I am currently working on a custom action to copy entities from a source case to the current case. Despite the source case (ID: 18545, which I added as a parameter) having entities, the action reports that zero entities were added. Here's the code I'm using:
from SiemplifyAction import SiemplifyAction
from Siemplify import Siemplify
from SiemplifyUtils import output_handler


@output_handler
def main():
    siemplify_action = SiemplifyAction()
    # Retrieve the source case ID from the action parameters
    source_case_id = siemplify_action.extract_action_param(param_name="source_case_id", is_mandatory=True)
    # Get the current case
    current_case = siemplify_action.case
    # Create an instance of Siemplify to access get_case_by_id
    siemplify = Siemplify()
    # Retrieve the source case
    try:
        source_case = siemplify._get_case_by_id(int(source_case_id))
    except Exception as e:
        siemplify_action.LOGGER.error(f"Error retrieving case with ID {source_case_id}: {str(e)}")
        siemplify_action.end(f"Could not retrieve case with ID {source_case_id}.", False)
        return
    source_entities = source_case.get("entities", [])
    # Add entities to the current case
    for entity in source_entities:
        siemplify_action.add_entity_to_case(
            entity_identifier=entity.identifier,
            entity_type=entity.entity_type,
            is_internal=entity.is_internal,
            is_suspicious=entity.is_suspicious,
            is_enriched=entity.is_enriched,
            is_vulnerable=entity.is_vulnerable,
            properties=entity.properties
        )
    siemplify_action.end(f"Added {len(source_entities)} entities from case {source_case_id} to the current case.", True)


if __name__ == "__main__":
    main()
Issue:
The output message is:
Added 0 entities from case 18545 to the current case.
However, I have confirmed that case 18545 contains entities. I suspect the problem might be with the line:
source_entities = source_case.get("entities", [])
Perhaps the key "entities" is incorrect or not returning the expected data. I've also tried using get_case_by_id, but it results in an error, so I'm using the private method _get_case_by_id for now.
Question:
Is "entities" the correct key to access the list of entities from a case object retrieved via _get_case_by_id?
If not, what is the correct way to access the entities from a source case?
Are there any best practices for copying entities from one case to another?
Any guidance or suggestions would be greatly appreciated.
Thank you!
I managed to find the solution, which is the following:
from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import output_handler
import json


@output_handler
def main():
    siemplify = SiemplifyAction()
    source_case_id = siemplify.extract_action_param(param_name="source_case_id", is_mandatory=True)
    try:
        # Get the full case as a dictionary
        source_case = siemplify._get_case_by_id(int(source_case_id))
        # Print the complete content of the case for debugging
        print(json.dumps(source_case, indent=4))
    except Exception as e:
        siemplify.LOGGER.error(f"Error retrieving the case with ID {source_case_id}: {str(e)}")
        siemplify.end(f"Failed to retrieve the case with ID {source_case_id}.", False)
        return
    # List to store the found entities as (identifier, entity_type) pairs.
    # Entities live under each alert ("cyber_alerts" -> "domain_entities"),
    # not under a top-level "entities" key.
    found_entities = []
    # Iterate over the alerts in the case
    for alert in source_case.get("cyber_alerts", []):
        for entity in alert.get("domain_entities", []):
            identifier = entity.get("identifier")
            entity_type = entity.get("entity_type")
            if identifier and entity_type:
                found_entities.append((identifier, entity_type))
    # Remove duplicates (the same entity can appear in several alerts)
    unique_entities = list(set(found_entities))
    if not unique_entities:
        siemplify.end(f"No entities found in case {source_case_id}.", True)
        return
    # Add the entities to the current case
    added_count = 0
    for identifier, entity_type in unique_entities:
        try:
            siemplify.add_entity_to_case(
                entity_identifier=identifier,
                entity_type=entity_type,
                is_internal=False,
                is_suspicous=False,  # keyword spelled as in the SDK's own parameter name
                is_enriched=False,
                is_vulnerable=False,
                properties={}
            )
            added_count += 1
        except Exception as e:
            siemplify.LOGGER.error(f"Failed to add entity {identifier} to the current case: {str(e)}")
    siemplify.end(f"Successfully added {added_count} entities from case {source_case_id} to the current case.", True)


if __name__ == "__main__":
    main()
I used the method _get_case_by_id to get the full information of the source case, whose id is located in source_case_id, as a dictionary. Then I printed the full case data with print(json.dumps(source_case, indent=4)).
From that printed information, I extracted the identifier (the entity's unique value) and the entity_type and made a list with them. And finally, I added the entities of that list to the Test case, which in my case was empty. By doing this, the entities of the case source_case_id will be copied into the Test case.
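As an added example (not code from the post or from the Siemplify SDK), the extraction step of the accepted solution as a stand-alone function that can be tested offline against a constructed case dictionary. It also shows why the original `source_case.get("entities", [])` returned nothing, and merges each entity's triage flags across alerts instead of resetting them all to False; the flag key names on the entity dicts are an assumption, not taken from the post.

```python
import json

# Constructed sample of the dictionary _get_case_by_id returns, trimmed to the
# keys the solution relies on. The per-entity flag keys are assumed names.
SAMPLE_CASE = json.loads("""
{
  "id": 18545,
  "cyber_alerts": [
    {"identifier": "alert-1",
     "domain_entities": [
       {"identifier": "10.0.0.5", "entity_type": "ADDRESS",
        "is_internal": true, "is_suspicious": false},
       {"identifier": "evil.example", "entity_type": "HOSTNAME",
        "is_internal": false, "is_suspicious": true}
     ]},
    {"identifier": "alert-2",
     "domain_entities": [
       {"identifier": "evil.example", "entity_type": "HOSTNAME",
        "is_internal": false, "is_suspicious": false},
       {"identifier": "", "entity_type": "USER"}
     ]}
  ]
}
""")

FLAG_KEYS = ("is_internal", "is_suspicious", "is_enriched", "is_vulnerable")


def top_level_entities(case):
    """What the question tried: the case dict has no top-level 'entities' key,
    so this is an empty list even for a case full of entities."""
    return case.get("entities", [])


def collect_case_entities(case):
    """Flatten case -> cyber_alerts -> domain_entities into one record per
    (identifier, entity_type), keeping first-seen order. Flags are OR-merged
    across alerts, so an entity marked suspicious in any alert stays so."""
    merged = {}
    for alert in case.get("cyber_alerts", []):
        for ent in alert.get("domain_entities", []):
            identifier, entity_type = ent.get("identifier"), ent.get("entity_type")
            if not identifier or not entity_type:
                continue  # skip malformed entries, as the solution does
            rec = merged.setdefault((identifier, entity_type), {
                "identifier": identifier, "entity_type": entity_type,
                **{k: False for k in FLAG_KEYS}})
            for k in FLAG_KEYS:
                rec[k] = rec[k] or bool(ent.get(k, False))
    return list(merged.values())
```

Each returned record carries the keyword values to pass to add_entity_to_case, so the copied entity keeps its source flags rather than arriving in the target case looking untouched.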