V2

    Description

    Temporarily stops a playbook from completing for a specified period of time.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Seconds Integer 0 No Specify amount of seconds to delay playbook for.
    Minutes Integer 1 No Specify amount of minutes to delay playbook for.
    Hours Integer 0 No Specify amount of hours to delay playbook for.
    Days Integer 0 No Specify amount of days to delay playbook for.
    Cron Expression String N/A No Determines when the playbook should proceed using a cron expression. Will be prioritized over the other parameters.

    Example

    In this scenario, we’re delaying the playbook for 12 and a half hours.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Get Original Alert Json

    Description

    Returns JSON result of the original alert (raw data).

    Parameters

    No parameters applicable.

    Example

    In this scenario, the original raw json of the alert is returned.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
    • JSON Result
      {
      "CreatorUserId": null, "Events": [{"_fields": {"BaseEventIds": "[]", "ParentEventId": -1, "deviceEventClassId": "IRC Connections", "DeviceProduct": "IPS_Product", "StartTime": "1667497096184", "EndTime": "1667497096184"}, "_rawDataFields": {"applicationProtocol": "TCP", "categoryOutcome": "blocked", "destinationAddress": "104.131.182.103", "destinationHostName": "www.ircnet.org", "destinationPort": "770", "destinationProcessName": "MrlCS.sob", "destinationUserName": "XWTTRYzNr1l@gmail.com", "deviceAddress": "0.0.0.0", "deviceEventClassId": "IRC Connections", "deviceHostName": "ckIYC2", "Field_24": "B0:E7:DF:6C:EF:71", "deviceProduct": "IPS_Product", "deviceVendor": "Vendor", "endTime": "1667497110906", "eventId": "0aa16009-57b4-41a3-91ed-81347442ca29", "managerReceiptTime": "1522058997000", "message": "Connection to IRC Server", "name": "IRC Connections", "severity": "8", "sourceAddress": "0.0.0.0", "sourceHostName": "jhon@domain.local", "startTime": "1667497110906", "sourcetype": "Connection to IRC Server"}, "Environment": null, "SourceSystemName": null, "Extensions": []}], "Environment": "Default", "SourceSystemName": "Arcsight", "TicketId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Description": "IRC Connections", "DisplayId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Reason": null, "Name": "IRC Connections", "DeviceVendor": "IPS", "DeviceProduct": "IPS_Product", "StartTime": 1667497110906, "EndTime": 1667497110906, "Type": 1, "Priority": -1, "RuleGenerator": "IRC Connections", "SourceGroupingIdentifier": null, "PlaybookTriggerKeywords": [], "Extensions": [], "Attachments": null, "IsTrimmed": false, "DataType": 1, "SourceType": 1, "SourceSystemUrl": null, "SourceRuleIdentifier": null
      }

    Get Current Time

    Description

    Returns the current date and time.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Datetime Format String %d/%m/%Y %H:%M Yes Specify the format of the date and time.

    Example

    In this scenario, we’re returning a date and time value using the following format: %d/%m/%Y %H:%M:%S

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Date time value 03/11/2022 20:33:43

    Update Alert Score

    Description

    Updates the alert score by the amount provided.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Input Integer N/A Yes Specify the amount to increment or decrement (negative number) by.

    Example

    In this scenario, we’re decreasing the alert score by 20.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Input Value -20

    Add Comment to Entity Log

    Description

    Adds a comment to the entity log for each entity in scope in the Entity Explorer.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    User Dropdown @Administrator Yes Specify the user who created the comment.
    Comment String N/A Yes Specify the comment that will be added to the entity log.

    Example

    Action Results

    • Script Result
      Script Result Name Value options Example
      N/A N/A N/A

    Re-Attach Playbook

    Description

    Removes a playbook from a case, deletes any result data in the case from that playbook, and re-attaches the playbook so it will run again. Requires installation of PostgreSQL integration, configured to the Shared Environment with an instance name of Chronicle SOAR. See CSM / Support for additional details.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Playbook Name Dropdown N/A Yes Specify the playbook to re-attach.

    Example

    In this scenario, we’re re-attaching a playbook called attach_playbook_test

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False/Please configure the Chronicle SOAR instance of the PostgreSQL integration. True

    Lock Playbook

    Description

    Pauses the current playbook until all playbooks from the previous alert complete.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Async Action Timeout Integer 1 Day No The timeout for async actions defines the total time permitted for this action (the sum of all iterations' runtime).
    Async Polling Interval Integer 1 Hour No Set the duration between each polling attempt during an async action runtime.

    Example

    In this scenario, we’re pausing the current playbook and checking every 30 seconds to see if all playbooks in the previous alert in the case are complete.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Find First Alert 

    Description

    Returns the identifier of the first alert in a given case.

    Parameters

    No parameters applicable.

    Example

    In this scenario, it’s returning the alert identifier of the first alert in the case.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult Alert Identifier Value IRC CONNECTIONS9A33308C-AC62-4A41-8F73-20529895D567

    Look-A-Like Domains

    Description

    Compares domain entities against the list of domains defined for the environment. If the domains are similar the entity will be marked as suspicious and enriched with the matching domain.

    Parameters

    No parameters applicable

    Example

    In this scenario, we’re checking if external domain entities look similar to the domains configured in the domains list in settings.

    Action Results

    • Script Result
      Script Result Name Value options Example
      look_a_like_domain_found True/False True
    • JSON Result
      {
      "Entity" : {"EntityResult" : { "look_a_like_domains" : ["outlooks.com"]}}
      }
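The page does not say how "similar" is measured, so the following is an added example with an assumed measure rather than the integration's code: it flags a domain entity as suspicious when its Levenshtein (edit) distance to one of the configured domains is small but not zero, which catches the `outlooks.com` / `outlook.com` case above as well as single-character swaps such as `out1ook.com` and TLD changes such as `outlook.co`. `CONFIGURED_DOMAINS` is a constructed stand-in for the environment's domain list, and the distance tolerance (1, or 2 for names of ten or more characters) is a judgement call to keep very short domains from matching everything.

```python
# Constructed stand-in for the domains list configured for the environment.
CONFIGURED_DOMAINS = ["outlook.com", "company.com", "example.com"]


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or substitutions turning a into b."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(previous[j] + 1,                        # deletion
                               current[j - 1] + 1,                     # insertion
                               previous[j - 1] + (char_a != char_b)))  # substitution
        previous = current
    return previous[-1]


def look_a_like_domains(entity_domain, configured=CONFIGURED_DOMAINS):
    """Configured domains the entity domain resembles but does not equal.
    Assumption: resemblance = edit distance of 1, or up to 2 for names of 10+ characters."""
    candidate = entity_domain.strip().strip(".").lower()
    matches = []
    for configured_domain in configured:
        target = configured_domain.lower()
        if candidate == target:
            continue  # the organisation's own domain is not a look-alike
        tolerance = 2 if len(target) >= 10 else 1
        if levenshtein(candidate, target) <= tolerance:
            matches.append(target)
    return matches


def check_domain_entities(entity_domains, configured=CONFIGURED_DOMAINS):
    """Produce the action's result shape: a per-entity list plus the overall flag."""
    results = []
    for domain in entity_domains:
        matches = look_a_like_domains(domain, configured)
        results.append({"Entity": domain,
                        "EntityResult": {"look_a_like_domains": matches, "is_suspicious": bool(matches)}})
    return {"look_a_like_domain_found": any(r["EntityResult"]["is_suspicious"] for r in results),
            "results": results}


if __name__ == "__main__":
    # Constructed entities: one typosquat of a configured domain, one unrelated, one exact.
    print(check_domain_entities(["outlooks.com", "google.com", "outlook.com"]))
```

Edit distance is deliberately simple and misses homoglyph tricks (Cyrillic letters, `rn` for `m`); a production check normally adds a confusables table and compares the registered domain separately from the TLD.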

    Change Case Name

    Description

    Changes a case name/title.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    New Name String N/A No Specify the new name of the case.
    Only If First Alert Checkbox Unchecked No If checked, will only change the case’s name if the action was executed on the first alert in the case.

    Example

    In this scenario, the title of a case will be changed to “Phishing - Suspicious Email” only if it runs in the first alert.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Spell Check String

    Description

    Checks the spelling of the input string. It outputs the accuracy percentage, the total number of words, the number of misspelled words, a list of each misspelled word with its correction, and a corrected version of the input string.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    String String N/A Yes Specify the string that will be checked for misspellings.

    Example

    In this scenario, we’re spell checking the input string “Testing if thsi is a mispelled wodr.”.

    Action Results

    • Script Result
      Script Result Name Value options Example
      accuracy_percentage Percentage value 71
    • JSON Result
      {
      "input_string": "Testing if thsi is a mispelled wodr.", "total_words": 7, "total_misspelled_words": 2, "misspelled_words": [{"misspelled_word": "mispelled", "correction": "misspelled"}, {"misspelled_word": "wodr", "correction": "word"}], "accuracy": 71, "corrected_string": "Testing if thsi is a misspelled word."
      }

    Search Text

    Description

    Search for the 'Search For' parameter in the input text or loop through the 'Search For Regex' list and find matches in the input text. If there is a match, the action will return true.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Text String N/A Yes Specify the text that will be searched.
    Search For String N/A No Specify the string to search in the “text” field.
    Search For Regex String N/A No List of regexes that will be used to search the string. Regex should be wrapped in double quotes. Supports comma delimited list.
    Case Sensitive Checkbox N/A No Specify whether the search should be case sensitive.

    Example

    In this scenario, we’re checking if the word "malicious" exists in the “Text” field value.

    Action Results

    • Script Result
      Script Result Name Value options Example
      match_found True/False True
    • JSON Result
      {
      "matches": [{"search": "malicious", "input": "This IOC is malicious.", "match": true}]
      }
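The detail that matters in this action is the "Search For Regex" format: a comma-delimited list in which each regex is wrapped in double quotes, because a regex can itself contain commas (a quantifier such as `\d{1,3}`) and a plain split on commas would cut it apart. The code below is an added example, not the integration's code: it parses that quoted list with the `csv` module, runs the literal search and each regex with the case-sensitivity switch, reports a compile error per pattern instead of failing the whole action, and returns the same `match_found` / `matches` shape as the result above. The `matched_text` and `error` keys are additions not on the page.

```python
import csv
import re


def parse_regex_list(value):
    r"""Parse the 'Search For Regex' parameter: a comma-delimited list in which each regex
    is wrapped in double quotes. Quoting is what lets a regex itself contain commas, e.g.
    "\d{1,3}", so a plain split(",") would break it; csv handles the quoting for us."""
    if not value or not value.strip():
        return []
    fields = next(csv.reader([value.strip()], skipinitialspace=True))
    return [field for field in fields if field.strip()]


def search_text(text, search_for="", search_for_regex="", case_sensitive=False):
    """Literal search plus each regex in the list; match_found is true when any of them hit."""
    matches = []
    if search_for:
        hit = search_for in text if case_sensitive else search_for.lower() in text.lower()
        matches.append({"search": search_for, "input": text, "match": hit})
    flags = 0 if case_sensitive else re.IGNORECASE
    for pattern in parse_regex_list(search_for_regex):
        try:
            found = re.search(pattern, text, flags)
        except re.error as exc:  # a bad pattern should not sink the other searches
            matches.append({"search": pattern, "input": text, "match": False, "error": str(exc)})
            continue
        matches.append({"search": pattern, "input": text, "match": found is not None,
                        "matched_text": found.group(0) if found else None})
    return {"match_found": any(m["match"] for m in matches), "matches": matches}


if __name__ == "__main__":
    # Constructed inputs: the page's literal example, then a regex list with an IPv4 pattern.
    print(search_text("This IOC is malicious.", search_for="malicious"))
    print(search_text("Connect to 104.131.182.103:770",
                      search_for_regex=r'"\d{1,3}(\.\d{1,3}){3}", "ircnet"'))
```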

    Set Context Value

    Description

    Sets a key and value in a specific context. This action is often used with the “Get Context Value” action to retrieve the value of the key.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Value String N/A Yes Specify the context value.
    Key String N/A Yes Specify the context key.
    Scope Dropdown Alert Yes Specify context assignment scope (Alert, Case, Global).

    Example

    In this scenario, we’re setting a context key of “malicious” to “yes” value.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Create Siemplify Task

    Description

    Assigns a task to a user or role. The task will be related to the case the action ran on.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Task Title String N/A No Specify the title of the task.
    SLA (in minutes) Integer 480 Yes Specify the amount of time in minutes the assigned user/role has to respond to the task.
    Task Content String N/A Yes Specify the details of the task.
    Assign To Drop Down N/A Yes Specify the user or role that task will be assigned to.

    Example

    In this scenario, a task is created instructing Tier 3 to run a virus scan.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Assign Case To User

    Description

    Assigns a case to a user.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Case Id String N/A Yes Specify the case id. Use [Case.Id] for the current case.
    Assign To String @Admin Yes Specify the user to assign a case to. This is the user's ID. Use “Get Siemplify Users” action to retrieve ID for a specific user.
    Alert Id String N/A Yes Specify the alert id. Use [Alert.Identifier].

    Example

    In this scenario, we’re assigning the current case to a specific user using their ID.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Get Case Data

    Description

    Retrieves all data from a case and returns a JSON result. The result includes comments, entity information, insights, playbooks that ran, alert information and events.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Case Id Integer N/A No Specify the case Id to query. If left blank, it will use the current case.

    Example

    In this scenario, we’re retrieving case details from the current case.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True
    • JSON Result
      {
      "wallData": [{"commentForClient": null, "comment": null, "modificationTimeUnixTimeInMsForClient": 0, "creatorUserId": "8f8er8d6-ee8b-478e-9ee592-cc27e9addda13b", "id": 6357, "type": 5, "caseId": 36902, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397165, "creationTimeUnixTimeInMs": 1680717397165, "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"}, {"actionTriggerType": 0, "integration": "Tools", "executingUser": null, "playbookName": "New Playbook", "playbookIsInDebugMode": true, "status": 5, "actionProvider": "Scripts", "actionIdentifier": "Tools_Get Case Data_1", "actionResult": "Action started", "alertIdentifiers": ["SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"], "creatorUserId": null, "id": 7677, "type": 3, "caseId": 0, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397401, "creationTimeUnixTimeInMs": 1680717397401, "alertIdentifier": null}], "alerts": [{"ticketId": "d21ebvcxzb88-35vc35-46b4-9edd08-063696d7cc092", "status": 0, "identifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "hasWorkflows": true, "workflowsStatus": 1, "sourceSystemName": "CrowdStrikeFalcon", "securityEventCards": [{"caseId": 36902, "eventId": "5fde7844-0099-4c5d-a562-63e2d0deb7e5", "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "eventName": "CustomIOAWinLowest", "product": "Falcon", "sources": [{"isValid": true, "identifier": "172.30.202.229", "type": "ADDRESS"}, {"isValid": true, "identifier": "EXLAB2019-AD", "type": "HOSTNAME"}, {"isValid": true, "identifier": "E019-AD$", "type": "USERUNIQNAME"}], "destinations": [], "artificats": [{"isValid": true, "identifier": "MPCMDRUN.EXE", "type": "FILENAME"}, {"isValid": true, "identifier": "60D88450B376694DC55EB8F40B0F79580D1DF399A7BDF", "type": "FILEHASH"}], "port": null, "outcome": null, "time": "2023-03-01T19:51:00Z", "deviceEventClassId": "Indicator of Attack", "fields": [{"isHighlight": true, "groupName": "HIGHLIGHTED 
FIELDS", "hideOptions": false, "items": [{"originalName": "startTime", "name": "Start Time", "value": "1680615463369"}, {"originalName": "endTime", "name": "End Time", "value": "1680615463369"}]}, {"isHighlight": false, "groupName": "Default", "hideOptions": false, "items": [{"originalName": "cid", "name": "cid", "value": "27fe4e4760b8476b2b6650e5a74"}, {"originalName": "created_timestamp", "name": "created_timestamp", "value": "2023-03-01T19:51:11.387187948Z"}........................
      }

    Wait For Playbook to Complete

    Description

    Pauses the current playbook until another playbook or block, that is running on the same alert, completes.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Playbook Name String N/A No Specify the name of the block or playbook that you want to complete first.

    Example

    In this scenario, we’re pausing the current playbook until the “investigation block” that’s running on the same alert is complete.

    Action Results

    • Script Result
      Script Result Name Value options Example
      ScriptResult True/False True

    Jobs

    Description

    This job closes all cases that match a search query. The Search Payload is the payload used in the 'CaseSearchEverything' API call. To get an example of this value, go to Search in the UI and open Developer Tools, search for the cases to close, look for the "CaseSearchEverything" API call in DevTools, then copy the JSON payload of the POST request and paste it into "Search Payload". The Close Reason should be 0 or 1: 0 = malicious, 1 = not malicious. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.

    Parameters

    Parameter Type Default Value Is Mandatory Description
    Search Payload JSON N/A No Specify JSON payload to search. Example: {"tags":[],"ruleGenerator":[],"caseSource":[],"stage":[],"environments":[],"assignedUsers":[],"products":[],"ports":[],"categoryOutcomes":[],"status":[],"caseIds":[],"incident":[],"importance":[],"priorities":[],"pageSize":50,"isCaseClosed":false,"title":"","startTime":"2023-01-22T00:00:00.000Z","endTime":"2023-01-22T23:59:59.999Z","requestedPage":0,"timeRangeFilter":1}
    Close Comment String N/A Yes Specify a close comment.
    Close Reason String N/A Yes Specify the closure reason. 0 = malicious, 1 = not malicious
    Root Cause Integer N/A Yes Specify root cause. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.
    Chronicle SOAR Username String N/A Yes Specify Chronicle SOAR username.
    Chronicle SOAR Password Password N/A Yes Specify Chronicle SOAR password.