Tools

Supported in:

Overview

A set of utility actions for data manipulation to power up playbook capabilities.

Actions

DNS Lookup

Description

Performs a DNS lookup using a specified DNS resolver.

Parameters

Parameter Type Default Value Is Mandatory Description
DNS Server IP Address N/A Yes Specify a single or comma separated DNS servers.

Example

In this scenario, we’re using Google's public DNS address of 8.8.8.8 to look up external domain entities.

toolsnew1

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "Entity": "WWW.EXAMPLE.ORG",
     "EntityResult": [{"Type": "A", "Response": "176.9.157.114", "DNS Server": "8.8.8.8"}]
    }

Add Or Update Alert Additional Data

Description

Adds or updates fields in the alert additional data. Results will be shown in a field called “OFFENSE_ID” in the Alerts overview.

Parameters

Parameter Type Default Value Is Mandatory Description
Json Fields JSON N/A Yes You can enter either free text (for one variable), a string representing a JSON dictionary (Can he nested)

Example

In this scenario, we’re adding MITRE attack details to the alerts which will be displayed in the alerts overview.

tools1

tools2

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult # of items in dictionary 2
  • JSON Result
    {
    "dict": {"mitre": " T1059"}, "list": []
    }

Attach Playbook to All Case Alerts

Description

Attaches a specific playbook or block to all alerts in a case.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Specify the playbook or block name that will be added to all alerts in a case.

Example

In this scenario, we’re attaching a playbook called “Phishing playbook” to all alerts in a case.

tools3

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Attach Playbook to Alert

Description

Attaches a specific playbook or block to the current alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A Yes Specify the playbook or block name that will be added to all alerts in a case.

Example

In this scenario, we’re attaching a block called “Containment Block” to the current alerts in the case.

tools4

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Buffer

Description

Convert a JSON input to a JSON object.

Parameters

Parameter Type Default Value Is Mandatory Description
ResultValue String N/A No Placeholder value that will be returned as the ScriptResult value.
JSON JSON N/A No JSON that will be displayed in the expression builder.

Example

In this scenario, JSON input value will be displayed in the JSON expression builder to be used for further actions.

tools5-buffer

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult ResultValue parameter input value success
  • JSON Result
    {
    "domain" : "company.com",
    "domain2" : "company2.com"
    }

Get Certificate Details

Description

Retrieves certificate details of a given URL.

Parameters

Parameter Type Default Value Is Mandatory Description
Url to check URL expired.badssk.com Yes Specify the URL to retrieve certificate details from.

Example

In this scenario, we’re retrieving certificate details from expired.badssl.com site.

tools6

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "hostname": "expired.badssl.com",
     "ip": "104.154.89.105", 
    "commonName": "*.badssl.com",
     "is_self_signed": false, 
    "SAN": [["*.badssl.com", "badssl.com"]], 
    "is_expired": true, 
    "issuer": "EXAMPLE CA", 
    "not_valid_before": "04/09/2015", 
    "not_valid_after": "04/12/2015", 
    "days_to_expiration": -2762
    }

Get Context Value

Description

Retrieves a value of a context key in a case or an alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Scope Drop down Alert Yes Specify the scope of the key values whether it’s in a case, alert or global.
Key String N/A Yes Specify the key.

Example

In this scenario, we’re retrieving a context value from a key called impact in a case. This action is used along with the “Set Context Value” action that adds the key value pairs to the case or alert.

tools7

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Context value High



Get Email Templates

Description

Returns all email templates in the system.

Parameters

Parameter Type Default Value Is Mandatory Description
Template Type Drop down Standard Yes Specify the template type to return whether standard or HTML.

Example

In this scenario, we’re returning all HTML based email templates.

tools8

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult JSON Result containing HTML code JSON Result shown below
  • JSON Result
    {
    "templates": [{"type": 1, "name": "test 1", "content": "<html>\n    <head>\n    <style type=\"text/css\"> .title\n\n    { color: blue; text-decoration: bold; text-size: 1em; }\n    .author\n    { color: gray; }\n\n    </style>\n    </head>\n\n    <body>\n    <span class=\"title\">La super bonne</span>\n    {Text}\n    [Case.Id]\n    </h1> <br/>\n    </body>\n\n    </html>", "creatorUserName": "f00942-fa040-4422324-b2c43e-de40fdsff122b9c4", "forMigration": false, "environments": ["Default"], "id": 3, "creationTimeUnixTimeInMs": 1672054127271, "modificationTimeUnixTimeInMs": 1672054127279}]
    }

Create Entities With Separator

Description

Creates entities and adds them to the alert.

Parameters

Parameter Type Default Value Is Mandatory Description
Entities Identifiers String N/A Yes Specify the entity or entities to be added to the alert.
Entity Type String N/A Yes Specify the entity type.
Is Internal Checkbox Unselected No Check if the entity supplied is part of an internal network.
Entities Separator String , Yes Specify the delimiter used in the entities identifiers field.
Enrichment JSON Dropdown JSON No Specify enrichment data in JSON format.
PrefixForEnrichment String N/A No Specify the prefix to add to the enrichment data.

Example

In this scenario, we’re creating three IP entities and enriching them with a field called “is_suspicious”.

tools9

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "created": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], 
    "enriched": ["0.0.0.0", "0.0.0.1", "0.0.0.2"],
    "failed": []
    }

Update Case Description

Description

Updates the description of a case.

Parameters

Parameter Type Default Value Is Mandatory Description
Case Description String N/A Yes Specify the updated description.

Example

In this scenario, we’re updating the description of the case to “This case is related to suspicious logins.“.

tools10

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Normalize Entity Enrichment

Description

Receives a list of keys from the entity and replaces them.

Parameters

Parameter Type Default Value Is Mandatory Description
Normalization Data JSON N/A Yes Specify the JSON in the following format example: [ { "entity_field_name": "AT_fields_Name", "new_name": "InternalEnrichment_Name" }, { "entity_field_name": "AT_fields_Direct-Manager", "new_name": "InternalEnrichment_DirectManager_Name" }, { "entity_field_name": "AT_Manager_fields_Work-Email", "new_name": "InternalEnrichment_DirectManager_Email" } ]

Example

In this scenario, we’re replacing the entity key of “is_bad” to “malicious”.

tools11

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Number of enriched entities 5

Append to Context Value

Description

Appends a value to an existing context property or creates a new context property if it doesn't exist and adds the value.

Parameters

Parameter Type Default Value Is Mandatory Description
Key String N/A Yes Specify the context property key
Value String N/A Yes Specify the value to append to the context property
Delimiter String N/A Yes Specify the delimiter used in the value field.

Example

In this scenario, we’re adding values “T1595” and “T1140” to an existing context key of “MITRE”.

tools12

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Context values T1595, T1140

Create Entity Relationships

Description

Creates a relationship between the supplied entities and the linked entities. If the supplied entities do not exist, it will create them.

Parameters

Parameter Type Default Value Is Mandatory Description
Entity Identifier(s) String N/A Yes Create new or use existing entity identifiers or comma-separated list of identifiers.
Entity Identifier(s) Type Drop Down User Name Yes Specify the entity type.
Connect As Drop Down Source Yes Connect entity identifiers using source, destination, or linked relationships to the target entity identifiers.
Target Entity Type Drop Down Address Yes Specify the target entity type to connect the entity identifier(s) to.
Target Entity Identifier(s) String N/A No Entities in this comma separated list, of

the type from Target Entity Type, will be linked to the entities in the Entities Identifier(s) parameter.

Enrichment JSON JSON N/A No An optional JSON object containing key /

value pairs of attributes that can be added to the newly created entities.

Separator Character String N/A No Specify the character to separate the list of entities in Entity Identifiers and/or Target Entity Identifiers by. Defaults to comma.

Example

In this scenario, we’re creating a relationship between a user and a URL. In this case, Bola001 has accessed a URL of example.com.

tools13

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "Entity": "Bola001", "EntityResult": {}
    }

Extract URL Domain

Description

Enriches all entities with a new field "siemplifytools_extracted_domain" containing the extracted domain out of the entity identifier. If the entity has no domain (file hash for example) it will simply not return anything. In addition to entities, the user can specify a list of URLs as a parameter and process them, without enriching, naturally.

Parameters

Parameter Type Default Value Is Mandatory Description
Separator String , Yes Specify the separator string to use to separate URLs.
URLs String N/A No Specify one or more URLs to extract the domain from.
Extract subdomain Checkbox N/A No Specify if you want to extract the subdomain as well.

Example

In this scenario, we're extracting the domain from the specified URL.

tools14

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Number of extracted domains 1
  • JSON Result
    {
    "Entity": "https://sample.google.com", "EntityResult": {"domain": "sample.google.com", "source_entity_type": "DestinationURL"}
    }

Check List Subset

Description

Checks if values in one list exist in another list.

Parameters

Parameter Type Default Value Is Mandatory Description
Original String N/A Yes Specify the list of items to check against. Json list or comma separated.
Subset List N/A Yes Specify the subset list. Json list or comma separated.

Example

In this scenario, we’re checking if values 1,2,3 exist in the original list of 1,2,3,4,5 resulting in a true result value.

tools15

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Add Alert Scoring Information

Description

Adds an entry to the alert scoring database. Alert score is based on the ratio: 5 Low = 1 Medium. 3 Medium = 1 High. 2 High = 1 Critical. Optional tag added to case.

Parameters

Parameter Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name of the check being performed on the alert.
Description String N/A Yes Specify the description of the check being performed on the alert.
Severity String Informational Yes Specify the severity.
Category String N/A Yes Specify the category of the check that was performed.
Source String N/A No Specify the part of the alert the score was derived from. Example: Files, user, Email.
Case Tag String N/A No Specify tags to add to the case.

Example

In this scenario, we’re setting the alert score to high due to a suspicious result from VirusTotal.

tools16

Action Results

  • Script Result
    Script Result Name Value options Example
    Alert_score Informational, Low, Medium, High, Critical High
  • JSON Result
    {
    "category": "File Enrichment",
     "score_data": [{"score_name": "File Enrichment", "description": "VT has found a file to be suspicious", "severity": "High", "score": 3, "source": "VirusTotal"}],
     "category_score": 3
    }

Get Siemplify Users

Description

Returns list of all users configured in the system.

Parameters

Parameter Type Default Value Is Mandatory Description
Hide Disabled Users Checkbox Selected No Specify whether to hide disabled users from the results.

Example

In this scenario, we’re returning all users in the system including disabled users.

tools17

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "siemplifyUsers": [{"permissionGroup": "Admins", "socRole": "@Administrator", "isDisabled": false, "loginIdentifier": "sample@domain.com", "firstName": "John", "lastName": "Doe", "permissionType": 0, "role": 0, "socRoleId": 1, "email": "sample@domain.com", "userName": "0b3423496fc2-0834302-42f33d-8523408-18c087d2347cf1e", "imageBase64": null, "userType": 1, "identityProvider": -1, "providerName": "Internal", "advancedReportsAccess": 0, "accountState": 2, "lastLoginTime": 1679831126656, "previousLoginTime": 1678950002044, "lastPasswordChangeTime": 0, "lastPasswordChangeNotificationTime": 0, "loginWrongPasswordCount": 0, "isDeleted": false, "deletionTimeUnixTimeInMs": 0, "environments": ["*"], "id": 245, "creationTimeUnixTimeInMs": 1675457504856, "modificationTimeUnixTimeInMs": 1674957504856
    }

Check Entities Fields In Text

Description

Search for a specific field from each entity in scope (or multiple fields using regex) and compare it with one or more values. The compared values can also go through regex. A match is found if one of the post regex values from the entity enrichment is in one or more values searched in.

Parameters

Parameter Type Default Value Is Mandatory Description
SearchInData JSON [ { "Data": "[Event.from]", "RegEx": "(?<=@)[^.]+(?=\\.)" } ] Yes JSON that represents the string(s) you want to search in using this format: [ { "Data": "", "RegEx": "" } ]
FieldsInput JSON [ { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "" }, { "RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": "" }, { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "HostName: (.*?)" } ] Yes A JSON that describes what fields should be tested for [ "RegexForFieldName": “”,

"FieldName": "Field name to search",

"RegexForFieldValue": “”}]

ShouldEnrichEntity String domain_matched No If set to <VAL> will also put an enrichment value on the entity to be recognized as "matched” with the value.

The key will be <VAL>

IsCaseSensitive Checkbox Unselected No Specify if the field is case sensitive.

Example

In this scenario, we’re checking if an entity with a field name of “malicious” is in the text specified.

tools18

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Number of findings 0
  • JSON Result
    {
    "Entity": "EXL88765-AD", "EntityResult": [{"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": "", "ResultsToSearch": {"val_to_search": [[]], "found_results": [], "num_of_results": 0}}]
    }

Get Integration Instances

Description

Returns all integration instances for an environment.

Parameters

No parameters applicable.

Example

In this scenario, all integration instances in all environments will be returned.

tools19

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "instances": [{"identifier": "27dee746-1857-41b7-a722-b99699b8d6c8", "integrationIdentifier": "Tools", "environmentIdentifier": "Default", "instanceName": "Tools_1", "instanceDescription": "test", "isConfigured": true, "isRemote": false, "isSystemDefault": false},{...........}]
    }

Delay Playbook V2

Description

Temporarily stops a playbook from completing for a specified period of time.

Parameters

Parameter Type Default Value Is Mandatory Description
Seconds Integer 0 No Specify amount of seconds to delay playbook for.
Minutes Integer 1 No Specify amount of minutes to delay playbook for.
Hours Integer 0 No Specify amount of hours to delay playbook for.
Days Integer 0 No Specify amount of days to delay playbook for.
Cron Expression String N/A No Determines when the playbook should proceed using a cron expression. Will be prioritized over the other parameters.

Example

In this scenario, we’re delaying the playbook for 12 and a half hours.

tools20

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Get Original Alert Json

Description

Returns JSON result of the original alert (raw data).

Parameters

No Parameters Applicable

Example

In this scenario, the original raw json of the alert is returned.

tools21

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "CreatorUserId": null, "Events": [{"_fields": {"BaseEventIds": "[]", "ParentEventId": -1, "deviceEventClassId": "IRC Connections", "DeviceProduct": "IPS_Product", "StartTime": "1667497096184", "EndTime": "1667497096184"}, "_rawDataFields": {"applicationProtocol": "TCP", "categoryOutcome": "blocked", "destinationAddress": "104.131.182.103", "destinationHostName": "www.ircnet.org", "destinationPort": "770", "destinationProcessName": "MrlCS.sob", "destinationUserName": "XWTTRYzNr1l@gmail.com", "deviceAddress": "0.0.0.0", "deviceEventClassId": "IRC Connections", "deviceHostName": "ckIYC2", "Field_24": "B0:E7:DF:6C:EF:71", "deviceProduct": "IPS_Product", "deviceVendor": "Vendor", "endTime": "1667497110906", "eventId": "0aa16009-57b4-41a3-91ed-81347442ca29", "managerReceiptTime": "1522058997000", "message": "Connection to IRC Server", "name": "IRC Connections", "severity": "8", "sourceAddress": "0.0.0.0", "sourceHostName": "jhon@domain.local", "startTime": "1667497110906", "sourcetype": "Connection to IRC Server"}, "Environment": null, "SourceSystemName": null, "Extensions": []}], "Environment": "Default", "SourceSystemName": "Arcsight", "TicketId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Description": "IRC Connections", "DisplayId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Reason": null, "Name": "IRC Connections", "DeviceVendor": "IPS", "DeviceProduct": "IPS_Product", "StartTime": 1667497110906, "EndTime": 1667497110906, "Type": 1, "Priority": -1, "RuleGenerator": "IRC Connections", "SourceGroupingIdentifier": null, "PlaybookTriggerKeywords": [], "Extensions": [], "Attachments": null, "IsTrimmed": false, "DataType": 1, "SourceType": 1, "SourceSystemUrl": null, "SourceRuleIdentifier": null
    }

Get Current Time

Description

Returns the current date and time.

Parameters

Parameter Type Default Value Is Mandatory Description
Datetime Format String %d/%m/%Y %H:%M Yes Specify the format of the date and time.

Example

In this scenario, we’re returning a date and time value using the following format: %d/%m/%Y %H:%M:%S

tools22

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Date time value 03/11/2022 20:33:43

Update Alert Score

Description

Updates the alert score by the amount provided.

Parameters

Parameter Type Default Value Is Mandatory Description
Input Integer N/A Yes Specify the amount to increment or decrement (negative number) by.

Example

In this scenario, we’re decreasing the alert score by 20.

tools23

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Input Value -20

Add Comment to Entity Log

Description

Adds a comment to the entity log for each entity in score in the Entity Explorer.

Parameters

Parameter Type Default Value Is Mandatory Description
User Dropdown @Administrator Yes Specify the user created the comment.
Comment String N/A Yes Specify the comment that will be added to the entity log.

Example

tools24

Action Results

  • Script Result
    Script Result Name Value options Example
    N/A N/A N/A

Re-Attach Playbook

Description

Removes a playbook from a case, deletes any result data in the case from that playbook, and re-attaches the playbook so it will run again. Requires installation of PostgreSQL integration, configured to the Shared Environment with an instance name of Chronicle SOAR. See CSM / Support for additional details.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name Dropdown N/A Yes Specify the playbook to re-attach.

Example

In this scenario, we’re re-attaching a playbook called attach_playbook_test

tools25

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False/Please configure the Chronicle SOAR instance of the PostgreSQL integration. True

Lock Playbook

Description

Pauses the current playbook until all playbooks from the previous alert complete.

Parameters

Parameter Type Default Value Is Mandatory Description
Async Action Timeout Integers 1 Day No The timeout for async actions defines the total time permitted for this action (sums up all iterations runtime)
Async Polling Interval Integers 1 Hour No Set the duration between each polling attempt during an async action runtime.

Example

In this scenario , we’re pausing the current playbook and checking every 30 seconds to see if all playbooks in the previous alert in the case are complete.

tools26

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Find First Alert

Description

Returns the identifier of the first alert in a given case.

Parameters

No parameters applicable.

Example

In this scenario, it’s returning the alert identifier of the first alert in the case.

tools27

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult Alert Identifier Value IRC CONNECTIONS9A33308C-AC62-4A41-8F73-20529895D567

Look-A-Like Domains

Description

Compares domain entities against the list of domains defined for the environment. If the domains are similar the entity will be marked as suspicious and enriched with the matching domain.

Parameters

No parameters applicable

Example

In this scenario, we’re checking if external domain entities look similar to the domains configured in the domains list in settings.

tools28

Action Results

  • Script Result
    Script Result Name Value options Example
    look_a_like_domain_found True/False True
  • JSON Result
    {
    "Entity" : {"EntityResult" : { "look_a_like_domains" : ["outlooks.com"]}}
    }

Change Case Name

Description

Changes a case name or title.

Parameters

Parameter Type Default Value Is Mandatory Description
New Name String N/A No Specify the new name of the case.
Only If First Alert Checkbox Unselected No If selected, will only change the case’s name if the action was executed on the first alert in the case.

Example

In this scenario, the title of a case will be changed to “Phishing - Suspicious Email” only if it runs in the first alert.

tools29

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Spell Check String

Description

Check the input string spelling. It will output the percent accurate, total words, amount of misspelled words, list of each misspelled word and the correction, and a corrected version of the input string.

Parameters

Parameter Type Default Value Is Mandatory Description
String String N/A Yes Specify the string that will be checked for misspellings.

Example

In this scenario, we’re spell checking the input string “Testing if this is a mispelled wodr.”.

tools30

Action Results

  • Script Result
    Script Result Name Value options Example
    accuracy_percentage Percentage value 71
  • JSON Result
    {"input_string": "Testing if this is a mispelled wodr.", "total_words": 7, "total_misspelled_words": 2, "misspelled_words": [{"misspelled_word": "mispelled", "correction": "misspelled"}, {"misspelled_word": "wodr", "correction": "word"}], "accuracy": 71, "corrected_string": "Testing if this is a misspelled word."}

Search Text

Description

Search for the 'Search For' parameter in the input text or loop through the 'Search For Regex' list and find matches in the input text. If there is a match, the action will return true.

Parameters

Parameter Type Default Value Is Mandatory Description
Text String N/A Yes Specify the text that will be searched.
Search For String N/A No Specify the string to search in the “text” field.
Search For Regex String N/A No List of regexes that will be used to search the string. Regex should be wrapped in double quotes. Supports comma delimited list.
Case Sensitive Checkbox N/A No Specify whether the search should be case sensitive.

Example

In this scenario, we’re checking if the word "malicious" exists in the “Text” field value.

tools31

Action Results

  • Script Result
    Script Result Name Value options Example
    match_found True/False True
  • JSON Result
    {
    "matches": [{"search": "malicious", "input": "This IOC is malicious.", "match": true}]
    }

Set Context Value

Description

Sets a key and value in a specific context. This action is often used with the “Get context Value” action to retrieve the value of the key.

Parameters

Parameter Type Default Value Is Mandatory Description
Value String N/A Yes Specify the context value.
Key String N/A Yes Specify the context key.
Scope Dropdown Alert Yes Specify context assignment scope (Alert, Case, Global).

Example

In this scenario, we’re setting a context key of “malicious” to “yes” value.

tools32

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Create Siemplify Task

Description

Assigns a task to a user or role. The task will be related to the case the action ran on.

Parameters

Parameter Type Default Value Is Mandatory Description
Task Title String N/A No Specify the title of the task.
SLA (in minutes) Integer 480 Yes Specify the amount of time in minutes the assigned user/role has to respond to the task.
Task Content String N/A Yes Specify the details of the task.
Assign To Drop Down N/A Yes Specify the user or role that task will be assigned to.

Example

In this scenario, a task is created instructing Tier 3 to run a virus scan.

tools33

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Assign Case To User

Description

Assigns a case to a user.

Parameters

Parameter Type Default Value Is Mandatory Description
Case Id String N/A Yes Specify the case id. Use [Case.Id] for the current case.
Assign To String @Admin Yes Specify the user to assign a case to. This is the user's ID. Use “Get Siemplify Users” action to retrieve ID for a specific user.
Alert Id String
Yes Specify the alert id. Use [Alert.Identifier].

Example

In this scenario, we’re assigning the current case to a specific user using their ID.

tools34

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Get Case Data

Description

Retrieves all data from a case and returns a JSON result. The result includes comments, entity information, insights, playbooks that ran, alert information and events.

Parameters

Parameter Type Default Value Is Mandatory Description
Case Id Integer N/A No Specify the case Id to query. If left blank, it will use the current case.

Example

In this scenario, we’re retrieving case details from the current case.

tools35

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
    "wallData": [{"commentForClient": null, "comment": null, "modificationTimeUnixTimeInMsForClient": 0, "creatorUserId": "8f8er8d6-ee8b-478e-9ee592-cc27e9addda13b", "id": 6357, "type": 5, "caseId": 36902, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397165, "creationTimeUnixTimeInMs": 1680717397165, "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"}, {"actionTriggerType": 0, "integration": "Tools", "executingUser": null, "playbookName": "New Playbook", "playbookIsInDebugMode": true, "status": 5, "actionProvider": "Scripts", "actionIdentifier": "Tools_Get Case Data_1", "actionResult": "Action started", "alertIdentifiers": ["SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"], "creatorUserId": null, "id": 7677, "type": 3, "caseId": 0, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397401, "creationTimeUnixTimeInMs": 1680717397401, "alertIdentifier": null}], "alerts": [{"ticketId": "d21ebvcxzb88-35vc35-46b4-9edd08-063696d7cc092", "status": 0, "identifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "hasWorkflows": true, "workflowsStatus": 1, "sourceSystemName": "CrowdStrikeFalcon", "securityEventCards": [{"caseId": 36902, "eventId": "5fde7844-0099-4c5d-a562-63e2d0deb7e5", "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "eventName": "CustomIOAWinLowest", "product": "Falcon", "sources": [{"isValid": true, "identifier": "172.30.202.229", "type": "ADDRESS"}, {"isValid": true, "identifier": "EXLAB2019-AD", "type": "HOSTNAME"}, {"isValid": true, "identifier": "E019-AD$", "type": "USERUNIQNAME"}], "destinations": [], "artificats": [{"isValid": true, "identifier": "MPCMDRUN.EXE", "type": "FILENAME"}, {"isValid": true, "identifier": "60D88450B376694DC55EB8F40B0F79580D1DF399A7BDF", "type": "FILEHASH"}], "port": null, "outcome": null, "time": "2023-03-01T19:51:00Z", "deviceEventClassId": "Indicator of Attack", "fields": [{"isHighlight": true, "groupName": "HIGHLIGHTED FIELDS", "hideOptions": false, "items": [{"originalName": "startTime", "name": "Start Time", "value": "1680615463369"}, {"originalName": "endTime", "name": "End Time", "value": "1680615463369"}]}, {"isHighlight": false, "groupName": "Default", "hideOptions": false, "items": [{"originalName": "cid", "name": "cid", "value": "27fe4e4760b8476b2b6650e5a74"}, {"originalName": "created_timestamp", "name": "created_timestamp", "value": "2023-03-01T19:51:11.387187948Z"}........................
    }

Wait For Playbook to Complete

Description

Pauses the current playbook until another playbook or block, that is running on the same alert, completes.

Parameters

Parameter Type Default Value Is Mandatory Description
Playbook Name String N/A No Specify the name of the block or playbook that you want to complete first.

Example

In this scenario, we’re pausing the current playbook until the “investigation block” that’s running on the same alert is complete.

tools36

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True

Convert Into Simulated Case

Description

Converts a case into a simulated case that can be loaded into the platform.

Parameters

Parameter Type Default Value Is Mandatory Description
Push to Simulated Cases Checkbox Unselected No If selected, the case is added to the available simulated cases list.
Save JSON as Case Wall File Checkbox Selected No If selected, a JSON file which represents the case is saved to the case wall to be downloaded.
Override Alert Name String Empty No Specify a new alert name to be used. This parameter supersedes the Full Path Name parameter if selected.
Full path name Checkbox Unselected No If selected, use the alert name as source_product_eventtype —for example, QRadar_WinEventLog:Security_Remote fail login. This parameter is ignored if Override Alert Name is set.

Example

In this example, a case is converted to a simulated case using "Risky Sign On" as the alert name, which will be displayed as one of the available simulated cases in the homescreen.

convertsimcase1

convertsimcase2

Action Results

  • Script Result
    Script Result Name Value options Example
    ScriptResult True/False True
  • JSON Result
    {
      "cases": [
        {
          "CreatorUserId": null,
          "Events": [
            {
              "_fields": {
                "BaseEventIds": "[]",
                "ParentEventId": -1,
                "DeviceProduct": "WinEventLog:Security",
                "StartTime": "1689266169689",
                "EndTime": "1689266169689"
              },
              "_rawDataFields": {
                "sourcetype": "Failed login",
                "starttime": "1689702001439",
                "endtime": "1689702001439"
              },
              "Environment": null,
              "SourceSystemName": null,
              "Extensions": []
            }
          ],
          "Environment": "default",
          "SourceSystemName": "QRadar",
          "TicketId": "de2e3913-e4d8-4060-ae2b-1c81ee64ba47",
          "Description": "This case created by SPLUNK query ",
          "DisplayId": "de2e3913-e4d8-4060-ae2b-1c81ee64ba47",
          "Reason": null,
          "Name": "Risky Sign On",
          "DeviceVendor": "WIN-24TBDNRMSVB",
          "DeviceProduct": "WinEventLog:Security",
          "StartTime": 1689702001439,
          "EndTime": 1689702001439,
          "Type": 1,
          "Priority": -1,
          "RuleGenerator": "Remote Failed login",
          "SourceGroupingIdentifier": null,
          "PlaybookTriggerKeywords": [],
          "Extensions": [
            {
              "Key": "KeyName",
              "Value": "TCS"
            }
          ],
          "Attachments": null,
          "IsTrimmed": false,
          "DataType": 1,
          "SourceType": 1,
          "SourceSystemUrl": null,
          "SourceRuleIdentifier": null,
          "SiemAlertId": null,
          "__CorrelationId": "7efd38feaea247ad9f5ea8d907e4387c"
        }
      ]
    }
    

Jobs

Description

This job will close all cases based on a search query. The Search Payload is the payload used in the 'CaseSearchEverything' API call. To get an example of this value, go to Search in the UI and open Developer Tools. Search for the cases to delete. Look for the "CaseSearchEverything" api call in DevTools. Copy the JSON payload of the POST request and paste in "Search Payload". The Close Reason should be 0 or 1. 0 = malicious 1 = not malicious. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.

Parameters

Parameter Type Default Value Is Mandatory Description
Search Payload JSON N/A No Specify JSON payload to search. Example: {"tags":[],"ruleGenerator":[],"caseSource":[],"stage":[],"environments":[],"assignedUsers":[],"products":[],"ports":[],"categoryOutcomes":[],"status":[],"caseIds":[],"incident":[],"importance":[],"priorities":[],"pageSize":50,"isCaseClosed":false,"title":"","startTime":"2023-01-22T00:00:00.000Z","endTime":"2023-01-22T23:59:59.999Z","requestedPage":0,"timeRangeFilter":1}
Close Comment String N/A Yes Specify a close comment.
Close Reason String N/A Yes Specify the closure reason. 0 = malicious, 1 = not malicious
Root Cause Integer N/A Yes Specify root cause. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.
Chronicle SOAR Username String N/A Yes Specify Chronicle SOAR username.
Chronicle SOAR Password Password N/A Yes Specify Chronicle SOAR password.