Is there a method to get the SIEM alerts from the last X hours for a user using a SOAR Action in a playbook?
“Lookup similar alerts” doesn’t seem to be very helpful…

Hi
Does the underlying alert you’re trying to use this action from derive from a case picked up from the ‘Chronicle Alerts Connector’? If not, it wouldn’t work. But regardless, I think this action uses the endpoint /v1/alert/listalerts which was deprecated in July 2025 [1].
[1] - https://cloud.google.com/chronicle/docs/reference/search-api#listalerts_deprecated
I’m not sure of any direct alternative way to achieve what you’re doing from an alert’s ‘event’ identifier, but if you are able to, create an entity (for example the principal user id), and then use the /v1/entity-search/entities endpoint to search for that entity value for similar cases. You can then look to use the /v1/dynamic-cases/GetCaseDetails/{caseId} endpoint to identify all of the alert identifiers for a case.
An alternative way would be to loop through all of the CaseIds using the GetCaseDetails, and then identify within ‘fieldsGroups’, ‘item’ values that match the value you’re trying to identify, and use the ‘ticketId’ value to identify the alert id.
Hope it helps!
Kind Regards,
Ayman
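A sketch of the second approach in the reply above, added here as an example; it is not code from the thread or from Google. Only `fieldsGroups`, `ticketId` and the GetCaseDetails endpoint come from the post; the nesting of the sample response and the names `ticket_ids_for_value` and `SAMPLE_CASE` are assumptions, and fetching the case JSON is left out.

```python
# Assumption: each alert object in a GetCaseDetails response carries a
# 'ticketId' and a 'fieldsGroups' list. The exact nesting is not given in the
# thread, so the walkers below search recursively instead of relying on it.

def _scalars(node):
    """Yield every scalar value found anywhere under node, as a string."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _scalars(v)
    elif isinstance(node, list):
        for v in node:
            yield from _scalars(v)
    elif node is not None:
        yield str(node)

def _alerts(node):
    """Yield every dict that has both 'ticketId' and 'fieldsGroups'."""
    if isinstance(node, dict):
        if "ticketId" in node and "fieldsGroups" in node:
            yield node
            return
        for v in node.values():
            yield from _alerts(v)
    elif isinstance(node, list):
        for v in node:
            yield from _alerts(v)

def ticket_ids_for_value(case_details, wanted):
    """Return ticketIds of alerts whose fieldsGroups hold `wanted` (exact, case-insensitive)."""
    wanted = wanted.strip().lower()
    hits = []
    for alert in _alerts(case_details):
        values = {v.strip().lower() for v in _scalars(alert["fieldsGroups"])}
        if wanted in values and alert["ticketId"] not in hits:
            hits.append(alert["ticketId"])
    return hits

# Constructed sample, not a real API response.
SAMPLE_CASE = {"id": 101, "alerts": [
    {"ticketId": "ALERT-A", "fieldsGroups": [
        {"groupName": "Principal", "items": [{"name": "user", "value": "jdoe@example.com"}]}]},
    {"ticketId": "ALERT-B", "fieldsGroups": [
        {"groupName": "Principal", "items": [{"name": "user", "value": "asmith@example.com"}]}]},
    {"ticketId": "ALERT-C", "fieldsGroups": [
        {"groupName": "Target", "items": [{"name": "user", "value": "JDoe@example.com"}]}]},
]}
```

Run it over each case's details in turn and collect the returned identifiers; restricting to the last X hours would additionally need a timestamp field from the real response, which the thread does not name.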
Thanks Ayman, but I was looking into some prebuilt action available in the Chronicle integration.