+2Hi,
Using playbooks in the SOAR I’m trying to retrieve all entities from an alert in a list (preferably) or dict that indicates not only the value but also a classification of the object.
For example, if the alert has an src.ip and a dst.ip generate a dict or list like {[1.1.1.1,ip],[2.2.2.2,ip]} or similar, but taking in account that an alert can have mail addresses, hashes, all kinds of entities.
Let’s see if someone can help me.
Best regards.
Best answer by AymanC
Hi
If you have ontology setup for the underlying events within an alert, it’ll automatically create entities and classify them as a certain entity type. You can then use ‘Get Case Data’ to return the entities in the case. This returns a JSON object.
Kind Regards,
Ayman
+14Hi
If you have ontology setup for the underlying events within an alert, it’ll automatically create entities and classify them as a certain entity type. You can then use ‘Get Case Data’ to return the entities in the case. This returns a JSON object.
Kind Regards,
Ayman
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
