I’m trying to build a dashboard for SOAR Case Data.
I couldn’t find a field in the `case_history` object that will allow me to filter by the environment name. Any suggestions?
Question
Filter by the SOAR Environment Name in the Case History dataset from Dashboards
+5To filter by environment name in Google SecOps SOAR (formerly Siemplify), you typically will not find the field directly within the case_history object itself.
Instead, you must reference the Environment field located on the associated Case object.
Since the Case History is a child dataset of the Case, you must join or reference the parent Case to filter by environment. The exact path depends on where you are performing the search:
// Example logic (pseudocode for Dashboard builder)
match:
$case_id = case.name
$env = case.environment // <--- Use this field
$history = case_history.case_id
outcome:
$current_environment = array_distinct($env)
+9- Silver 2
Or at least, this feature is not enabled on my instance.
- Bronze 1
Or at least, this feature is not enabled on my instance.
Unfortunately, you are currently unable to join case and case_history, which seems like a significant flaw as there are many use cases where you may need to reference both the case details and it’s history.
Additionally, you cannot currently apply dashboard filters to multi-stage queries, which means that even if you create a query with datasets you can join there is no easy way to quickly update all charts or graphs on a dashboard with just one filter.
Will it be possible to join the datasets and apply filters to multi-stage queries in the future?
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.