Tools

Overview

A set of utility actions for data manipulation to power up playbook capabilities.

Actions

DNS Lookup

Description

Performs a DNS lookup using a specified DNS resolver.

Parameters

Parameter Type Default Value Is Mandatory Description
DNS Server IP Address N/A Yes Specify a single DNS server or a comma-separated list of DNS servers.

Example

In this scenario, we’re using Google's public DNS address of 8.8.8.8 to look up external domain entities.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "Entity": "WWW.EXAMPLE.ORG",
    "EntityResult": [{"Type": "A", "Response": "176.9.157.114", "DNS Server": "8.8.8.8"}]
    }

Add Or Update Alert Additional Data

Description

Adds or updates fields in the alert additional data. Results will be shown in a field called “OFFENSE_ID” in the Alerts overview.

Parameters

Parameter Type Default Value Is Mandatory Description
Json Fields JSON N/A Yes You can enter either free text (for one variable) or a string representing a JSON dictionary (can be nested).

Example

In this scenario, we’re adding MITRE attack details to the alerts which will be displayed in the alerts overview.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult # of items in dictionary 2
  • JSON Result
    {
    "dict": {"mitre": " T1059"}, "list": []
    }

Attach Playbook to All Case Alerts

Description

Attaches a specific playbook or block to all alerts in a case.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Specify the playbook or block name that will be added to all alerts in a case.

Example

In this scenario, we’re attaching a playbook called “Phishing playbook” to all alerts in a case.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Attach Playbook to Alert

Description

Attaches a specific playbook or block to the current alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Specify the playbook or block name that will be added to all alerts in a case.

Example

In this scenario, we’re attaching a block called “Containment Block” to the current alert in the case.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Buffer

Description

Converts a JSON input to a JSON object.

Parameters

Parameter Type Default Value Is Mandatory Description
ResultValue String N/A No Placeholder value that will be returned as the ScriptResult value.
JSON JSON N/A No JSON that will be displayed in the expression builder.

Example

In this scenario, JSON input value will be displayed in the JSON expression builder to be used for further actions.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult ResultValue parameter input value success
  • JSON Result
    {
    "domain" : "company.com",
    "domain2" : "company2.com"
    }

Get Certificate Details

Description

Retrieves certificate details of a given URL.

Parameters

Parameter Type Default Value Is Mandatory Description
Url to check URL expired.badssl.com Yes Specify the URL to retrieve certificate details from.

Example

In this scenario, we’re retrieving certificate details from the expired.badssl.com site.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "hostname": "expired.badssl.com",
    "ip": "104.154.89.105",
    "commonName": "*.badssl.com",
    "is_self_signed": false,
    "SAN": [["*.badssl.com", "badssl.com"]],
    "is_expired": true,
    "issuer": "EXAMPLE CA",
    "not_valid_before": "04/09/2015",
    "not_valid_after": "04/12/2015",
    "days_to_expiration": -2762
    }
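How the fields in that result can be derived from a certificate, as an added example that is not part of the Tools integration: it takes a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns (SAMPLE_PEERCERT below is a constructed sample modelled on the expired.badssl.com result above, not a captured certificate) and computes commonName, SAN, is_self_signed, is_expired and days_to_expiration against a reference time of 3 November 2022, which reproduces the -2762 shown. The function names and the reference time are assumptions of this example.

```python
import json
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelled on the
# expired.badssl.com result shown above; it is not a captured certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "*.badssl.com"),),),
    "issuer": (
        (("countryName", "XX"),),
        (("organizationName", "EXAMPLE CA"),),
        (("commonName", "EXAMPLE CA"),),
    ),
    "notBefore": "Apr  9 00:00:00 2015 GMT",
    "notAfter": "Apr 12 23:59:59 2015 GMT",
    "subjectAltName": (("DNS", "*.badssl.com"), ("DNS", "badssl.com")),
}

# Reference "now" (3 November 2022), chosen so the sample reproduces days_to_expiration = -2762.
REFERENCE_NOW = datetime(2022, 11, 3, tzinfo=timezone.utc)


def _rdn_value(name, key):
    """Return the first value for `key` in a getpeercert()-style sequence of RDNs."""
    for rdn in name:
        for attr_key, attr_value in rdn:
            if attr_key == key:
                return attr_value
    return None


def _cert_time(value):
    """Parse an 'Apr 12 23:59:59 2015 GMT' timestamp into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def certificate_details(peercert, hostname, now):
    """Derive the fields the action reports from a getpeercert() dict and a reference time."""
    not_before = _cert_time(peercert["notBefore"])
    not_after = _cert_time(peercert["notAfter"])
    subject = peercert.get("subject", ())
    issuer = peercert.get("issuer", ())
    return {
        "hostname": hostname,
        "commonName": _rdn_value(subject, "commonName"),
        # A self-signed certificate names itself as issuer: subject and issuer are identical.
        "is_self_signed": subject == issuer,
        "SAN": [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"],
        # "Expired" here covers both not-yet-valid and past-notAfter certificates.
        "is_expired": not (not_before <= now <= not_after),
        "issuer": _rdn_value(issuer, "organizationName") or _rdn_value(issuer, "commonName"),
        "not_valid_before": not_before.strftime("%m/%d/%Y"),
        "not_valid_after": not_after.strftime("%m/%d/%Y"),
        # Whole calendar days until notAfter; negative once the certificate has expired.
        "days_to_expiration": (not_after.date() - now.date()).days,
    }


def sample_details():
    """Run the derivation over the constructed sample at the reference time."""
    return certificate_details(SAMPLE_PEERCERT, "expired.badssl.com", REFERENCE_NOW)


if __name__ == "__main__":
    print(json.dumps(sample_details(), indent=2))
```

The ip field is left out because it comes from resolving the hostname, not from the certificate. Note that getpeercert() only fills this dict when the handshake verified the chain; under ssl.create_default_context() an expired certificate fails the handshake, so inspecting one as the scenario above does requires getpeercert(binary_form=True) and a DER parser such as the cryptography package.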

Get Context Value

Description

Retrieves a value of a context key in a case or an alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Scope Drop down Alert Yes Specify the scope of the key values whether it’s in a case, alert or global.
Key String N/A Yes Specify the key.

Example

In this scenario, we’re retrieving a context value from a key called impact in a case. This action is used along with the “Set Context Value” action that adds the key value pairs to the case or alert.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Context value High

Get Email Templates

Description

Returns all email templates in the system.

Parameters

Parameter Type Default Value Is Mandatory Description
Template Type Drop down Standard Yes Specify the template type to return whether standard or HTML.

Example

In this scenario, we’re returning all HTML based email templates.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult JSON Result containing HTML code JSON Result shown below
  • JSON Result
    {
    "templates": [{"type": 1, "name": "test 1", "content": "<html>\n    <head>\n    <style type=\"text/css\"> .title\n\n    { color: blue; text-decoration: bold; text-size: 1em; }\n    .author\n    { color: gray; }\n\n    </style>\n    </head>\n\n    <body>\n    <span class=\"title\">La super bonne</span>\n    {Text}\n    [Case.Id]\n    </h1> <br/>\n    </body>\n\n    </html>", "creatorUserName": "f00942-fa040-4422324-b2c43e-de40fdsff122b9c4", "forMigration": false, "environments": ["Default"], "id": 3, "creationTimeUnixTimeInMs": 1672054127271, "modificationTimeUnixTimeInMs": 1672054127279}]
    }

Create Entities With Separator

Description

Creates entities and adds them to the alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Entities Identifiers String N/A Yes Specify the entity or entities to be added to the alert.
Entity Type String N/A Yes Specify the entity type.
Is Internal Checkbox Unselected No Check if the entity supplied is part of an internal network.
Entities Separator String , Yes Specify the delimiter used in the entities identifiers field.
Enrichment JSON Dropdown JSON No Specify enrichment data in JSON format.
PrefixForEnrichment String N/A No Specify the prefix to add to the enrichment data.

Example

In this scenario, we’re creating three IP entities and enriching them with a field called “is_suspicious”.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "created": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], 
    "enriched": ["0.0.0.0", "0.0.0.1", "0.0.0.2"],
    "failed": []
    }

Update Case Description

Description

Updates the description of a case.

Parameters

Parameter Type Default Value Is Mandatory Description
Case Description String N/A Yes Specify the updated description.

Example

In this scenario, we’re updating the description of the case to “This case is related to suspicious logins.“.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Normalize Entity Enrichment

Description

Receives a list of entity enrichment keys and replaces each with the new name supplied.

Parameters

Parameter Type Default Value Is Mandatory Description
Normalization Data JSON N/A Yes Specify the JSON in the following format (example):
    [
      { "entity_field_name": "AT_fields_Name", "new_name": "InternalEnrichment_Name" },
      { "entity_field_name": "AT_fields_Direct-Manager", "new_name": "InternalEnrichment_DirectManager_Name" },
      { "entity_field_name": "AT_Manager_fields_Work-Email", "new_name": "InternalEnrichment_DirectManager_Email" }
    ]

Example

In this scenario, we’re replacing the entity key of “is_bad” to “malicious”.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Number of enriched entities 5

Append to Context Value

Description

Appends a value to an existing context property or creates a new context property if it doesn't exist and adds the value.

Parameters

Parameter Type Default Value Is Mandatory Description
Key String N/A Yes Specify the context property key
Value String N/A Yes Specify the value to append to the context property
Delimiter String N/A Yes Specify the delimiter used in the value field.

Example

In this scenario, we’re adding values “T1595” and “T1140” to an existing context key of “MITRE”.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Context values T1595, T1140

Create Entity Relationships

Description

Creates a relationship between the supplied entities and the linked entities. If the supplied entities do not exist, it will create them.

Parameters

Parameter Type Default Value Is Mandatory Description
Entity Identifier(s) String N/A Yes Specify an entity identifier or a comma-separated list of identifiers; existing entities are used and missing ones are created.
Entity Identifier(s) Type Drop Down User Name Yes Specify the entity type.
Connect As Drop Down Source Yes Connect entity identifiers using source, destination, or linked relationships to the target entity identifiers.
Target Entity Type Drop Down Address Yes Specify the target entity type to connect the entity identifier(s) to.
Target Entity Identifier(s) String N/A No Entities in this comma-separated list, of the type from Target Entity Type, will be linked to the entities in the Entity Identifier(s) parameter.
Enrichment JSON JSON N/A No An optional JSON object containing key/value pairs of attributes that can be added to the newly created entities.
Separator Character String N/A No Specify the character to separate the list of entities in Entity Identifiers and/or Target Entity Identifiers by. Defaults to comma.

Example

In this scenario, we’re creating a relationship between a user and a URL. In this case, Bola001 has accessed a URL of example.com.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "Entity": "Bola001", "EntityResult": {}
    }

Extract URL Domain

Description

Enriches all entities with a new field "siemplifytools_extracted_domain" containing the domain extracted from the entity identifier. If the entity has no domain (a file hash, for example) nothing is returned for it. In addition to entities, the user can specify a list of URLs as a parameter; these are processed without enriching any entity.

Parameters

Parameter Type Default Value Is Mandatory Description
Separator String , Yes Specify the separator string to use to separate URLs.
URLs String N/A No Specify one or more URLs to extract the domain from.
Extract subdomain Checkbox N/A No Specify if you want to extract the subdomain as well.

Example

In this scenario, we're extracting the domain from the specified URL.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Number of extracted domains 1
  • JSON Result
    {
    "Entity": "https://sample.google.com", "EntityResult": {"domain": "sample.google.com", "source_entity_type": "DestinationURL"}
    }

Check List Subset

Description

Checks if values in one list exist in another list.

Parameters

Parameter Type Default Value Is Mandatory Description
Original String N/A Yes Specify the list of items to check against. Json list or comma separated.
Subset List N/A Yes Specify the subset list. Json list or comma separated.

Example

In this scenario, we’re checking if values 1,2,3 exist in the original list of 1,2,3,4,5 resulting in a true result value.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Add Alert Scoring Information

Description

Adds an entry to the alert scoring database. The alert score is based on the ratio 5 Low = 1 Medium, 3 Medium = 1 High, 2 High = 1 Critical. An optional tag can be added to the case.

Parameters

Parameter Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name of the check being performed on the alert.
Description String N/A Yes Specify the description of the check being performed on the alert.
Severity String Informational Yes Specify the severity.
Category String N/A Yes Specify the category of the check that was performed.
Source String N/A No Specify the part of the alert the score was derived from. Example: Files, User, Email.
Case Tag String N/A No Specify tags to add to the case.

Example

In this scenario, we’re setting the alert score to high due to a suspicious result from VirusTotal.

Action Results

  • Script Result
    Script Result Name Value options Example
    Alert_score Informational, Low, Medium, High, Critical High
  • JSON Result
    {
    "category": "File Enrichment",
    "score_data": [{"score_name": "File Enrichment", "description": "VT has found a file to be suspicious", "severity": "High", "score": 3, "source": "VirusTotal"}],
    "category_score": 3
    }
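One reading of the scoring rules above, as an added example rather than the integration's own code: each entry is stored with an ordinal score (assumed Informational = 0 through Critical = 4, matching the High/3 pairing in the result above), a category is scored by its most severe entry, and the alert-level severity is rolled up by converting every entry to "Low units" with the stated ratios. The thresholds, the category rule and the function names are assumptions of this example; the second scenario is constructed.

```python
# Ordinal score stored per entry. Assumption: Informational = 0 ... Critical = 4, which is
# consistent with the "severity": "High" / "score": 3 pairing in the result above.
SEVERITY_SCORE = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Weight of one entry in "Low units", read off the stated ratios:
# 5 Low = 1 Medium, 3 Medium = 1 High, 2 High = 1 Critical.
LOW_UNITS = {"Informational": 0, "Low": 1, "Medium": 5, "High": 15, "Critical": 30}


def add_alert_scoring_information(db, category, name, description, severity, source=None):
    """Append one check result to the per-alert scoring store and return its category block."""
    if severity not in SEVERITY_SCORE:
        raise ValueError(f"unknown severity {severity!r}")
    block = db.setdefault(category, {"category": category, "score_data": [], "category_score": 0})
    block["score_data"].append({
        "score_name": name,
        "description": description,
        "severity": severity,
        "score": SEVERITY_SCORE[severity],
        "source": source,
    })
    # Assumption: a category is scored by its most severe entry.
    block["category_score"] = max(entry["score"] for entry in block["score_data"])
    return block


def alert_score(db):
    """Roll every entry up into one alert severity using the Low-unit ratios."""
    total = sum(LOW_UNITS[entry["severity"]] for block in db.values() for entry in block["score_data"])
    for level in ("Critical", "High", "Medium", "Low"):
        if total >= LOW_UNITS[level]:
            return level
    return "Informational"


def scenario_from_page():
    """The VirusTotal scenario above: one High finding in the File Enrichment category."""
    db = {}
    add_alert_scoring_information(
        db, "File Enrichment", "File Enrichment",
        "VT has found a file to be suspicious", "High", source="VirusTotal",
    )
    return db


def scenario_many_low():
    """Constructed scenario: five Low findings, which the ratio turns into one Medium."""
    db = {}
    for i in range(5):
        add_alert_scoring_information(db, "Heuristics", f"check-{i}", "constructed finding", "Low")
    return db


if __name__ == "__main__":
    print(alert_score(scenario_from_page()), alert_score(scenario_many_low()))
```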

Get Siemplify Users

Description

Returns list of all users configured in the system.

Parameters

Parameter Type Default Value Is Mandatory Description
Hide Disabled Users Checkbox Selected No Specify whether to hide disabled users from the results.

Example

In this scenario, we’re returning all users in the system including disabled users.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "siemplifyUsers": [{"permissionGroup": "Admins", "socRole": "@Administrator", "isDisabled": false, "loginIdentifier": "sample@domain.com", "firstName": "John", "lastName": "Doe", "permissionType": 0, "role": 0, "socRoleId": 1, "email": "sample@domain.com", "userName": "0b3423496fc2-0834302-42f33d-8523408-18c087d2347cf1e", "imageBase64": null, "userType": 1, "identityProvider": -1, "providerName": "Internal", "advancedReportsAccess": 0, "accountState": 2, "lastLoginTime": 1679831126656, "previousLoginTime": 1678950002044, "lastPasswordChangeTime": 0, "lastPasswordChangeNotificationTime": 0, "loginWrongPasswordCount": 0, "isDeleted": false, "deletionTimeUnixTimeInMs": 0, "environments": ["*"], "id": 245, "creationTimeUnixTimeInMs": 1675457504856, "modificationTimeUnixTimeInMs": 1674957504856}]
    }

Check Entities Fields In Text

Description

Searches for a specific field in each entity in scope (or for multiple fields selected by a regex on the field name) and compares it with one or more values. The compared values can themselves be transformed by a regex. A match is found if one of the post-regex values from the entity enrichment appears in one or more of the values searched in.

Parameters

Parameter Type Default Value Is Mandatory Description
SearchInData JSON [ { "Data": "[Event.from]", "RegEx": "(?<=@)[^.]+(?=\\.)" } ] Yes JSON that represents the string(s) you want to search in, using this format: [ { "Data": "", "RegEx": "" } ]
FieldsInput JSON [ { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "" }, { "RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": "" }, { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "HostName: (.*?)" } ] Yes A JSON that describes which fields should be tested, using this format: [ { "RegexForFieldName": "", "FieldName": "Field name to search", "RegexForFieldValue": "" } ]
ShouldEnrichEntity String domain_matched No If set to <VAL>, will also put an enrichment value on the entity so it can be recognized as "matched" with the value. The key will be <VAL>.
IsCaseSensitive Checkbox Unselected No Specify if the field is case sensitive.

Example

In this scenario, we’re checking if an entity with a field name of “malicious” is in the text specified.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Number of findings 0
  • JSON Result
    {
    "Entity": "EXL88765-AD", "EntityResult": [{"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": "", "ResultsToSearch": {"val_to_search": [[]], "found_results": [], "num_of_results": 0}}]
    }
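The matching procedure the description and parameter table spell out, worked through in an added example that is not the integration's code: SEARCH_IN_DATA applies the default RegEx above to a constructed sender address, FIELDS_INPUT selects one field by name and one by a regex on the field name with a value regex, and the constructed SAMPLE_ENTITIES carry the enrichment fields. The output follows the EntityResult shape shown above, and the ShouldEnrichEntity key defaults to domain_matched; the function names, sample data and the substring rule for "is in" are assumptions of this example.

```python
import re

# Constructed sample: strings to search in, in the action's SearchInData shape.
# The default "[Event.from]" placeholder is stood in for by a literal sender address.
SEARCH_IN_DATA = [
    {"Data": "alice@example.com", "RegEx": r"(?<=@)[^.]+(?=\.)"},  # yields "example"
]

# Constructed sample: which entity fields to test, in the action's FieldsInput shape.
FIELDS_INPUT = [
    {"RegexForFieldName": "", "FieldName": "domain", "RegexForFieldValue": ""},
    {"RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": r"https?://([^./]+)"},
]

# Constructed sample entities with enrichment fields (no real data).
SAMPLE_ENTITIES = {
    "EXAMPLE-USER": {"domain": "example", "malicious": "false"},
    "EXAMPLE-HOST": {"vt_url_report": "https://example.com/report/1", "domain": "other"},
}


def values_to_search(search_in_data):
    """Apply each entry's RegEx to its Data; without a RegEx the whole Data string is used."""
    values = []
    for entry in search_in_data:
        pattern = entry.get("RegEx") or ""
        values.extend(re.findall(pattern, entry["Data"]) if pattern else [entry["Data"]])
    return values


def entity_values(enrichment, spec, flags):
    """Select the enrichment fields a FieldsInput entry refers to and apply its value regex."""
    name_regex = spec.get("RegexForFieldName") or ""
    value_regex = spec.get("RegexForFieldValue") or ""
    selected = []
    for name, value in enrichment.items():
        if name_regex:
            if not re.search(name_regex, name, flags):
                continue
        elif not re.fullmatch(re.escape(spec.get("FieldName") or ""), name, flags):
            continue
        value = str(value)
        selected.extend(re.findall(value_regex, value, flags) if value_regex else [value])
    return selected


def check_entities_fields_in_text(entities, fields_input, search_in_data,
                                  case_sensitive=False, enrich_key="domain_matched"):
    """Return (number of findings, per-entity results, enrichment to write back)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    targets = values_to_search(search_in_data)
    if not case_sensitive:
        targets = [t.lower() for t in targets]
    results, enrichment = [], {}
    for identifier, fields in entities.items():
        entity_results, matched = [], []
        for spec in fields_input:
            values = entity_values(fields, spec, flags)
            comparable = values if case_sensitive else [v.lower() for v in values]
            # A value counts as found when it occurs inside any post-regex searched string.
            found = [v for v, c in zip(values, comparable) if c and any(c in t for t in targets)]
            matched.extend(found)
            entity_results.append({
                "RegexForFieldName": spec.get("RegexForFieldName", ""),
                "FieldName": spec.get("FieldName", ""),
                "RegexForFieldValue": spec.get("RegexForFieldValue", ""),
                "ResultsToSearch": {"val_to_search": values, "found_results": found,
                                    "num_of_results": len(found)},
            })
        if matched:
            enrichment[identifier] = {enrich_key: matched}
        results.append({"Entity": identifier, "EntityResult": entity_results})
    total = sum(len(v[enrich_key]) for v in enrichment.values())
    return total, results, enrichment


def run_sample():
    """Run the check over the constructed samples with the default (case-insensitive) settings."""
    return check_entities_fields_in_text(SAMPLE_ENTITIES, FIELDS_INPUT, SEARCH_IN_DATA)


if __name__ == "__main__":
    findings, per_entity, to_enrich = run_sample()
    print(findings, to_enrich)
```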

Get Integration Instances

Description

Returns all integration instances for an environment.

Parameters

No parameters applicable.

Example

In this scenario, all integration instances in all environments will be returned.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "instances": [{"identifier": "27dee746-1857-41b7-a722-b99699b8d6c8", "integrationIdentifier": "Tools", "environmentIdentifier": "Default", "instanceName": "Tools_1", "instanceDescription": "test", "isConfigured": true, "isRemote": false, "isSystemDefault": false},{...........}]
    }

Delay Playbook V2

Description

Temporarily stops a playbook from completing for a specified period of time.

Parameters

Parameter Type Default Value Is Mandatory Description
Seconds Integer 0 No Specify the number of seconds to delay the playbook for.
Minutes Integer 1 No Specify the number of minutes to delay the playbook for.
Hours Integer 0 No Specify the number of hours to delay the playbook for.
Days Integer 0 No Specify the number of days to delay the playbook for.
Cron Expression String N/A No Determines when the playbook should proceed, using a cron expression. Takes precedence over the other parameters.

Example

In this scenario, we’re delaying the playbook for 12 and a half hours.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Get Original Alert Json

Description

Returns JSON result of the original alert (raw data).

Parameters

No parameters applicable.

Example

In this scenario, the original raw JSON of the alert is returned.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "CreatorUserId": null, "Events": [{"_fields": {"BaseEventIds": "[]", "ParentEventId": -1, "deviceEventClassId": "IRC Connections", "DeviceProduct": "IPS_Product", "StartTime": "1667497096184", "EndTime": "1667497096184"}, "_rawDataFields": {"applicationProtocol": "TCP", "categoryOutcome": "blocked", "destinationAddress": "104.131.182.103", "destinationHostName": "www.ircnet.org", "destinationPort": "770", "destinationProcessName": "MrlCS.sob", "destinationUserName": "XWTTRYzNr1l@gmail.com", "deviceAddress": "0.0.0.0", "deviceEventClassId": "IRC Connections", "deviceHostName": "ckIYC2", "Field_24": "B0:E7:DF:6C:EF:71", "deviceProduct": "IPS_Product", "deviceVendor": "Vendor", "endTime": "1667497110906", "eventId": "0aa16009-57b4-41a3-91ed-81347442ca29", "managerReceiptTime": "1522058997000", "message": "Connection to IRC Server", "name": "IRC Connections", "severity": "8", "sourceAddress": "0.0.0.0", "sourceHostName": "jhon@domain.local", "startTime": "1667497110906", "sourcetype": "Connection to IRC Server"}, "Environment": null, "SourceSystemName": null, "Extensions": []}], "Environment": "Default", "SourceSystemName": "Arcsight", "TicketId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Description": "IRC Connections", "DisplayId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Reason": null, "Name": "IRC Connections", "DeviceVendor": "IPS", "DeviceProduct": "IPS_Product", "StartTime": 1667497110906, "EndTime": 1667497110906, "Type": 1, "Priority": -1, "RuleGenerator": "IRC Connections", "SourceGroupingIdentifier": null, "PlaybookTriggerKeywords": [], "Extensions": [], "Attachments": null, "IsTrimmed": false, "DataType": 1, "SourceType": 1, "SourceSystemUrl": null, "SourceRuleIdentifier": null
    }

Get Current Time

Description

Returns the current date and time.

Parameters

Parameter Type Default Value Is Mandatory Description
Datetime Format String %d/%m/%Y %H:%M Yes Specify the format of the date and time.

Example

In this scenario, we’re returning a date and time value using the following format: %d/%m/%Y %H:%M:%S

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Date time value 03/11/2022 20:33:43

Update Alert Score

Description

Updates the alert score by the amount provided.

Parameters

Parameter Type Default Value Is Mandatory Description
Input Integer N/A Yes Specify the amount to increment or decrement (negative number) by.

Example

In this scenario, we’re decreasing the alert score by 20.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Input Value -20

Add Comment to Entity Log

Description

Adds a comment to the entity log for each entity in scope in the Entity Explorer.

Parameters

Parameter Type Default Value Is Mandatory Description
User Dropdown @Administrator Yes Specify the user who created the comment.
Comment String N/A Yes Specify the comment that will be added to the entity log.

Example

Action Results

  • Script Result
    Script Result Name Value options Example
    N/A N/A N/A

Re-Attach Playbook

Description

Removes a playbook from a case, deletes any result data in the case from that playbook, and re-attaches the playbook so it will run again. Requires installation of PostgreSQL integration, configured to the Shared Environment with an instance name of Chronicle SOAR. See CSM / Support for additional details.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name Dropdown N/A Yes Specify the playbook to re-attach.

Example

In this scenario, we’re re-attaching a playbook called attach_playbook_test

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False/Please configure the Chronicle SOAR instance of the PostgreSQL integration. True

Lock Playbook

Description

Pauses the current playbook until all playbooks from the previous alert complete.

Parameters

Parameter Type Default Value Is Mandatory Description
Async Action Timeout Integer 1 Day No The timeout for async actions defines the total time permitted for this action (the sum of all iterations' runtime).
Async Polling Interval Integer 1 Hour No Set the duration between each polling attempt during an async action runtime.

Example

In this scenario, we’re pausing the current playbook and checking every 30 seconds to see whether all playbooks in the previous alert in the case are complete.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Find First Alert

Description

Returns the identifier of the first alert in a given case.

Parameters

No parameters applicable.

Example

In this scenario, it’s returning the alert identifier of the first alert in the case.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Alert Identifier Value IRC CONNECTIONS9A33308C-AC62-4A41-8F73-20529895D567

Look-A-Like Domains

Description

Compares domain entities against the list of domains defined for the environment. If the domains are similar the entity will be marked as suspicious and enriched with the matching domain.

Parameters

No parameters applicable.

Example

In this scenario, we’re checking if external domain entities look similar to the domains configured in the domains list in settings.

Action Results

  • Script Result
    Script Result Name Value options Example
    look_a_like_domain_found True/False True
  • JSON Result
    {
    "Entity" : {"EntityResult" : { "look_a_like_domains" : ["outlooks.com"]}}
    }
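An added example, not the integration's own implementation, covering this action and Extract URL Domain above: extract_domain() pulls the host out of a URL or bare domain and returns None for identifiers that have no domain (a file hash), and look_alike_domains() compares the registrable domain against a constructed configured-domains list by Levenshtein edit distance, reporting the configured domain the entity resembles. The distance threshold of 2, the last-two-labels rule for the registrable domain, the function names and the sample data are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the environment's configured domains list (not a real setting).
CONFIGURED_DOMAINS = ["outlook.com", "company.com"]

# Constructed sample entity identifiers: a URL, a bare domain and a hash-like value.
SAMPLE_ENTITIES = [
    "https://sample.google.com/login",
    "outlooks.com",
    "44d88612fea8a8f36de82e1278abb02f",
]


def extract_domain(identifier, extract_subdomain=True):
    """Host part of a URL or bare domain; None for identifiers that have no domain."""
    candidate = identifier.strip()
    if "://" not in candidate:
        candidate = "//" + candidate  # lets urlparse treat a bare host as the netloc
    host = urlparse(candidate).hostname
    # Hostnames need at least one dot; hashes and bare machine names fall out here.
    if not host or "." not in host or not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    if extract_subdomain:
        return host
    # Assumption for this example: the registrable domain is the last two labels
    # (a public-suffix list would be needed for names such as example.co.uk).
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(previous[j] + 1,                          # delete from a
                               current[j - 1] + 1,                       # insert into a
                               previous[j - 1] + (char_a != char_b)))    # substitute
        previous = current
    return previous[-1]


def look_alike_domains(domain, configured, max_distance=2):
    """Configured domains within edit distance of `domain`, excluding an exact match."""
    return [c for c in configured if c != domain and levenshtein(domain, c) <= max_distance]


def check_entities(entities, configured=CONFIGURED_DOMAINS):
    """Per-entity result in the action's shape; the entity is enriched with the domain it resembles."""
    results = {}
    for entity in entities:
        domain = extract_domain(entity, extract_subdomain=False)
        if domain is None:
            continue  # no domain to compare (file hash, bare hostname)
        matches = look_alike_domains(domain, configured)
        if matches:
            results[entity] = {"EntityResult": {"look_a_like_domains": matches}}
    return results


if __name__ == "__main__":
    print(check_entities(SAMPLE_ENTITIES))
```

Edit distance catches typo-style variants such as outlooks.com; it does not catch homoglyph or internationalised-domain look-alikes, which need a confusables check on the decoded (xn--) name before comparison.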

Change Case Name

Description

Changes a case name or title.

Parameters

Parameter Type Default Value Is Mandatory Description
New Name String N/A No Specify the new name of the case.
Only If First Alert Checkbox Unselected No If selected, will only change the case’s name if the action was executed on the first alert in the case.

Example

In this scenario, the title of a case will be changed to “Phishing - Suspicious Email” only if it runs in the first alert.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Spell Check String

Description

Checks the spelling of the input string. It outputs the accuracy percentage, the total word count, the number of misspelled words, a list of each misspelled word with its correction, and a corrected version of the input string.

Parameters

Parameter Type Default Value Is Mandatory Description
String String N/A Yes Specify the string that will be checked for misspellings.

Example

In this scenario, we’re spell checking the input string “Testing if this is a mispelled wodr.”.

Action Results

  • Script Result
    Script Result Name Value options Example
    accuracy_percentage Percentage value 71
  • JSON Result
    {
    "input_string": "Testing if this is a mispelled wodr.",
    "total_words": 7,
    "total_misspelled_words": 2,
    "misspelled_words": [{"misspelled_word": "mispelled", "correction": "misspelled"}, {"misspelled_word": "wodr", "correction": "word"}],
    "accuracy": 71,
    "corrected_string": "Testing if this is a misspelled word."
    }

Search Text

Description

Searches for the 'Search For' value in the input text, or loops through the 'Search For Regex' list and finds matches in the input text. If there is a match, the action returns true.

Parameters

Parameter Type Default Value Is Mandatory Description
Text String N/A Yes Specify the text that will be searched.
Search For String N/A No Specify the string to search in the “text” field.
Search For Regex String N/A No List of regexes that will be used to search the string. Each regex should be wrapped in double quotes. Supports a comma-delimited list.
Case Sensitive Checkbox N/A No Specify whether the search should be case sensitive.

Example

In this scenario, we’re checking if the word "malicious" exists in the “Text” field value.

Action Results

  • Script Result
    Script Result Name Value options Example
    match_found True/False True
  • JSON Result
    {
    "matches": [{"search": "malicious", "input": "This IOC is malicious.", "match": true}]
    }
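An added example of the two search modes, not the integration's code: 'Search For' is a plain, optionally case-sensitive substring check, while 'Search For Regex' is parsed with the csv module so that regexes wrapped in double quotes survive the comma delimiter even when they contain commas themselves (\d{1,3}). The sample text and regex list are constructed, the function names are assumptions of this example, and the result mirrors the match_found flag and matches list shown above.

```python
import csv
import io
import re

# Constructed sample inputs (not captured from the platform).
SAMPLE_TEXT = "This IOC is malicious."
SAMPLE_REGEX_LIST = r'"\d{1,3}(\.\d{1,3}){3}", "malicious"'


def parse_regex_list(raw):
    """Split a comma-delimited list of double-quoted regexes; commas inside the quotes survive."""
    if not raw or not raw.strip():
        return []
    # csv does the quoting work: a regex such as \d{1,3} contains commas a plain split would break.
    row = next(csv.reader(io.StringIO(raw.strip()), skipinitialspace=True))
    return [item for item in row if item != ""]


def search_text(text, search_for=None, search_for_regex=None, case_sensitive=False):
    """Return the action's result: match_found plus one record per search term."""
    matches = []
    if search_for:
        haystack, needle = (text, search_for) if case_sensitive else (text.lower(), search_for.lower())
        matches.append({"search": search_for, "input": text, "match": needle in haystack})
    flags = 0 if case_sensitive else re.IGNORECASE
    for pattern in parse_regex_list(search_for_regex):
        try:
            hit = re.search(pattern, text, flags) is not None
        except re.error:
            hit = False  # an invalid regex never matches instead of aborting the whole action
        matches.append({"search": pattern, "input": text, "match": hit})
    return {"match_found": any(m["match"] for m in matches), "matches": matches}


if __name__ == "__main__":
    print(search_text(SAMPLE_TEXT, search_for="malicious"))
    print(search_text("Beacon to 10.0.0.5 observed", search_for_regex=SAMPLE_REGEX_LIST))
```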

Set Context Value

Description

Sets a key and value in a specific context. This action is often used with the “Get Context Value” action to retrieve the value of the key.

Parameters

Parameter Type Default Value Is Mandatory Description
Value String N/A Yes Specify the context value.
Key String N/A Yes Specify the context key.
Scope Dropdown Alert Yes Specify context assignment scope (Alert, Case, Global).

Example

In this scenario, we’re setting a context key of “malicious” to the value “yes”.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Create Siemplify Task

Description

Assigns a task to a user or role. The task will be related to the case the action ran on.

Parameters

Parameter Type Default Value Is Mandatory Description
Task Title String N/A No Specify the title of the task.
SLA (in minutes) Integer 480 Yes Specify the amount of time in minutes the assigned user/role has to respond to the task.
Task Content String N/A Yes Specify the details of the task.
Assign To Drop Down N/A Yes Specify the user or role that the task will be assigned to.

Example

In this scenario, a task is created instructing Tier 3 to run a virus scan.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Assign Case To User

Description

Assigns a case to a user.

Parameters

Parameter Type Default Value Is Mandatory Description
Case Id String N/A Yes Specify the case id. Use [Case.Id] for the current case.
Assign To String @Admin Yes Specify the user to assign a case to. This is the user's ID. Use “Get Siemplify Users” action to retrieve ID for a specific user.
Alert Id String N/A Yes Specify the alert id. Use [Alert.Identifier].

Example

In this scenario, we’re assigning the current case to a specific user using their ID.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Get Case Data

Description

Retrieves all data from a case and returns a JSON result. The result includes comments, entity information, insights, playbooks that ran, alert information and events.

Parameters

Parameter Type Default Value Is Mandatory Description
Case Id Integer N/A No Specify the case Id to query. If left blank, it will use the current case.

Example

In this scenario, we’re retrieving case details from the current case.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "wallData": [{"commentForClient": null, "comment": null, "modificationTimeUnixTimeInMsForClient": 0, "creatorUserId": "8f8er8d6-ee8b-478e-9ee592-cc27e9addda13b", "id": 6357, "type": 5, "caseId": 36902, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397165, "creationTimeUnixTimeInMs": 1680717397165, "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"}, {"actionTriggerType": 0, "integration": "Tools", "executingUser": null, "playbookName": "New Playbook", "playbookIsInDebugMode": true, "status": 5, "actionProvider": "Scripts", "actionIdentifier": "Tools_Get Case Data_1", "actionResult": "Action started", "alertIdentifiers": ["SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"], "creatorUserId": null, "id": 7677, "type": 3, "caseId": 0, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397401, "creationTimeUnixTimeInMs": 1680717397401, "alertIdentifier": null}], "alerts": [{"ticketId": "d21ebvcxzb88-35vc35-46b4-9edd08-063696d7cc092", "status": 0, "identifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "hasWorkflows": true, "workflowsStatus": 1, "sourceSystemName": "CrowdStrikeFalcon", "securityEventCards": [{"caseId": 36902, "eventId": "5fde7844-0099-4c5d-a562-63e2d0deb7e5", "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "eventName": "CustomIOAWinLowest", "product": "Falcon", "sources": [{"isValid": true, "identifier": "172.30.202.229", "type": "ADDRESS"}, {"isValid": true, "identifier": "EXLAB2019-AD", "type": "HOSTNAME"}, {"isValid": true, "identifier": "E019-AD$", "type": "USERUNIQNAME"}], "destinations": [], "artificats": [{"isValid": true, "identifier": "MPCMDRUN.EXE", "type": "FILENAME"}, {"isValid": true, "identifier": "60D88450B376694DC55EB8F40B0F79580D1DF399A7BDF", "type": "FILEHASH"}], "port": null, "outcome": null, "time": "2023-03-01T19:51:00Z", "deviceEventClassId": "Indicator of Attack", "fields": [{"isHighlight": true, "groupName": "HIGHLIGHTED FIELDS", "hideOptions": false, "items": [{"originalName": "startTime", "name": "Start Time", "value": "1680615463369"}, {"originalName": "endTime", "name": "End Time", "value": "1680615463369"}]}, {"isHighlight": false, "groupName": "Default", "hideOptions": false, "items": [{"originalName": "cid", "name": "cid", "value": "27fe4e4760b8476b2b6650e5a74"}, {"originalName": "created_timestamp", "name": "created_timestamp", "value": "2023-03-01T19:51:11.387187948Z"}........................
    }

Wait For Playbook to Complete

Description

Pauses the current playbook until another playbook or block, that is running on the same alert, completes.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A No Specify the name of the block or playbook that you want to complete first.

Example

In this scenario, we’re pausing the current playbook until the “investigation block” that’s running on the same alert is complete.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Convert Into Simulated Case

Description

Converts a case into a simulated case that can be loaded into the platform.

Parameters

Parameter Type Default Value Is Mandatory Description
Push to Simulated Cases Checkbox Unselected No If selected, the case is added to the available simulated cases list.
Save JSON as Case Wall File Checkbox Selected No If selected, a JSON file which represents the case is saved to the case wall to be downloaded.
Override Alert Name String Empty No Specify a new alert name to be used. If set, this parameter supersedes the Full path name parameter.
Full path name Checkbox Unselected No If selected, the alert name is built as source_product_eventtype, for example QRadar_WinEventLog:Security_Remote fail login. This parameter is ignored if Override Alert Name is set.

Example

In this example, a case is converted to a simulated case using "Risky Sign On" as the alert name, which will then be displayed as one of the available simulated cases on the home screen.

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
      "cases": [
        {
          "CreatorUserId": null,
          "Events": [
            {
              "_fields": {
                "BaseEventIds": "[]",
                "ParentEventId": -1,
                "DeviceProduct": "WinEventLog:Security",
                "StartTime": "1689266169689",
                "EndTime": "1689266169689"
              },
              "_rawDataFields": {
                "sourcetype": "Failed login",
                "starttime": "1689702001439",
                "endtime": "1689702001439"
              },
              "Environment": null,
              "SourceSystemName": null,
              "Extensions": []
            }
          ],
          "Environment": "default",
          "SourceSystemName": "QRadar",
          "TicketId": "de2e3913-e4d8-4060-ae2b-1c81ee64ba47",
          "Description": "This case created by SPLUNK query ",
          "DisplayId": "de2e3913-e4d8-4060-ae2b-1c81ee64ba47",
          "Reason": null,
          "Name": "Risky Sign On",
          "DeviceVendor": "WIN-24TBDNRMSVB",
          "DeviceProduct": "WinEventLog:Security",
          "StartTime": 1689702001439,
          "EndTime": 1689702001439,
          "Type": 1,
          "Priority": -1,
          "RuleGenerator": "Remote Failed login",
          "SourceGroupingIdentifier": null,
          "PlaybookTriggerKeywords": [],
          "Extensions": [
            {
              "Key": "KeyName",
              "Value": "TCS"
            }
          ],
          "Attachments": null,
          "IsTrimmed": false,
          "DataType": 1,
          "SourceType": 1,
          "SourceSystemUrl": null,
          "SourceRuleIdentifier": null,
          "SiemAlertId": null,
          "__CorrelationId": "7efd38feaea247ad9f5ea8d907e4387c"
        }
      ]
    }
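
The following is an added example, not code from the Tools integration: it applies the documented precedence between Override Alert Name and Full path name to an exported case, and checks the export for the fields the JSON Result above carries before it is pushed to the simulated cases list. It assumes that the "source", "product" and "eventtype" parts of a full path name map onto the SourceSystemName, DeviceProduct and RuleGenerator fields of the case (the page's example "QRadar_WinEventLog:Security_Remote fail login" suggests this), and the embedded sample is a trimmed, constructed copy of the JSON Result shown above.

```python
"""Added example for the Convert Into Simulated Case action (not the Tools
integration's own code): alert-name precedence and a sanity check on the
exported case JSON.

Assumptions: source/product/eventtype of a full path name correspond to the
SourceSystemName, DeviceProduct and RuleGenerator fields of the export; the
sample export below is constructed from the JSON Result shown above.
"""
import json
from typing import Dict, List

# Constructed sample, trimmed from the action's JSON Result (not a live export).
SAMPLE_CASE_EXPORT = """
{
  "cases": [
    {
      "Name": "Risky Sign On",
      "Environment": "default",
      "SourceSystemName": "QRadar",
      "DeviceVendor": "WIN-24TBDNRMSVB",
      "DeviceProduct": "WinEventLog:Security",
      "RuleGenerator": "Remote Failed login",
      "Events": [
        {
          "_fields": {"DeviceProduct": "WinEventLog:Security",
                      "StartTime": "1689266169689", "EndTime": "1689266169689"},
          "_rawDataFields": {"sourcetype": "Failed login"}
        }
      ]
    }
  ]
}
"""

# Fields an exported case must carry before it is worth loading as a simulated
# case (chosen from the JSON Result above; an assumption, not a platform rule).
REQUIRED_CASE_KEYS = ("Name", "SourceSystemName", "DeviceProduct", "RuleGenerator", "Events")


def parse_cases(payload: str) -> List[Dict]:
    """Decode an export and return its list of cases (empty list on bad input)."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return []
    cases = doc.get("cases") if isinstance(doc, dict) else None
    return cases if isinstance(cases, list) else []


def resolve_alert_name(case: Dict, override_alert_name: str = "", full_path_name: bool = False) -> str:
    """Apply the documented precedence: Override Alert Name supersedes Full path
    name, which in turn replaces the case's own Name."""
    if override_alert_name.strip():
        return override_alert_name.strip()
    if full_path_name:
        # source_product_eventtype, e.g. QRadar_WinEventLog:Security_Remote Failed login
        return "_".join((case["SourceSystemName"], case["DeviceProduct"], case["RuleGenerator"]))
    return case["Name"]


def validate_case_export(payload: str) -> List[str]:
    """Return a list of problems; an empty list means the export is usable."""
    problems: List[str] = []
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    cases = doc.get("cases") if isinstance(doc, dict) else None
    if not isinstance(cases, list) or not cases:
        return ["'cases' must be a non-empty list"]
    for idx, case in enumerate(cases):
        for key in REQUIRED_CASE_KEYS:
            if key not in case:
                problems.append(f"cases[{idx}] missing '{key}'")
        if not case.get("Events"):
            problems.append(f"cases[{idx}] has no events")
    return problems


if __name__ == "__main__":
    for case in parse_cases(SAMPLE_CASE_EXPORT):
        print(resolve_alert_name(case))
        print(resolve_alert_name(case, full_path_name=True))
    print(validate_case_export(SAMPLE_CASE_EXPORT))
```

Running validate_case_export on the saved case wall file before selecting Push to Simulated Cases catches a truncated or hand-edited export early; a case with no events loads but has nothing for a playbook to act on.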

Jobs

Description

This job closes all cases matched by a search query. The Search Payload is the JSON payload used in the 'CaseSearchEverything' API call. To capture an example of this value, go to Search in the UI, open the browser's Developer Tools, and search for the cases to close. Find the "CaseSearchEverything" API call in DevTools, copy the JSON payload of the POST request, and paste it into "Search Payload". The Close Reason must be 0 or 1: 0 = malicious, 1 = not malicious. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.

Parameters

Parameter Type Default Value Is Mandatory Description
Search Payload JSON N/A No Specify JSON payload to search. Example: {"tags":[],"ruleGenerator":[],"caseSource":[],"stage":[],"environments":[],"assignedUsers":[],"products":[],"ports":[],"categoryOutcomes":[],"status":[],"caseIds":[],"incident":[],"importance":[],"priorities":[],"pageSize":50,"isCaseClosed":false,"title":"","startTime":"2023-01-22T00:00:00.000Z","endTime":"2023-01-22T23:59:59.999Z","requestedPage":0,"timeRangeFilter":1}
Close Comment String N/A Yes Specify a close comment.
Close Reason String N/A Yes Specify the closure reason. 0 = malicious, 1 = not malicious
Root Cause Integer N/A Yes Specify root cause. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.
Chronicle SOAR Username String N/A Yes Specify Chronicle SOAR username.
Chronicle SOAR Password Password N/A Yes Specify Chronicle SOAR password.
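
The following is an added example, not the Tools integration's own job code. It builds the Search Payload in the exact shape the parameter table documents, rejects an invalid Close Reason or Root Cause before any case is touched, and pages through the search so that a query returning more than one page of results is handled in full. The HTTP call to CaseSearchEverything is not made here: the search is injected as a callable, the response shape (a list of case dicts carrying an "id" key) is an assumption, and the fake search is constructed test data.

```python
"""Added example for the close-cases job (not the Tools integration's own
code): payload construction, parameter validation and paging, run as a dry
run against a constructed search function.

Assumptions: CaseSearchEverything returns a list of case dicts with an "id"
key; the fake search below is constructed data standing in for the API.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

CLOSE_REASONS = {0: "malicious", 1: "not malicious"}


def _iso_ms(ts: datetime) -> str:
    """Format as 2023-01-22T00:00:00.000Z, matching the documented payload."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_search_payload(day: str, page: int = 0, page_size: int = 50) -> Dict:
    """Return a CaseSearchEverything payload covering one UTC day (YYYY-MM-DD),
    restricted to open cases so re-running the job is harmless."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = start + timedelta(days=1) - timedelta(milliseconds=1)
    return {
        "tags": [], "ruleGenerator": [], "caseSource": [], "stage": [],
        "environments": [], "assignedUsers": [], "products": [], "ports": [],
        "categoryOutcomes": [], "status": [], "caseIds": [], "incident": [],
        "importance": [], "priorities": [],
        "pageSize": page_size,
        "isCaseClosed": False,
        "title": "",
        "startTime": _iso_ms(start),
        "endTime": _iso_ms(end),
        "requestedPage": page,
        "timeRangeFilter": 1,
    }


def validate_close_params(close_reason, root_cause):
    """Return (reason, label) or raise ValueError, so a typo in the job
    configuration fails before any case is closed."""
    try:
        reason = int(close_reason)
    except (TypeError, ValueError):
        raise ValueError(f"Close Reason must be 0 or 1, got {close_reason!r}")
    if reason not in CLOSE_REASONS:
        raise ValueError(f"Close Reason must be 0 or 1, got {reason}")
    if not isinstance(root_cause, int) or root_cause < 0:
        raise ValueError(f"Root Cause must be a non-negative integer id, got {root_cause!r}")
    return reason, CLOSE_REASONS[reason]


def collect_case_ids(search: Callable[[Dict], List[Dict]], day: str,
                     page_size: int = 50, max_pages: int = 200) -> List[int]:
    """Page through the search until a short page comes back; stopping after
    the first pageSize results would leave cases open. max_pages bounds the
    loop if the API keeps returning full pages."""
    ids: List[int] = []
    for page in range(max_pages):
        results = search(build_search_payload(day, page=page, page_size=page_size))
        ids.extend(int(case["id"]) for case in results)
        if len(results) < page_size:
            break
    return ids


def fake_search(total: int) -> Callable[[Dict], List[Dict]]:
    """Constructed stand-in for the API: `total` open cases with ids 1000+."""
    cases = [{"id": 1000 + i} for i in range(total)]

    def search(payload: Dict) -> List[Dict]:
        first = payload["requestedPage"] * payload["pageSize"]
        return cases[first:first + payload["pageSize"]]

    return search


if __name__ == "__main__":
    reason, label = validate_close_params("1", 3)
    ids = collect_case_ids(fake_search(120), "2023-01-22")
    print(f"would close {len(ids)} cases as {label}")
```

Two points worth carrying into the real job: keep "isCaseClosed": false in the payload so a rerun never re-closes cases, and feed the Chronicle SOAR Username and Password parameters from the platform's secured job configuration rather than from a value embedded in the payload or script.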