
I am attempting to use the marketplace action "Get similar cases" and limit the "Entities" parameter to a custom group of entities against which I want the action to run. I have created two custom groups, one with all the URL entities and the other with all the email subject entities, and I use each against a separate instance of the action.

However, the action has inconsistent results between different cases and entities - sometimes it works as intended, but other times it finds common IP addresses with other cases even if the IP address entities are not in the custom group of entities. Sometimes, the action that should only be using email subjects matches against common URLs. Anyone use this action successfully? Anyone know if this is a bug or somehow intended functionality?

Can you provide images of the Action setup please, along with a safe image of some example output

Thanks



As you can see the target entities for the action are only URLs and email subject entities, yet the matched entities are on domains and useruniquenames entities.




Thanks Donkos


I think this attribute considers *all* entities in this case, and does not consider the entity dropdown subselector. 

The IDE shows that "get similar cases" calls this SDK, which only accepts a bool, and not an entity input
https://cloud.google.com/chronicle/docs/soar/reference/siemplify-module#get_similar_cases


For your use case you might need an Action (custom?) to use the main search API, either the case search for "entity: google.com" or the Entity search, depending on the outcome you are after


For your API guide go to:
Soar_url/swagger/index.html


To develop a real body post payload, I suggest crafting it in the UI to get the results you are happy with, then inspect in browser tools to copy/paste the payload out (this API isn't best understood from the swagger file)



HTH


Andy
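An added example, not code from the thread, from the marketplace action, or from the Chronicle SOAR SDK. It shows the difference between the behaviour reported above (matching on every entity in the case) and the behaviour the poster expected (matching only on entities in a chosen custom group), as plain Python that a custom action could apply to results it has already fetched. The case records, identifiers and the entity type strings (URL, EMAILSUBJECT, ADDRESS, DOMAIN, USERUNIQUENAME) are constructed sample data and assumed spellings, not taken from the product; how to fetch candidate cases from the search API is left out because this page does not document that endpoint.

```python
# Added example, not part of the original thread or the SOAR SDK.
# Compares cases by shared entities, optionally restricted to the entity
# types in a custom group. All case data below is constructed sample input
# and the entity type names are assumed spellings.

from dataclasses import dataclass, field


@dataclass
class Entity:
    identifier: str
    entity_type: str


@dataclass
class Case:
    case_id: int
    entities: list = field(default_factory=list)


# Custom groups as described in the question: one for URLs, one for email subjects.
URL_GROUP = {"URL"}
EMAIL_SUBJECT_GROUP = {"EMAILSUBJECT"}


def normalize(entity):
    # Case-insensitive comparison so "Invoice overdue" and "invoice overdue" match.
    return (entity.entity_type.upper(), entity.identifier.strip().lower())


def shared_entities(case_a, case_b, allowed_types=None):
    """Entities present in both cases.

    allowed_types=None mirrors the reported behaviour (every entity type is
    compared); a set of type names restricts the comparison to those types.
    """
    def keyset(case):
        return {
            normalize(e) for e in case.entities
            if allowed_types is None or e.entity_type.upper() in allowed_types
        }
    return sorted(keyset(case_a) & keyset(case_b))


def similar_cases(target, candidates, allowed_types=None):
    """Candidates sharing at least one allowed entity with target, most overlap first."""
    results = []
    for candidate in candidates:
        if candidate.case_id == target.case_id:
            continue
        common = shared_entities(target, candidate, allowed_types)
        if common:
            results.append((candidate.case_id, common))
    results.sort(key=lambda r: (-len(r[1]), r[0]))
    return results


# Constructed sample cases (hypothetical identifiers).
CASE_100 = Case(100, [
    Entity("http://example.test/login", "URL"),
    Entity("Invoice overdue", "EMAILSUBJECT"),
    Entity("198.51.100.7", "ADDRESS"),
    Entity("example.test", "DOMAIN"),
])
CASE_200 = Case(200, [Entity("198.51.100.7", "ADDRESS"), Entity("example.test", "DOMAIN")])
CASE_300 = Case(300, [Entity("http://example.test/login", "URL"), Entity("jdoe", "USERUNIQUENAME")])
CASE_400 = Case(400, [Entity("invoice overdue", "EMAILSUBJECT")])
CANDIDATES = [CASE_200, CASE_300, CASE_400]


if __name__ == "__main__":
    # Unrestricted: case 200 matches on ADDRESS and DOMAIN even though neither
    # type is in either custom group, which is the surprising result reported above.
    print("all entities:", similar_cases(CASE_100, CANDIDATES))
    print("URL group:", similar_cases(CASE_100, CANDIDATES, URL_GROUP))
    print("email subject group:", similar_cases(CASE_100, CANDIDATES, EMAIL_SUBJECT_GROUP))
```

With no type restriction, case 200 ranks first on an IP address and a domain, which is the kind of match the poster saw despite scoping the action to URLs. Passing the custom group's types produces only the URL match (case 300) or only the email subject match (case 400). In a custom action the candidates would come from the search call Andy describes, with this post-filter applied to whatever that call returns.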

