Skip to main content

Hi everyone,

I'm using the Siemplify SOAR SDK to create a case in Google SecOps. The case is being created successfully, but the alerts and events are not showing up inside the case. Here is the code I'm using:

import json

from SiemplifyAction import SiemplifyAction

from SiemplifyConnectorsDataModel import AlertInfo



# Initialize the SiemplifyAction object

siemplify = SiemplifyAction()



# Create multiple events as dictionaries with necessary fields

event1 = {

    "identifier": "event_id_1",

    "name": "Event 1",

    "type": "Type of event",

    "severity": 30,

    "description": "Description of event 1"

}



event2 = {

    "identifier": "event_id_2",

    "name": "Event 2",

    "type": "Type of event",

    "severity": 50,

    "description": "Description of event 2"

}



# Create multiple AlertInfo objects and add events to them

alert1 = AlertInfo()

alert1.identifier = "alert_id_1"

alert1.name = "Alert 1"

alert1.type = "Type of alert"

alert1.severity = 40

alert1.description = "Description of alert 1"

alert1.events = [event1, event2]



alert2 = AlertInfo()

alert2.identifier = "alert_id_2"

alert2.name = "Alert 2"

alert2.type = "Type of alert"

alert2.severity = 60

alert2.description = "Description of alert 2"

alert2.events = [event1]



# Convert AlertInfo objects to dictionaries

alerts_info = [

    {

        "identifier": alert.identifier,

        "name": alert.name,

        "type": alert.type,

        "severity": alert.severity,

        "description": alert.description,

        "events": alert.events

    } for alert in [alert1, alert2]

]



# Create the case dictionary

case_info_dict = {

    "display_id": "New Case",

    "description": "Description of the case",

    "severity": 40,  # Severity level (e.g., 40 for medium)

    "name": "Case Name",

    "ticket_id": "Ticket123",

    "device_vendor": "VendorName",

    "rule_generator": "RuleName",

    "source_system_name": "SourceSystem",

    "alerts_info": alerts_info

}



# Create the case

siemplify.create_case(json.dumps(case_info_dict))

Has anyone encountered a similar issue or can provide guidance on what might be going wrong? Any help would be greatly appreciated!

Thanks in advance!

The issue is likely due to how the alerts_info data is being structured and passed to the siemplify.create_case method. The Siemplify SDK expects AlertInfo objects directly, not dictionaries, and the create_case method expects a dictionary, not a json string.


Solution:



  1. Pass AlertInfo objects directly: Instead of converting AlertInfo objects to dictionaries, include the AlertInfo objects directly within the alerts_info list in the case_info_dict.

  2. Pass the dictionary directly to create_case: Remove the json.dumps() function, and pass the case_info_dict dictionary directly to the siemplify.create_case function.


Example Code (Corrected):



Action Items:



  • Implement the code changes to pass AlertInfo objects directly and remove the json.dumps() call.

  • Verify that the alerts and events are now correctly displayed in the Google SecOps case.

  • If issues persist, check Siemplify logs and Google SecOps connector documentation, or reach back out to this community post.


Hope this helps! 


 


 

The issue is likely due to how the alerts_info data is being structured and passed to the siemplify.create_case method. The Siemplify SDK expects AlertInfo objects directly, not dictionaries, and the create_case method expects a dictionary, not a json string.


Solution:



  1. Pass AlertInfo objects directly: Instead of converting AlertInfo objects to dictionaries, include the AlertInfo objects directly within the alerts_info list in the case_info_dict.

  2. Pass the dictionary directly to create_case: Remove the json.dumps() function, and pass the case_info_dict dictionary directly to the siemplify.create_case function.


Example Code (Corrected):



Action Items:



  • Implement the code changes to pass AlertInfo objects directly and remove the json.dumps() call.

  • Verify that the alerts and events are now correctly displayed in the Google SecOps case.

  • If issues persist, check Siemplify logs and Google SecOps connector documentation, or reach back out to this community post.


Hope this helps! 


 


 


using below: but it creates empty events. 

Event --> view more

 

 

 

from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import unix_now, convert_unixtime_to_datetime, output_handler
from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED, EXECUTION_STATE_TIMEDOUT
from SiemplifyConnectorsDataModel import CaseInfo
from datetime import datetime

@output_handler
def main():
# Initialize the SiemplifyAction object
siemplify = SiemplifyAction()
current_time = datetime.utcnow()

# Create multiple event dictionaries
event1 = {
"identifier": "event_id_1",
"name": "Event 1",
"type": "Type of event",
"severity": 40,
"description": "Description of event 1"
}

event2 = {
"identifier": "event_id_2",
"name": "Event 2",
"type": "Type of event",
"severity": 60,
"description": "Description of event 2"
}

# Create a CaseInfo object
case_info = CaseInfo()
case_info.display_id = "New Case-20250307-03"
case_info.description = "Description of the case"
case_info.severity = 40 # Severity level (e.g., 40 for medium)
case_info.name = "Case Name 4"
case_info.ticket_id = "Ticket-20250307-03"
case_info.device_vendor = "VendorName"
case_info.rule_generator = "RuleName-20250703-01"
case_info.source_system_name = "SourceSystem"

# Add the events to the case
case_info.events = [event1, event2]

# Convert CaseInfo object to dictionary
case_info_dict = {
"display_id": case_info.display_id,
"description": case_info.description,
"severity": case_info.severity,
"name": case_info.name,
"ticket_id": case_info.ticket_id,
"device_vendor": case_info.device_vendor,
"rule_generator": case_info.rule_generator,
"source_system_name": case_info.source_system_name,
"events": case_info.events
}

# Create the case
siemplify.create_case(case_info_dict)

siemplify.LOGGER.info("Case created")

if __name__ == "__main__":
main()

 

 


1. Which fields to be included for proper mapping
2. how to find logs corresponding to the action (not connector)

using below: but it creates empty events. 

Event --> view more

 

 

 

from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import unix_now, convert_unixtime_to_datetime, output_handler
from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED, EXECUTION_STATE_TIMEDOUT
from SiemplifyConnectorsDataModel import CaseInfo
from datetime import datetime

@output_handler
def main():
# Initialize the SiemplifyAction object
siemplify = SiemplifyAction()
current_time = datetime.utcnow()

# Create multiple event dictionaries
event1 = {
"identifier": "event_id_1",
"name": "Event 1",
"type": "Type of event",
"severity": 40,
"description": "Description of event 1"
}

event2 = {
"identifier": "event_id_2",
"name": "Event 2",
"type": "Type of event",
"severity": 60,
"description": "Description of event 2"
}

# Create a CaseInfo object
case_info = CaseInfo()
case_info.display_id = "New Case-20250307-03"
case_info.description = "Description of the case"
case_info.severity = 40 # Severity level (e.g., 40 for medium)
case_info.name = "Case Name 4"
case_info.ticket_id = "Ticket-20250307-03"
case_info.device_vendor = "VendorName"
case_info.rule_generator = "RuleName-20250703-01"
case_info.source_system_name = "SourceSystem"

# Add the events to the case
case_info.events = [event1, event2]

# Convert CaseInfo object to dictionary
case_info_dict = {
"display_id": case_info.display_id,
"description": case_info.description,
"severity": case_info.severity,
"name": case_info.name,
"ticket_id": case_info.ticket_id,
"device_vendor": case_info.device_vendor,
"rule_generator": case_info.rule_generator,
"source_system_name": case_info.source_system_name,
"events": case_info.events
}

# Create the case
siemplify.create_case(case_info_dict)

siemplify.LOGGER.info("Case created")

if __name__ == "__main__":
main()

 

 


1. Which fields to be included for proper mapping
2. how to find logs corresponding to the action (not connector)

I've had better luck using the API for creating cases (especially with custom event fields): /api/external/v1/cases/CreateCase

You can view the payload schema in swagger: https://cloud.google.com/chronicle/docs/soar/reference/working-with-chronicle-soar-apis

The issue is likely due to how the alerts_info data is being structured and passed to the siemplify.create_case method. The Siemplify SDK expects AlertInfo objects directly, not dictionaries, and the create_case method expects a dictionary, not a json string.


Solution:



  1. Pass AlertInfo objects directly: Instead of converting AlertInfo objects to dictionaries, include the AlertInfo objects directly within the alerts_info list in the case_info_dict.

  2. Pass the dictionary directly to create_case: Remove the json.dumps() function, and pass the case_info_dict dictionary directly to the siemplify.create_case function.


Example Code (Corrected):



Action Items:



  • Implement the code changes to pass AlertInfo objects directly and remove the json.dumps() call.

  • Verify that the alerts and events are now correctly displayed in the Google SecOps case.

  • If issues persist, check Siemplify logs and Google SecOps connector documentation, or reach back out to this community post.


Hope this helps! 


 


 


any update why this function is not working ??

any update why this function is not working ??


I think maybe the Events are in the wrong structure, looking at Swagger



Here is my own Python to create the skeleton object


CREATECASE_PAYLOAD = {
"Cases": [{
"Events": [{
"_fields": {
"BaseEventIds": [],
"ParentEventId": -1,
"DeviceVendor": "Google",
"DeviceProduct": "SecOps",
"DeviceEventClassId": ""
},
"_rawDataFields": {
}
}],
"Environment": None,
"SourceSystemName": "Google SecOps",
"TicketId": "",
"Description": None,
"DisplayId": "",
"Reason": None,
"Name": "_",
"DeviceVendor": "Google",
"DeviceProduct": "SecOps",
"StartTime": "",
"EndTime": "",
"IsTestCase": False,
"Priority": 25,
"RuleGenerator": "",
"Extensions": []
}]
}

I then programatically set each value.  Note the last loop, this is extending dynamic things inside Event0 only, you have Event0 and Event1 so please adapt as necessary


epochns = int(time.time_ns())
uid = epochns

epochms = int(time.time() * 1000)
tmpPayload = copy.deepcopy(CREATECASE_PAYLOAD)
tmpPayload['Cases'][0]['TicketId'] = str(uid)
tmpPayload['Cases'][0]['DisplayId'] = str(uid)
tmpPayload['Cases'][0]['Environment'] = environment
tmpPayload['Cases'][0]['Name'] = name
tmpPayload['Cases'][0]['Description'] = description
tmpPayload['Cases'][0]['startTime'] = str(epochms)
tmpPayload['Cases'][0]['endTime'] = str(epochms)
tmpPayload['Cases'][0]['RuleGenerator'] = rulegenerator
tmpPayload['Cases'][0]['Reason'] = 'test'
tmpPayload['Cases'][0]['Events'][0]['_fields']['DeviceEventClassId'] = alertname
tmpPayload['Cases'][0]['Events'][0]['_rawDataFields']["source_case"] = siemplify.case_id

for k, v in obj.items():
tmpPayload['Cases'][0]['Events'][0]['_rawDataFields'][k] = v

Other notes: TicketId and DisplayID should be unique (here I'm lazy and use a epoch+ms, but really I should be using uuid.uuid64() ), otherwise you will push to API, get a 200, but in post processing the Alert will be dropped as a duplicate. 

HTH?


 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.