Tools
Overview
A set of utility actions for data manipulation to power up playbook capabilities.
Actions
DNS Lookup
Description
Performs a DNS lookup using a specified DNS resolver.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
DNS Server | IP Address | N/A | Yes | Specify a single or comma separated DNS servers. |
Example
In this scenario, we’re using Google's public DNS address of 8.8.8.8 to look up external domain entities.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "Entity": "WWW.EXAMPLE.ORG", "EntityResult": [{"Type": "A", "Response": "176.9.157.114", "DNS Server": "8.8.8.8"}] }
Add Or Update Alert Additional Data
Description
Adds or updates fields in the alert additional data. Results will be shown in a field called “OFFENSE_ID” in the Alerts overview.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Json Fields | JSON | N/A | Yes | Specify either free text (for a single variable) or a string representing a JSON dictionary (can be nested). |
Example
In this scenario, we’re adding MITRE ATT&CK details to the alert, which will be displayed in the alerts overview.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | # of items in dictionary | 2 |
JSON Result
{ "dict": {"mitre": " T1059"}, "list": [] }
Attach Playbook to All Case Alerts
Description
Attaches a specific playbook or block to all alerts in a case.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | String | N/A | Yes | Specify the playbook or block name that will be added to all alerts in a case. |
Example
In this scenario, we’re attaching a playbook called “Phishing playbook” to all alerts in a case.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Attach Playbook to Alert
Description
Attaches a specific playbook or block to the current alert.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | String | N/A | Yes | Specify the playbook or block name that will be attached to the current alert. |
Example
In this scenario, we’re attaching a block called “Containment Block” to the current alert.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Buffer
Description
Convert a JSON input to a JSON object.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
ResultValue | String | N/A | No | Placeholder value that will be returned as the ScriptResult value. |
JSON | JSON | N/A | No | JSON that will be displayed in the expression builder. |
Example
In this scenario, JSON input value will be displayed in the JSON expression builder to be used for further actions.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | ResultValue parameter input value | success |
JSON Result
{ "domain" : "company.com", "domain2" : "company2.com" }
Get Certificate Details
Description
Retrieves certificate details of a given URL.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Url to check | URL | expired.badssl.com | Yes | Specify the URL to retrieve certificate details from. |
Example
In this scenario, we’re retrieving certificate details from expired.badssl.com site.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "hostname": "expired.badssl.com", "ip": "104.154.89.105", "commonName": "*.badssl.com", "is_self_signed": false, "SAN": [["*.badssl.com", "badssl.com"]], "is_expired": true, "issuer": "EXAMPLE CA", "not_valid_before": "04/09/2015", "not_valid_after": "04/12/2015", "days_to_expiration": -2762 }
Get Context Value
Description
Retrieves a value of a context key in a case or an alert.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Scope | Drop down | Alert | Yes | Specify the scope of the key values whether it’s in a case, alert or global. |
Key | String | N/A | Yes | Specify the key. |
Example
In this scenario, we’re retrieving a context value from a key called impact in a case. This action is used along with the “Set Context Value” action that adds the key value pairs to the case or alert.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Context value | High |
Get Email Templates
Description
Returns all email templates in the system.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Template Type | Drop down | Standard | Yes | Specify the template type to return whether standard or HTML. |
Example
In this scenario, we’re returning all HTML based email templates.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | JSON Result containing HTML code | JSON Result shown below |
JSON Result
{ "templates": [{"type": 1, "name": "test 1", "content": "<html>\n <head>\n <style type=\"text/css\"> .title\n\n { color: blue; text-decoration: bold; text-size: 1em; }\n .author\n { color: gray; }\n\n </style>\n </head>\n\n <body>\n <span class=\"title\">La super bonne</span>\n {Text}\n [Case.Id]\n </h1> <br/>\n </body>\n\n </html>", "creatorUserName": "f00942-fa040-4422324-b2c43e-de40fdsff122b9c4", "forMigration": false, "environments": ["Default"], "id": 3, "creationTimeUnixTimeInMs": 1672054127271, "modificationTimeUnixTimeInMs": 1672054127279}] }
Create Entities With Separator
Description
Creates entities and adds them to the alert.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Entities Identifiers | String | N/A | Yes | Specify the entity or entities to be added to the alert. |
Entity Type | String | N/A | Yes | Specify the entity type. |
Is Internal | Checkbox | Unselected | No | Check if the entity supplied is part of an internal network. |
Entities Separator | String | , | Yes | Specify the delimiter used in the entities identifiers field. |
Enrichment JSON | Dropdown | JSON | No | Specify enrichment data in JSON format. |
PrefixForEnrichment | String | N/A | No | Specify the prefix to add to the enrichment data. |
Example
In this scenario, we’re creating three IP entities and enriching them with a field called “is_suspicious”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "created": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], "enriched": ["0.0.0.0", "0.0.0.1", "0.0.0.2"], "failed": [] }
Update Case Description
Description
Updates the description of a case.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Case Description | String | N/A | Yes | Specify the updated description. |
Example
In this scenario, we’re updating the description of the case to “This case is related to suspicious logins.“.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Normalize Entity Enrichment
Description
Receives a list of keys from the entity and replaces them.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Normalization Data | JSON | N/A | Yes | Specify the JSON in the following format example: [ { "entity_field_name": "AT_fields_Name", "new_name": "InternalEnrichment_Name" }, { "entity_field_name": "AT_fields_Direct-Manager", "new_name": "InternalEnrichment_DirectManager_Name" }, { "entity_field_name": "AT_Manager_fields_Work-Email", "new_name": "InternalEnrichment_DirectManager_Email" } ] |
Example
In this scenario, we’re replacing the entity key of “is_bad” to “malicious”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of enriched entities | 5 |
Append to Context Value
Description
Appends a value to an existing context property or creates a new context property if it doesn't exist and adds the value.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Key | String | N/A | Yes | Specify the context property key. |
Value | String | N/A | Yes | Specify the value to append to the context property. |
Delimiter | String | N/A | Yes | Specify the delimiter used in the value field. |
Example
In this scenario, we’re adding values “T1595” and “T1140” to an existing context key of “MITRE”.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Context values | T1595, T1140 |
Create Entity Relationships
Description
Creates a relationship between the supplied entities and the linked entities. If the supplied entities do not exist, it will create them.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Entity Identifier(s) | String | N/A | Yes | Create new or use existing entity identifiers or comma-separated list of identifiers. |
Entity Identifier(s) Type | Drop Down | User Name | Yes | Specify the entity type. |
Connect As | Drop Down | Source | Yes | Connect entity identifiers using source, destination, or linked relationships to the target entity identifiers. |
Target Entity Type | Drop Down | Address | Yes | Specify the target entity type to connect the entity identifier(s) to. |
Target Entity Identifier(s) | String | N/A | No | Entities in this comma separated list, of the type from Target Entity Type, will be linked to the entities in the Entity Identifier(s) parameter. |
Enrichment JSON | JSON | N/A | No | An optional JSON object containing key / value pairs of attributes that can be added to the newly created entities. |
Separator Character | String | N/A | No | Specify the character to separate the list of entities in Entity Identifiers and/or Target Entity Identifiers by. Defaults to comma. |
Example
In this scenario, we’re creating a relationship between a user and a URL. In this case, Bola001 has accessed a URL of example.com.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "Entity": "Bola001", "EntityResult": {} }
Extract URL Domain
Description
Enriches all entities with a new field "siemplifytools_extracted_domain" containing the domain extracted from the entity identifier. If the entity has no domain (a file hash, for example), nothing is returned for it. In addition to entities, a list of URLs can be supplied as a parameter and processed the same way, without any enrichment.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Separator | String | , | Yes | Specify the separator string to use to separate URLs. |
URLs | String | N/A | No | Specify one or more URLs to extract the domain from. |
Extract subdomain | Checkbox | N/A | No | Specify if you want to extract the subdomain as well. |
Example
In this scenario, we're extracting the domain from the specified URL.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of extracted domains | 1 |
JSON Result
{ "Entity": "https://sample.google.com", "EntityResult": {"domain": "sample.google.com", "source_entity_type": "DestinationURL"} }
Check List Subset
Description
Checks if values in one list exist in another list.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Original | String | N/A | Yes | Specify the list of items to check against. Json list or comma separated. |
Subset | List | N/A | Yes | Specify the subset list. Json list or comma separated. |
Example
In this scenario, we’re checking if values 1,2,3 exist in the original list of 1,2,3,4,5 resulting in a true result value.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Add Alert Scoring Information
Description
Adds an entry to the alert scoring database. The alert score is based on the ratio: 5 Low = 1 Medium, 3 Medium = 1 High, 2 High = 1 Critical. An optional tag can be added to the case.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Name | String | N/A | Yes | Specify the name of the check being performed on the alert. |
Description | String | N/A | Yes | Specify the description of the check being performed on the alert. |
Severity | String | Informational | Yes | Specify the severity. |
Category | String | N/A | Yes | Specify the category of the check that was performed. |
Source | String | N/A | No | Specify the part of the alert the score was derived from. Example: Files, user, Email. |
Case Tag | String | N/A | No | Specify tags to add to the case. |
Example
In this scenario, we’re setting the alert score to high due to a suspicious result from VirusTotal.
Action Results
Script Result
Script Result Name | Value options | Example |
Alert_score | Informational, Low, Medium, High, Critical | High |
JSON Result
{ "category": "File Enrichment", "score_data": [{"score_name": "File Enrichment", "description": "VT has found a file to be suspicious", "severity": "High", "score": 3, "source": "VirusTotal"}], "category_score": 3 }
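The roll-up behind the ratio above, as an added example that is not the Tools integration's own code. It assumes severities map to ordinal scores Informational=0 to Critical=4 (consistent with "High" giving score 3 in the result above), that the carry is applied from Low upward, and that the alert score is the highest level reached; the function and field names are constructed to mirror the action's parameters and JSON result.

```python
# Added example (not the Tools integration's own code): roll alert-scoring
# entries up to an alert score using the documented ratio
# (5 Low = 1 Medium, 3 Medium = 1 High, 2 High = 1 Critical).
# Assumption: ordinal scores Informational=0 .. Critical=4, carry applied from
# Low upward, alert score = highest level reached after carrying.
from collections import Counter

SEVERITY_SCORE = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SCORE_SEVERITY = {score: sev for sev, score in SEVERITY_SCORE.items()}
# How many entries at one level count as one entry at the next level.
CARRY = {"Low": (5, "Medium"), "Medium": (3, "High"), "High": (2, "Critical")}


def score_entry(name, description, severity, source=""):
    """One element of score_data, shaped like the action's JSON result."""
    if severity not in SEVERITY_SCORE:
        raise ValueError(f"unknown severity {severity!r}")
    return {"score_name": name, "description": description, "severity": severity,
            "score": SEVERITY_SCORE[severity], "source": source}


def roll_up(entries):
    """Apply the carry ratios to a list of entries; return (severity, score)."""
    counts = Counter(e["severity"] for e in entries)
    for level, (per_next, next_level) in CARRY.items():
        promoted, counts[level] = divmod(counts[level], per_next)
        counts[next_level] += promoted
    top = max((SEVERITY_SCORE[s] for s, n in counts.items() if n > 0), default=0)
    return SCORE_SEVERITY[top], top


def score_alert(checks):
    """Group checks by category; return ({category: result}, alert_severity).

    Each check is a dict with name, description, severity, category and an
    optional source (the action's parameters); each result has the shape of
    the action's JSON result for that category."""
    by_category = {}
    for c in checks:
        entry = score_entry(c["name"], c["description"], c["severity"], c.get("source", ""))
        by_category.setdefault(c["category"], []).append(entry)
    results = {}
    for category, entries in by_category.items():
        _, category_score = roll_up(entries)
        results[category] = {"category": category, "score_data": entries,
                             "category_score": category_score}
    alert_severity, _ = roll_up([e for es in by_category.values() for e in es])
    return results, alert_severity


if __name__ == "__main__":
    # Constructed checks: the page's VirusTotal finding plus five low-scoring ones,
    # which together carry up to one Medium in their own category.
    checks = [{"name": "File Enrichment", "description": "VT has found a file to be suspicious",
               "severity": "High", "category": "File Enrichment", "source": "VirusTotal"}]
    checks += [{"name": f"Check {i}", "description": "minor anomaly", "severity": "Low",
                "category": "User Behaviour"} for i in range(5)]
    results, severity = score_alert(checks)
    print(severity, results["File Enrichment"]["category_score"],
          results["User Behaviour"]["category_score"])
```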
Get Siemplify Users
Description
Returns list of all users configured in the system.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Hide Disabled Users | Checkbox | Selected | No | Specify whether to hide disabled users from the results. |
Example
In this scenario, we’re returning all users in the system including disabled users.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "siemplifyUsers": [{"permissionGroup": "Admins", "socRole": "@Administrator", "isDisabled": false, "loginIdentifier": "sample@domain.com", "firstName": "John", "lastName": "Doe", "permissionType": 0, "role": 0, "socRoleId": 1, "email": "sample@domain.com", "userName": "0b3423496fc2-0834302-42f33d-8523408-18c087d2347cf1e", "imageBase64": null, "userType": 1, "identityProvider": -1, "providerName": "Internal", "advancedReportsAccess": 0, "accountState": 2, "lastLoginTime": 1679831126656, "previousLoginTime": 1678950002044, "lastPasswordChangeTime": 0, "lastPasswordChangeNotificationTime": 0, "loginWrongPasswordCount": 0, "isDeleted": false, "deletionTimeUnixTimeInMs": 0, "environments": ["*"], "id": 245, "creationTimeUnixTimeInMs": 1675457504856, "modificationTimeUnixTimeInMs": 1674957504856}] }
Check Entities Fields In Text
Description
Search for a specific field from each entity in scope (or multiple fields using regex) and compare it with one or more values. The compared values can also go through regex. A match is found if one of the post regex values from the entity enrichment is in one or more values searched in.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
SearchInData | JSON | [ { "Data": "[Event.from]", "RegEx": "(?<=@)[^.]+(?=\\.)" } ] | Yes | JSON that represents the string(s) you want to search in using this format: [ { "Data": "", "RegEx": "" } ] |
FieldsInput | JSON | [ { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "" }, { "RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": "" }, { "RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": "HostName: (.*?)" } ] | Yes | A JSON that describes which fields should be tested, in the format: [ { "RegexForFieldName": "", "FieldName": "Field name to search", "RegexForFieldValue": "" } ] |
ShouldEnrichEntity | String | domain_matched | No | If set to <VAL>, also puts an enrichment value on the entity so it is recognized as "matched" with the value. The enrichment key will be <VAL>. |
IsCaseSensitive | Checkbox | Unselected | No | Specify if the field is case sensitive. |
Example
In this scenario, we’re checking if an entity with a field name of “malicious” is in the text specified.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Number of findings | 0 |
JSON Result
{ "Entity": "EXL88765-AD", "EntityResult": [{"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": "", "ResultsToSearch": {"val_to_search": [[]], "found_results": [], "num_of_results": 0}}] }
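The matching logic this action describes, run over constructed entity enrichment and search data, as an added example that is not the Tools integration's own code. It assumes that an empty RegEx or RegexForFieldValue uses the whole string, that a regex with a capture group yields group 1 (otherwise the full match), that RegexForFieldName is matched against the whole field name, and that "is in" means substring containment; the entities, fields and the check_entities function are constructed.

```python
# Added example (not the Tools integration's own code): field-in-text matching
# in the shape of the Check Entities Fields In Text parameters and JSON result.
# Assumptions: empty regex = whole string; capture group 1 if present; field-name
# regex must match the whole name; "is in" = substring containment.
import re


def _extract(regex, value, flags):
    """Strings a regex yields from value; the whole value when regex is empty."""
    if not regex:
        return [value]
    return [m.group(1) if m.groups() else m.group(0)
            for m in re.finditer(regex, value, flags)]


def _contains(needle, hay, case_sensitive):
    if not case_sensitive:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def check_entities(entities, search_in_data, fields_input,
                   should_enrich="domain_matched", case_sensitive=False):
    """Return (per-entity results, enrichment, number of findings).

    entities maps an identifier to its enrichment fields; search_in_data and
    fields_input have the shape of the action's parameters of the same name."""
    flags = 0 if case_sensitive else re.IGNORECASE
    val_to_search = [_extract(i["RegEx"], i["Data"], flags) for i in search_in_data]
    output, enrichment, total = [], {}, 0
    for identifier, fields in entities.items():
        entity_results, matched = [], []
        for spec in fields_input:
            if spec["FieldName"]:
                names = [spec["FieldName"]] if spec["FieldName"] in fields else []
            else:
                names = [n for n in fields
                         if re.fullmatch(spec["RegexForFieldName"], n, flags)]
            found = []
            for name in names:
                for value in _extract(spec["RegexForFieldValue"], str(fields[name]), flags):
                    if not value:
                        continue  # an empty string is "in" everything; never a finding
                    for target in (t for group in val_to_search for t in group):
                        if _contains(value, target, case_sensitive):
                            found.append({"field": name, "value": value, "found_in": target})
                            matched.append(value)
            entity_results.append({
                "RegexForFieldName": spec["RegexForFieldName"],
                "FieldName": spec["FieldName"],
                "RegexForFieldValue": spec["RegexForFieldValue"],
                "ResultsToSearch": {"val_to_search": val_to_search,
                                    "found_results": found,
                                    "num_of_results": len(found)}})
            total += len(found)
        if matched and should_enrich:
            # Enrichment key is the ShouldEnrichEntity value, value is what matched.
            enrichment[identifier] = {should_enrich: ", ".join(dict.fromkeys(matched))}
        output.append({"Entity": identifier, "EntityResult": entity_results})
    return output, enrichment, total


# Constructed sample data (not from the original page).
SEARCH_IN_DATA = [
    {"Data": "alice@contoso.example", "RegEx": r"(?<=@)[^.]+(?=\.)"},  # yields "contoso"
    {"Data": "Host CONTOSO-DC01 contacted https://contoso.example/login", "RegEx": ""},
]
FIELDS_INPUT = [
    {"RegexForFieldName": "", "FieldName": "malicious", "RegexForFieldValue": ""},
    {"RegexForFieldName": ".*(_url_).*", "FieldName": "", "RegexForFieldValue": ""},
    {"RegexForFieldName": "", "FieldName": "body", "RegexForFieldValue": r"HostName: (\S+)"},
]
ENTITIES = {
    "EXL88765-AD": {"malicious": "", "body": "HostName: contoso-dc01 rebooted"},
    "Bola001": {"malicious": "", "remote_url_hash": "abc",
                "source_url_2": "https://contoso.example/login", "body": "no host"},
}

if __name__ == "__main__":
    results, enrichment, n = check_entities(ENTITIES, SEARCH_IN_DATA, FIELDS_INPUT)
    print(n, enrichment)
```

With the default case-insensitive setting the hostname extracted from EXL88765-AD's body and Bola001's URL are both found; with IsCaseSensitive only the URL matches, because the search text spells the host in upper case.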
Get Integration Instances
Description
Returns all integration instances for an environment.
Parameters
No parameters applicable.
Example
In this scenario, all integration instances in all environments will be returned.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "instances": [{"identifier": "27dee746-1857-41b7-a722-b99699b8d6c8", "integrationIdentifier": "Tools", "environmentIdentifier": "Default", "instanceName": "Tools_1", "instanceDescription": "test", "isConfigured": true, "isRemote": false, "isSystemDefault": false},{...........}] }
Delay Playbook V2
Description
Temporarily stops a playbook from completing for a specified period of time.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Seconds | Integer | 0 | No | Specify amount of seconds to delay playbook for. |
Minutes | Integer | 1 | No | Specify amount of minutes to delay playbook for. |
Hours | Integer | 0 | No | Specify amount of hours to delay playbook for. |
Days | Integer | 0 | No | Specify amount of days to delay playbook for. |
Cron Expression | String | N/A | No | Determines when the playbook should proceed using a cron expression. Will be prioritized over the other parameters. |
Example
In this scenario, we’re delaying the playbook for 12 and a half hours.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Get Original Alert Json
Description
Returns JSON result of the original alert (raw data).
Parameters
No parameters applicable.
Example
In this scenario, the original raw JSON of the alert is returned.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "CreatorUserId": null, "Events": [{"_fields": {"BaseEventIds": "[]", "ParentEventId": -1, "deviceEventClassId": "IRC Connections", "DeviceProduct": "IPS_Product", "StartTime": "1667497096184", "EndTime": "1667497096184"}, "_rawDataFields": {"applicationProtocol": "TCP", "categoryOutcome": "blocked", "destinationAddress": "104.131.182.103", "destinationHostName": "www.ircnet.org", "destinationPort": "770", "destinationProcessName": "MrlCS.sob", "destinationUserName": "XWTTRYzNr1l@gmail.com", "deviceAddress": "0.0.0.0", "deviceEventClassId": "IRC Connections", "deviceHostName": "ckIYC2", "Field_24": "B0:E7:DF:6C:EF:71", "deviceProduct": "IPS_Product", "deviceVendor": "Vendor", "endTime": "1667497110906", "eventId": "0aa16009-57b4-41a3-91ed-81347442ca29", "managerReceiptTime": "1522058997000", "message": "Connection to IRC Server", "name": "IRC Connections", "severity": "8", "sourceAddress": "0.0.0.0", "sourceHostName": "jhon@domain.local", "startTime": "1667497110906", "sourcetype": "Connection to IRC Server"}, "Environment": null, "SourceSystemName": null, "Extensions": []}], "Environment": "Default", "SourceSystemName": "Arcsight", "TicketId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Description": "IRC Connections", "DisplayId": "fab1b5a1-637f-4aed-a94f-c63137307505", "Reason": null, "Name": "IRC Connections", "DeviceVendor": "IPS", "DeviceProduct": "IPS_Product", "StartTime": 1667497110906, "EndTime": 1667497110906, "Type": 1, "Priority": -1, "RuleGenerator": "IRC Connections", "SourceGroupingIdentifier": null, "PlaybookTriggerKeywords": [], "Extensions": [], "Attachments": null, "IsTrimmed": false, "DataType": 1, "SourceType": 1, "SourceSystemUrl": null, "SourceRuleIdentifier": null }
Get Current Time
Description
Returns the current date and time.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Datetime Format | String | %d/%m/%Y %H:%M | Yes | Specify the format of the date and time. |
Example
In this scenario, we’re returning a date and time value using the following format: %d/%m/%Y %H:%M:%S
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Date time value | 03/11/2022 20:33:43 |
Update Alert Score
Description
Updates the alert score by the amount provided.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Input | Integer | N/A | Yes | Specify the amount to increment or decrement (negative number) by. |
Example
In this scenario, we’re decreasing the alert score by 20.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Input Value | -20 |
Add Comment to Entity Log
Description
Adds a comment to the entity log for each entity in scope in the Entity Explorer.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
User | Dropdown | @Administrator | Yes | Specify the user who created the comment. |
Comment | String | N/A | Yes | Specify the comment that will be added to the entity log. |
Example
Action Results
Script Result
Script Result Name | Value options | Example |
N/A | N/A | N/A |
Re-Attach Playbook
Description
Removes a playbook from a case, deletes any result data in the case from that playbook, and re-attaches the playbook so it will run again. Requires installation of PostgreSQL integration, configured to the Shared Environment with an instance name of Chronicle SOAR. See CSM / Support for additional details.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | Dropdown | N/A | Yes | Specify the playbook to re-attach. |
Example
In this scenario, we’re re-attaching a playbook called attach_playbook_test
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False/Please configure the Chronicle SOAR instance of the PostgreSQL integration. | True |
Lock Playbook
Description
Pauses the current playbook until all playbooks from the previous alert complete.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Async Action Timeout | Integer | 1 Day | No | Specify the total time permitted for this action, summed over all polling iterations. |
Async Polling Interval | Integer | 1 Hour | No | Specify the duration between each polling attempt during an async action runtime. |
Example
In this scenario, we’re pausing the current playbook and checking every 30 seconds to see whether all playbooks in the previous alert in the case are complete.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Find First Alert
Description
Returns the identifier of the first alert in a given case.
Parameters
No parameters applicable.
Example
In this scenario, it’s returning the alert identifier of the first alert in the case.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | Alert Identifier Value | IRC CONNECTIONS9A33308C-AC62-4A41-8F73-20529895D567 |
Look-A-Like Domains
Description
Compares domain entities against the list of domains defined for the environment. If the domains are similar the entity will be marked as suspicious and enriched with the matching domain.
Parameters
No parameters applicable.
Example
In this scenario, we’re checking if external domain entities look similar to the domains configured in the domains list in settings.
Action Results
Script Result
Script Result Name | Value options | Example |
look_a_like_domain_found | True/False | True |
JSON Result
{ "Entity" : {"EntityResult" : { "look_a_like_domains" : ["outlooks.com"]}} }
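A detection of this kind, as an added example that is not the Tools integration's own code. The action does not document its similarity metric, so this assumes "similar" means a Levenshtein edit distance of at most MAX_DISTANCE between the entity and a configured domain, excludes exact matches (the environment's own domains), and enriches the entity with the configured domain(s) it resembles; the configured list and entity names are constructed.

```python
# Added example (not the Tools integration's own code): flag domain entities
# that are within a small edit distance of the environment's configured domains.
# Assumption: Levenshtein distance <= MAX_DISTANCE counts as "similar"; exact
# matches are the organisation's own domains and are not flagged.
MAX_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def look_a_like_domains(entity, configured_domains, max_distance=MAX_DISTANCE):
    """Configured domains the entity resembles, closest first."""
    entity = entity.lower().rstrip(".")
    hits = []
    for domain in configured_domains:
        domain = domain.lower().rstrip(".")
        distance = levenshtein(entity, domain)
        if 0 < distance <= max_distance:  # 0 means it is one of our own domains
            hits.append((distance, domain))
    return [domain for _, domain in sorted(hits)]


def run(entities, configured_domains):
    """Return (look_a_like_domain_found, enrichment shaped like the JSON result above)."""
    enrichment = {}
    for entity in entities:
        matches = look_a_like_domains(entity, configured_domains)
        if matches:
            enrichment[entity] = {"EntityResult": {"look_a_like_domains": matches,
                                                   "is_suspicious": True}}
    return bool(enrichment), enrichment


if __name__ == "__main__":
    # Constructed environment domain list and external domain entities.
    found, result = run(["outlooks.com", "examp1e.org", "github.com"],
                        ["outlook.com", "example.org"])
    print(found, result)
```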
Change Case Name
Description
Changes a case name or title.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
New Name | String | N/A | No | Specify the new name of the case. |
Only If First Alert | Checkbox | Unselected | No | If selected, will only change the case’s name if the action was executed on the first alert in the case. |
Example
In this scenario, the title of a case will be changed to “Phishing - Suspicious Email” only if it runs in the first alert.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Spell Check String
Description
Check the input string spelling. It will output the percent accurate, total words, amount of misspelled words, list of each misspelled word and the correction, and a corrected version of the input string.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
String | String | N/A | Yes | Specify the string that will be checked for misspellings. |
Example
In this scenario, we’re spell checking the input string “Testing if this is a mispelled wodr.”.
Action Results
Script Result
Script Result Name | Value options | Example |
accuracy_percentage | Percentage value | 71 |
JSON Result
{"input_string": "Testing if this is a mispelled wodr.", "total_words": 7, "total_misspelled_words": 2, "misspelled_words": [{"misspelled_word": "mispelled", "correction": "misspelled"}, {"misspelled_word": "wodr", "correction": "word"}], "accuracy": 71, "corrected_string": "Testing if this is a misspelled word."}
Search Text
Description
Search for the 'Search For' parameter in the input text or loop through the 'Search For Regex' list and find matches in the input text. If there is a match, the action will return true.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Text | String | N/A | Yes | Specify the text that will be searched. |
Search For | String | N/A | No | Specify the string to search in the “text” field. |
Search For Regex | String | N/A | No | List of regexes that will be used to search the string. Regex should be wrapped in double quotes. Supports comma delimited list. |
Case Sensitive | Checkbox | N/A | No | Specify whether the search should be case sensitive. |
Example
In this scenario, we’re checking if the word "malicious" exists in the “Text” field value.
Action Results
Script Result
Script Result Name | Value options | Example |
match_found | True/False | True |
JSON Result
{ "matches": [{"search": "malicious", "input": "This IOC is malicious.", "match": true}] }
Set Context Value
Description
Sets a key and value in a specific context. This action is often used with the “Get Context Value” action to retrieve the value of the key.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Value | String | N/A | Yes | Specify the context value. |
Key | String | N/A | Yes | Specify the context key. |
Scope | Dropdown | Alert | Yes | Specify context assignment scope (Alert, Case, Global). |
Example
In this scenario, we’re setting a context key of “malicious” to “yes” value.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Create Siemplify Task
Description
Assigns a task to a user or role. The task will be related to the case the action ran on.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Task Title | String | N/A | No | Specify the title of the task. |
SLA (in minutes) | Integer | 480 | Yes | Specify the amount of time in minutes the assigned user/role has to respond to the task. |
Task Content | String | N/A | Yes | Specify the details of the task. |
Assign To | Drop Down | N/A | Yes | Specify the user or role that task will be assigned to. |
Example
In this scenario, a task is created instructing Tier 3 to run a virus scan.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Assign Case To User
Description
Assigns a case to a user.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Case Id | String | N/A | Yes | Specify the case id. Use [Case.Id] for the current case. |
Assign To | String | @Admin | Yes | Specify the user to assign a case to. This is the user's ID. Use “Get Siemplify Users” action to retrieve ID for a specific user. |
Alert Id | String | N/A | Yes | Specify the alert id. Use [Alert.Identifier]. |
Example
In this scenario, we’re assigning the current case to a specific user using their ID.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Get Case Data
Description
Retrieves all data from a case and returns a JSON result. The result includes comments, entity information, insights, playbooks that ran, alert information and events.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Case Id | Integer | N/A | No | Specify the case Id to query. If left blank, it will use the current case. |
Example
In this scenario, we’re retrieving case details from the current case.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "wallData": [{"commentForClient": null, "comment": null, "modificationTimeUnixTimeInMsForClient": 0, "creatorUserId": "8f8er8d6-ee8b-478e-9ee592-cc27e9addda13b", "id": 6357, "type": 5, "caseId": 36902, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397165, "creationTimeUnixTimeInMs": 1680717397165, "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"}, {"actionTriggerType": 0, "integration": "Tools", "executingUser": null, "playbookName": "New Playbook", "playbookIsInDebugMode": true, "status": 5, "actionProvider": "Scripts", "actionIdentifier": "Tools_Get Case Data_1", "actionResult": "Action started", "alertIdentifiers": ["SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE"], "creatorUserId": null, "id": 7677, "type": 3, "caseId": 0, "isFavorite": false, "modificationTimeUnixTimeInMs": 1680717397401, "creationTimeUnixTimeInMs": 1680717397401, "alertIdentifier": null}], "alerts": [{"ticketId": "d21ebvcxzb88-35vc35-46b4-9edd08-063696d7cc092", "status": 0, "identifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "hasWorkflows": true, "workflowsStatus": 1, "sourceSystemName": "CrowdStrikeFalcon", "securityEventCards": [{"caseId": 36902, "eventId": "5fde7844-0099-4c5d-a562-63e2d0deb7e5", "alertIdentifier": "SUSPICIOUS ACTIVITY991C7837-1EE9-4EEA-AE7B-975366CA2EAE", "eventName": "CustomIOAWinLowest", "product": "Falcon", "sources": [{"isValid": true, "identifier": "172.30.202.229", "type": "ADDRESS"}, {"isValid": true, "identifier": "EXLAB2019-AD", "type": "HOSTNAME"}, {"isValid": true, "identifier": "E019-AD$", "type": "USERUNIQNAME"}], "destinations": [], "artificats": [{"isValid": true, "identifier": "MPCMDRUN.EXE", "type": "FILENAME"}, {"isValid": true, "identifier": "60D88450B376694DC55EB8F40B0F79580D1DF399A7BDF", "type": "FILEHASH"}], "port": null, "outcome": null, "time": "2023-03-01T19:51:00Z", "deviceEventClassId": "Indicator of Attack", "fields": [{"isHighlight": true, "groupName": "HIGHLIGHTED FIELDS", "hideOptions": false, "items": [{"originalName": "startTime", "name": "Start Time", "value": "1680615463369"}, {"originalName": "endTime", "name": "End Time", "value": "1680615463369"}]}, {"isHighlight": false, "groupName": "Default", "hideOptions": false, "items": [{"originalName": "cid", "name": "cid", "value": "27fe4e4760b8476b2b6650e5a74"}, {"originalName": "created_timestamp", "name": "created_timestamp", "value": "2023-03-01T19:51:11.387187948Z"}........................ }
Wait For Playbook to Complete
Description
Pauses the current playbook until another playbook or block, that is running on the same alert, completes.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Playbook Name | String | N/A | No | Specify the name of the block or playbook that you want to complete first. |
Example
In this scenario, we’re pausing the current playbook until the “investigation block” that’s running on the same alert is complete.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
Convert Into Simulated Case
Description
Converts a case into a simulated case that can be loaded into the platform.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Push to Simulated Cases | Checkbox | Unselected | No | If selected, the case is added to the available simulated cases list. |
Save JSON as Case Wall File | Checkbox | Selected | No | If selected, a JSON file which represents the case is saved to the case wall to be downloaded. |
Override Alert Name | String | Empty | No | Specify a new alert name to be used. This parameter supersedes the Full Path Name parameter if selected. |
Full path name | Checkbox | Unselected | No | If selected, use the alert name as source_product_eventtype, for example QRadar_WinEventLog:Security_Remote fail login. This parameter is ignored if Override Alert Name is set. |
Example
In this example, a case is converted to a simulated case using "Risky Sign On" as the alert name, which will be displayed as one of the available simulated cases in the homescreen.
Action Results
Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
JSON Result
{ "cases": [ { "CreatorUserId": null, "Events": [ { "_fields": { "BaseEventIds": "[]", "ParentEventId": -1, "DeviceProduct": "WinEventLog:Security", "StartTime": "1689266169689", "EndTime": "1689266169689" }, "_rawDataFields": { "sourcetype": "Failed login", "starttime": "1689702001439", "endtime": "1689702001439" }, "Environment": null, "SourceSystemName": null, "Extensions": [] } ], "Environment": "default", "SourceSystemName": "QRadar", "TicketId": "de2e3913-e4d8-4060-ae2b-1c81ee64ba47", "Description": "This case created by SPLUNK query", "DisplayId": "de2e3913-e4d8-4060-ae2b-1c81ee64ba47", "Reason": null, "Name": "Risky Sign On", "DeviceVendor": "WIN-24TBDNRMSVB", "DeviceProduct": "WinEventLog:Security", "StartTime": 1689702001439, "EndTime": 1689702001439, "Type": 1, "Priority": -1, "RuleGenerator": "Remote Failed login", "SourceGroupingIdentifier": null, "PlaybookTriggerKeywords": [], "Extensions": [ { "Key": "KeyName", "Value": "TCS" } ], "Attachments": null, "IsTrimmed": false, "DataType": 1, "SourceType": 1, "SourceSystemUrl": null, "SourceRuleIdentifier": null, "SiemAlertId": null, "__CorrelationId": "7efd38feaea247ad9f5ea8d907e4387c" } ] }
Jobs
Close Cases Based On Search
Description
This job closes all cases matched by a search query. The Search Payload is the payload used in the 'CaseSearchEverything' API call. To obtain an example of this value, go to Search in the UI and open Developer Tools, search for the cases to close, look for the "CaseSearchEverything" API call in DevTools, then copy the JSON payload of the POST request and paste it into "Search Payload". The Close Reason should be 0 or 1: 0 = malicious, 1 = not malicious. Root Cause comes from Settings -> Case Data -> Case Close Root Cause.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Search Payload | JSON | N/A | No | Specify JSON payload to search. Example: {"tags":[],"ruleGenerator":[],"caseSource":[],"stage":[],"environments":[],"assignedUsers":[],"products":[],"ports":[],"categoryOutcomes":[],"status":[],"caseIds":[],"incident":[],"importance":[],"priorities":[],"pageSize":50,"isCaseClosed":false,"title":"","startTime":"2023-01-22T00:00:00.000Z","endTime":"2023-01-22T23:59:59.999Z","requestedPage":0,"timeRangeFilter":1} |
Close Comment | String | N/A | Yes | Specify a close comment. |
Close Reason | String | N/A | Yes | Specify the closure reason. 0 = malicious, 1 = not malicious |
Root Cause | Integer | N/A | Yes | Specify root cause. Root Cause comes from Settings -> Case Data -> Case Close Root Cause. |
Chronicle SOAR Username | String | N/A | Yes | Specify Chronicle SOAR username. |
Chronicle SOAR Password | Password | N/A | Yes | Specify Chronicle SOAR password. |