Case Created using create_case(case_info) but Alerts/Events Not Showing in Google SecOps

Hi everyone,

I'm using the Siemplify SOAR SDK to create a case in Google SecOps. The case is being created successfully, but the alerts and events are not showing up inside the case. Here is the code I'm using:

import json
from SiemplifyAction import SiemplifyAction
from SiemplifyConnectorsDataModel import AlertInfo

# Initialize the SiemplifyAction object
siemplify = SiemplifyAction()

# Create multiple events as dictionaries with necessary fields
event1 = {
    "identifier": "event_id_1",
    "name": "Event 1",
    "type": "Type of event",
    "severity": 30,
    "description": "Description of event 1"
}

event2 = {
    "identifier": "event_id_2",
    "name": "Event 2",
    "type": "Type of event",
    "severity": 50,
    "description": "Description of event 2"
}

# Create multiple AlertInfo objects and add events to them
alert1 = AlertInfo()
alert1.identifier = "alert_id_1"
alert1.name = "Alert 1"
alert1.type = "Type of alert"
alert1.severity = 40
alert1.description = "Description of alert 1"
alert1.events = [event1, event2]

alert2 = AlertInfo()
alert2.identifier = "alert_id_2"
alert2.name = "Alert 2"
alert2.type = "Type of alert"
alert2.severity = 60
alert2.description = "Description of alert 2"
alert2.events = [event1]

# Convert AlertInfo objects to dictionaries
alerts_info = [
    {
        "identifier": alert.identifier,
        "name": alert.name,
        "type": alert.type,
        "severity": alert.severity,
        "description": alert.description,
        "events": alert.events
    } for alert in [alert1, alert2]
]

# Create the case dictionary
case_info_dict = {
    "display_id": "New Case",
    "description": "Description of the case",
    "severity": 40,  # Severity level (e.g., 40 for medium)
    "name": "Case Name",
    "ticket_id": "Ticket123",
    "device_vendor": "VendorName",
    "rule_generator": "RuleName",
    "source_system_name": "SourceSystem",
    "alerts_info": alerts_info
}

# Create the case
siemplify.create_case(json.dumps(case_info_dict))

Has anyone encountered a similar issue or can provide guidance on what might be going wrong? Any help would be greatly appreciated!

Thanks in advance!


The issue is likely due to how the alerts_info data is being structured and passed to the siemplify.create_case method. The Siemplify SDK expects AlertInfo objects directly, not dictionaries, and the create_case method expects a dictionary, not a JSON string.

Solution:

  1. Pass AlertInfo objects directly: Instead of converting AlertInfo objects to dictionaries, include the AlertInfo objects directly within the alerts_info list in the case_info_dict.
  2. Pass the dictionary directly to create_case: Remove the json.dumps() function, and pass the case_info_dict dictionary directly to the siemplify.create_case function.

Example Code (Corrected): [screenshot attached]

Action Items:

  • Implement the code changes to pass AlertInfo objects directly and remove the json.dumps() call.
  • Verify that the alerts and events are now correctly displayed in the Google SecOps case.
  • If issues persist, check Siemplify logs and Google SecOps connector documentation, or reach back out to this community post.

Hope this helps!

Using the below, but it creates empty events. [screenshot attached]

Event --> view more [screenshot attached]

from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import output_handler
from ScriptResult import EXECUTION_STATE_COMPLETED
from SiemplifyConnectorsDataModel import CaseInfo

@output_handler
def main():
    # Initialize the SiemplifyAction object
    siemplify = SiemplifyAction()

    # Create multiple event dictionaries (flat key/value maps)
    event1 = {
        "identifier": "event_id_1",
        "name": "Event 1",
        "type": "Type of event",
        "severity": 40,
        "description": "Description of event 1"
    }

    event2 = {
        "identifier": "event_id_2",
        "name": "Event 2",
        "type": "Type of event",
        "severity": 60,
        "description": "Description of event 2"
    }

    # Create a CaseInfo object
    case_info = CaseInfo()
    case_info.display_id = "New Case-20250307-03"
    case_info.description = "Description of the case"
    case_info.severity = 40  # Severity level (e.g., 40 for medium)
    case_info.name = "Case Name 4"
    case_info.ticket_id = "Ticket-20250307-03"
    case_info.device_vendor = "VendorName"
    case_info.rule_generator = "RuleName-20250703-01"
    case_info.source_system_name = "SourceSystem"

    # Add the events to the case
    case_info.events = [event1, event2]

    # Convert CaseInfo object to dictionary
    case_info_dict = {
        "display_id": case_info.display_id,
        "description": case_info.description,
        "severity": case_info.severity,
        "name": case_info.name,
        "ticket_id": case_info.ticket_id,
        "device_vendor": case_info.device_vendor,
        "rule_generator": case_info.rule_generator,
        "source_system_name": case_info.source_system_name,
        "events": case_info.events
    }

    # Create the case
    siemplify.create_case(case_info_dict)

    siemplify.LOGGER.info("Case created")
    # Report the action's result and status back to the platform
    siemplify.end("Case created", True, EXECUTION_STATE_COMPLETED)

if __name__ == "__main__":
    main()

1. Which fields need to be included for proper mapping?
2. How do I find the logs corresponding to the action (not the connector)?

I've had better luck using the API for creating cases (especially with custom event fields): /api/external/v1/cases/CreateCase

You can view the payload schema in swagger: https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis

Any update on why this function is not working?

I think maybe the Events are in the wrong structure, looking at Swagger: [screenshot attached]

Here is my own Python to create the skeleton object

CREATECASE_PAYLOAD = {
    "Cases": [{
        "Events": [{
            "_fields": {
                "BaseEventIds": [],
                "ParentEventId": -1,
                "DeviceVendor": "Google",
                "DeviceProduct": "SecOps",
                "DeviceEventClassId": ""
            },
            "_rawDataFields": {
            }
        }],
        "Environment": None,
        "SourceSystemName": "Google SecOps",
        "TicketId": "",
        "Description": None,
        "DisplayId": "",
        "Reason": None,
        "Name": "_",
        "DeviceVendor": "Google",
        "DeviceProduct": "SecOps",
        "StartTime": "",
        "EndTime": "",
        "IsTestCase": False,
        "Priority": 25,
        "RuleGenerator": "",
        "Extensions": []
    }]
}

I then programmatically set each value. Note the last loop: this extends dynamic things inside Event0 only; you have Event0 and Event1, so please adapt as necessary.

import copy
import time

# environment, name, description, rulegenerator, alertname, obj and siemplify
# are the surrounding action's own variables.
epochns = int(time.time_ns())
uid = epochns

epochms = int(time.time() * 1000)
tmpPayload = copy.deepcopy(CREATECASE_PAYLOAD)
tmpPayload['Cases'][0]['TicketId'] = str(uid)
tmpPayload['Cases'][0]['DisplayId'] = str(uid)
tmpPayload['Cases'][0]['Environment'] = environment
tmpPayload['Cases'][0]['Name'] = name
tmpPayload['Cases'][0]['Description'] = description
# Same key spelling as the skeleton above; 'startTime'/'endTime' would add
# second keys instead of filling StartTime/EndTime
tmpPayload['Cases'][0]['StartTime'] = str(epochms)
tmpPayload['Cases'][0]['EndTime'] = str(epochms)
tmpPayload['Cases'][0]['RuleGenerator'] = rulegenerator
tmpPayload['Cases'][0]['Reason'] = 'test'
tmpPayload['Cases'][0]['Events'][0]['_fields']['DeviceEventClassId'] = alertname
tmpPayload['Cases'][0]['Events'][0]['_rawDataFields']["source_case"] = siemplify.case_id

# Copy every key/value of obj into Event0's raw data fields
for k, v in obj.items():
    tmpPayload['Cases'][0]['Events'][0]['_rawDataFields'][k] = v

Other notes: TicketId and DisplayId should be unique (here I'm lazy and use epoch+ms, but really I should be using uuid.uuid4()), otherwise you will push to the API, get a 200, but in post-processing the Alert will be dropped as a duplicate.

HTH?
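As an added example (not code from this thread, the SDK or Google), here is a stand-alone Python version of the API approach from the two replies above (the /api/external/v1/cases/CreateCase reply and the skeleton payload): the skeleton keeps the field names shown in the post, a builder fills one case with any number of events, each with its own _fields and _rawDataFields, and TicketId/DisplayId are a UUID4 instead of an epoch so that two cases built in the same millisecond cannot share an id and be dropped as duplicates after a 200. The helper names, the sample event values and the AppKey header used to carry the API key (taken from the SOAR API docs linked above, treat it as an assumption) are all this example's own; post_create_case is defined but not invoked, so the block runs offline.

```python
import copy
import json
import urllib.request
import uuid
from datetime import datetime, timezone

# Skeleton in the shape of the post above; empty/None fields are filled by
# build_create_case_payload(), and Events is filled per call.
CREATECASE_PAYLOAD = {
    "Cases": [{
        "Events": [],
        "Environment": None,
        "SourceSystemName": "Google SecOps",
        "TicketId": "",
        "Description": None,
        "DisplayId": "",
        "Reason": None,
        "Name": "_",
        "DeviceVendor": "Google",
        "DeviceProduct": "SecOps",
        "StartTime": "",
        "EndTime": "",
        "IsTestCase": False,
        "Priority": 25,
        "RuleGenerator": "",
        "Extensions": [],
    }]
}


def build_event(device_event_class_id, raw_fields, vendor="Google", product="SecOps"):
    """One event: fixed keys under _fields, free-form key/values under _rawDataFields."""
    return {
        "_fields": {
            "BaseEventIds": [],
            "ParentEventId": -1,
            "DeviceVendor": vendor,
            "DeviceProduct": product,
            "DeviceEventClassId": device_event_class_id,
        },
        "_rawDataFields": dict(raw_fields),
    }


def build_create_case_payload(name, description, environment, rule_generator,
                              events, reason=None, priority=25, case_id=None):
    """One case holding all `events`. TicketId and DisplayId share one UUID4, so
    cases built in the same millisecond cannot collide and be dropped as duplicates."""
    if not events:
        raise ValueError("a case needs at least one event")
    case_id = case_id or str(uuid.uuid4())
    now_ms = str(int(datetime.now(timezone.utc).timestamp() * 1000))
    payload = copy.deepcopy(CREATECASE_PAYLOAD)
    case = payload["Cases"][0]
    case.update({
        "TicketId": case_id,
        "DisplayId": case_id,
        "Environment": environment,
        "Name": name,
        "Description": description,
        "Reason": reason,
        "Priority": priority,
        "RuleGenerator": rule_generator,
        # Same spelling as the skeleton; 'startTime' would add a second key instead.
        "StartTime": now_ms,
        "EndTime": now_ms,
    })
    case["Events"] = [copy.deepcopy(e) for e in events]
    json.dumps(payload)  # fail here, not at the API, on a non-serialisable value
    return payload


def duplicate_case_ids(payloads):
    """DisplayIds used by more than one case across a batch of payloads."""
    seen, dupes = set(), set()
    for case in (c for p in payloads for c in p["Cases"]):
        (dupes if case["DisplayId"] in seen else seen).add(case["DisplayId"])
    return sorted(dupes)


def post_create_case(base_url, api_key, payload, timeout=30):
    """POST to /api/external/v1/cases/CreateCase. Assumption: the key goes in an
    AppKey header, as in the SOAR API docs linked above."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/external/v1/cases/CreateCase",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "AppKey": api_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    events = [  # constructed sample input: two events for one case
        build_event("Suspicious login", {"user": "alice", "src_ip": "203.0.113.7"}),
        build_event("Suspicious login", {"user": "alice", "src_ip": "198.51.100.9"}),
    ]
    body = build_create_case_payload("Impossible travel", "Two logins, two countries",
                                     "Default Environment", "impossible_travel", events)
    print(json.dumps(body, indent=2))
```

Run duplicate_case_ids over a batch before posting it; any id it returns is a case the API will acknowledge and then silently drop, which is exactly the failure mode described above.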