Hello everyone,
For compliance reasons, I need to back up the generated alerts from Google Chronicle along with the respective log entries associated with those events.
Could anyone point me to Google documentation or provide information on how to accomplish this?
Thank you.
Hey Zorghost,
I've recently built something which performs this for a compliance issue my side - and I achieved this by writing a Python script external to Siemplify and utilising the API.
The general flow of the script would be to establish the timeframe you are wanting to pull back cases for, then utilise the API endpoint:
/api/external/v1/search/CaseSearchEverything to retrieve a list of case IDs which satisfy the timeframe requirement.
Once you have the list of case IDs you can then iterate through the case IDs with the API endpoint:
/api/external/v1/dynamic-cases/GetCaseDetails/{caseId}
This will pull back a JSON with more detailed information about the case.
You can then format the data how you wish and save it in a format suitable for archive - you can also use other APIs if you wish in combination with the above if you require additional information.
For more documentation on API endpoints, please visit https://<YourSOARInstanceURL>/swagger/index.html as this is where API endpoints are documented complete with payload schemas.
Note - if you are going to be interacting with a high volume of cases, you may wish to build in some deliberate delay as Google Armor has a rate limit of 900 requests per minute (https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis)
Cheers
K
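An added example of the flow described in the answer above (search the window, fetch each case, archive it with a throttle under the 900 requests/minute limit); it is written for this thread, not K's own script. The two endpoint paths come from the answer; the AppKey header name, the startTime/endTime search body fields and the results/id response keys are assumptions to confirm on your instance's swagger page.

```python
import hashlib
import json
import time
import urllib.request
from pathlib import Path

SEARCH_PATH = "/api/external/v1/search/CaseSearchEverything"
DETAILS_PATH = "/api/external/v1/dynamic-cases/GetCaseDetails/{case_id}"
MAX_REQ_PER_MIN = 900  # rate limit quoted in the answer

class RateLimiter:
    """Spaces calls evenly so the client stays under max_per_minute."""
    def __init__(self, max_per_minute, sleep=time.sleep, clock=time.monotonic):
        self.interval = 60.0 / max_per_minute
        self._sleep, self._clock, self._last = sleep, clock, None
    def wait(self):
        now = self._clock()
        if self._last is not None and now - self._last < self.interval:
            self._sleep(self.interval - (now - self._last))
        self._last = self._clock()

def make_http_client(base_url, api_key):
    """call(method, path, body) -> parsed JSON; the AppKey header name is an assumption."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                     headers={"AppKey": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

def extract_case_ids(search_response):
    """'results' and 'id' are assumed response keys; confirm them on the swagger page."""
    return [int(item["id"]) for item in search_response.get("results", [])]

def archive_cases(call, start_iso, end_iso, out_dir, limiter=None):
    """Search the window, fetch each case, write one JSON per case plus a SHA-256 manifest."""
    limiter = limiter or RateLimiter(MAX_REQ_PER_MIN)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    limiter.wait()
    search_body = {"startTime": start_iso, "endTime": end_iso}  # field names assumed
    manifest = {}
    for case_id in extract_case_ids(call("POST", SEARCH_PATH, search_body)):
        limiter.wait()
        raw = json.dumps(call("GET", DETAILS_PATH.format(case_id=case_id)), indent=2, sort_keys=True)
        (out / f"case_{case_id}.json").write_text(raw)
        manifest[f"case_{case_id}.json"] = hashlib.sha256(raw.encode()).hexdigest()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest
```

The manifest of per-file SHA-256 digests lets the archive be verified later without re-querying the SOAR; run it as `archive_cases(make_http_client(base_url, key), start, end, "archive/")` with the injectable `call` replaced by a stub when testing offline.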