I am trying to create a job that helps me get all alerts from a specific product (Cortex XDR, for example) that were closed recently. This is what I have for the moment:
from SiemplifyJob import SiemplifyJob
from SiemplifyUtils import convert_datetime_to_unix_time
from datetime import datetime, timedelta


def main():
    siemplify = SiemplifyJob()

    # Only look at cases updated in the last X hours
    hours = 1
    threshold_time = datetime.utcnow() - timedelta(hours=hours)
    threshold_timestamp = convert_datetime_to_unix_time(threshold_time)  # epoch ms, same unit as the SDK timestamps

    recent_alerts = []
    case_ids = siemplify.get_cases_ids_by_filter(
        status="CLOSE",
        update_time_from_unix_time_in_ms=threshold_timestamp,
        sort_by="UPDATE_TIME",
        sort_order="DESC",
        max_results=1000
    )
    for case_id in case_ids:
        case = siemplify._get_case_by_id(case_id)
        for alert in case.get("cyber_alerts", []):
            product = alert.get("additional_properties", {}).get("DeviceProduct")
            mod_time = alert.get("modification_time")
            # keep alerts from this product that were modified inside the window
            if product == "Cortex XDR" and mod_time and mod_time > threshold_timestamp:
                recent_alerts.append(alert)

    siemplify.LOGGER.info(f"Found {len(recent_alerts)} closed Cortex XDR alerts recently modified.")


if __name__ == "__main__":
    main()
This code, however, only gets the alerts where the Device Product is "Cortex XDR" from the cases closed recently, and doesn't include the closed alerts from cases that are still open. I want to get all closed alerts that were recently closed (defined by the hours variable), both those in open cases and those in closed cases.
Is there any possible way to do this?
Any suggestions or best practices would be appreciated!
Thank you for your patience @mikelmi01. There isn't an SDK call that will present the alert status, but I did find an API endpoint that can help: /api/external/v1/dynamic-cases/GetCaseDetails/{caseId}. In the payload there will be a section for alerts with a status key. You can use this endpoint in your loop when inspecting open cases to see if they have any closed alerts.
Hi @mikelmi01
Great question! As I understand it, you need to extend the functionality of your job to include closed alerts within open cases. I'm not aware of an SDK method or API endpoint that will do this. My suggestion at a high level is to change the get_cases_ids_by_filter method to include both statuses. Then in your for loop, you can add logic to check the status of the alert inside open cases. Please let me know if this helps or if you have any other questions.
Thanks!
Hi @Kyle_M
Thanks for the response. However, what you suggest, changing the filter to both statuses and then getting the status, confuses me. If we go to the case we can easily check the status of each alert. For example, in this case we only have one alert and it's closed (which means that the case is closed):
However, I haven't found any method inside the job to get the status of the alerts. Is there any that might help me with this?
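The approach from the accepted answer, written out as an added example (this is not code from the thread, the Siemplify SDK, or Google): scan cases of both statuses that were updated inside the window, fetch each one through the GetCaseDetails endpoint, and keep only the alerts whose own status is closed, so closed alerts inside still-open cases are no longer missed. Everything about the response shape is an assumption, because the thread only says the payload has an alerts section with a status key: the list is assumed to be under "alerts", the closed value is assumed to be "CLOSE", the modification time is assumed to be epoch milliseconds, and the product is assumed to sit under additional_properties.DeviceProduct as in the job's existing code. siemplify.session (an authenticated requests.Session) and siemplify.API_ROOT (the /api base URL) are the SDK attributes this example assumes for the raw HTTP call; the sample payload at the bottom is constructed.

```python
from datetime import datetime, timedelta

# Value of the alert "status" key that means closed. The thread only says the
# key exists; the value is an ASSUMPTION, verify it against a real
# GetCaseDetails response from your instance before relying on it.
CLOSED_STATUS = "CLOSE"


def window_start_ms(hours, now=None):
    """Epoch milliseconds for 'now minus hours' (UTC), the same unit the SDK uses."""
    now = now or datetime.utcnow()
    start = now - timedelta(hours=hours)
    return int((start - datetime(1970, 1, 1)).total_seconds() * 1000)


def closed_alerts_in_window(case_details, product, threshold_ms, closed_status=CLOSED_STATUS):
    """Pick the alerts of one GetCaseDetails payload that are closed, belong to
    `product` and were modified at or after threshold_ms.

    The case status is never consulted, only each alert's own status, which is
    what makes this work for open and closed cases alike. Key names here are
    assumptions about the payload (see lead-in).
    """
    matches = []
    for alert in case_details.get("alerts", []):
        if alert.get("status") != closed_status:
            continue
        device_product = alert.get("additional_properties", {}).get("DeviceProduct")
        if device_product != product:
            continue
        mod_time = alert.get("modification_time")
        if mod_time is None or mod_time < threshold_ms:
            continue
        matches.append(alert)
    return matches


def fetch_case_details(session, api_root, case_id):
    """GET the endpoint named in the accepted answer with an authenticated
    session (assumed: siemplify.session, siemplify.API_ROOT)."""
    url = "{}/external/v1/dynamic-cases/GetCaseDetails/{}".format(api_root.rstrip("/"), case_id)
    response = session.get(url)
    response.raise_for_status()  # fail loudly on 401/403/404 rather than silently skipping the case
    return response.json()


def collect_recent_closed_alerts(siemplify, product, hours, closed_status=CLOSED_STATUS):
    """Scan OPEN and CLOSE cases updated in the window and return matching
    closed alerts, de-duplicated by alert identifier."""
    threshold_ms = window_start_ms(hours)
    found = {}
    for case_status in ("OPEN", "CLOSE"):
        case_ids = siemplify.get_cases_ids_by_filter(
            status=case_status,
            update_time_from_unix_time_in_ms=threshold_ms,
            sort_by="UPDATE_TIME",
            sort_order="DESC",
            max_results=1000,
        )
        for case_id in case_ids:
            details = fetch_case_details(siemplify.session, siemplify.API_ROOT, case_id)
            for alert in closed_alerts_in_window(details, product, threshold_ms, closed_status):
                key = alert.get("identifier", (case_id, alert.get("name")))
                found.setdefault(key, alert)
    return list(found.values())


# Constructed sample (not a real response): an OPEN case holding four alerts,
# of which exactly one is closed, recent and from the wanted product.
SAMPLE_THRESHOLD_MS = 1_700_000_000_000
SAMPLE_CASE_DETAILS = {
    "id": 42,
    "status": "OPEN",
    "alerts": [
        {"identifier": "a1", "status": "CLOSE", "modification_time": 1_700_000_100_000,
         "additional_properties": {"DeviceProduct": "Cortex XDR"}},   # match
        {"identifier": "a2", "status": "CLOSE", "modification_time": 1_699_999_000_000,
         "additional_properties": {"DeviceProduct": "Cortex XDR"}},   # closed, but before the window
        {"identifier": "a3", "status": "OPEN", "modification_time": 1_700_000_200_000,
         "additional_properties": {"DeviceProduct": "Cortex XDR"}},   # still open
        {"identifier": "a4", "status": "CLOSE", "modification_time": 1_700_000_300_000,
         "additional_properties": {"DeviceProduct": "Other EDR"}},    # other product
    ],
}


def main():
    # Imported here so the helpers above can be exercised outside the platform.
    from SiemplifyJob import SiemplifyJob
    siemplify = SiemplifyJob()
    alerts = collect_recent_closed_alerts(siemplify, product="Cortex XDR", hours=1)
    siemplify.LOGGER.info("Found {} recently closed Cortex XDR alerts".format(len(alerts)))


if __name__ == "__main__":
    main()
```

Two caveats a practitioner should keep in mind: max_results=1000 silently truncates if more than a thousand cases were updated in the window, so either page through the filter or shorten the window; and an alert's modification_time moves for reasons other than closing, so the check is "closed and touched recently", not "closed recently", unless the payload turns out to carry a dedicated close time.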