
UDM query:

security_result.action = "BLOCK" AND
metadata.log_type = "OFFICE_365" AND
principal.user.email_addresses = "Example@gmail.COM" AND
principal.user.email_addresses = $email_address
match:
  $email_address
outcome:
  $c = count($email_address)

 

Note: This UDM query gives results in SIEM search, but when I execute the same UDM query in a SOAR action it gives an error.

Also, how to fetch events for 40 days?

 

Hello - This is not supported yet through the API. This is on the roadmap but does not yet have a landing date.

As for the 40 days, are you talking SIEM or SOAR?


 




In SOAR, for 40 days I guess we should use custom.

 




Yes I believe custom is the answer. 




Yes…use that.



Thank you,
DN 




Again, to get the start time for the UDM query we need to write a custom action to get the date 40 days back, and the stop time will be the alert generated time, since there is no dropdown to select the desired date.


You could just run the query

security_result.action = "BLOCK" AND
metadata.log_type = "OFFICE_365" AND
principal.user.email_addresses = "Example@gmail.COM"

and then use the picker within the UDM function to provide you a count.


If zero results, i.e. no JSON result, then the UDM query to count placeholder won't be resolved. Just try it with no UDM events.




Correct. I take the output into the IF state, and if you have the JSON response verbiage, set it as 0 found in the IF statement for your logic. I do this with emails also for phishing, but I want to know for Not = Blocked. If JSON response, then all are blocked and I can auto-close. If 1-5 found then I take X actions. If > 5, escalate.


Example for an IP search that I run




@vanitharaj1208 As you say, you can develop the action in Python yourself. But you can also create a playbook block to achieve it using the built-in SOAR functions. As input you have the number of days you want to look back (days_back).

  1. String functions: convert string (days_back) to int
  2. Math arithmetic functions: multiply (int * 86400)
  3. Get current timestamp
  4. Calculate the timestamp back by using the convert time format function (with the delta you calculated before and the current timestamp as input)
  5. Return the timestamp back as block output

You just have to pay attention to the correct time zones.
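One way to implement the days_back window from the steps above in a custom Python action, together with the zero-result handling from the earlier replies (no JSON result means zero events, not an error), as an added example that is not code from this thread or from the product; it assumes ISO-8601/RFC3339 alert timestamps and a window expressed in epoch seconds:

```python
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400  # the "multiply int * 86400" step of the playbook block


def parse_alert_time(value: str) -> datetime:
    """Parse an alert time; a string without an offset is assumed (here) to be UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)  # normalise so the epoch math is zone-safe


def search_window(alert_time: str, days_back: str) -> dict:
    """Start/end of a days_back window ending at the alert time, as epoch seconds and RFC3339."""
    days = int(days_back)  # the "convert string to int" step
    if days <= 0:
        raise ValueError("days_back must be a positive number of days")
    end = parse_alert_time(alert_time)
    start = end - timedelta(seconds=days * SECONDS_PER_DAY)
    return {
        "start_epoch": int(start.timestamp()),
        "end_epoch": int(end.timestamp()),
        "start_rfc3339": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "end_rfc3339": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def count_events(result) -> int:
    """Count returned UDM events; a missing or empty JSON result is zero, not an error."""
    if not result:
        return 0
    if isinstance(result, dict):
        return len(result.get("events") or [])
    return len(result)


def triage(count: int) -> str:
    """Bucket the count the way the earlier reply's IF logic does."""
    if count == 0:
        return "autoclose"   # no events found, i.e. everything was blocked
    if count <= 5:
        return "act"         # 1-5 found: take the X actions
    return "escalate"        # more than 5 found


if __name__ == "__main__":
    # Constructed sample input: an alert at noon UTC with a 40-day lookback
    print(search_window("2024-03-01T12:00:00Z", "40"), triage(count_events(None)))
```
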




Yes, I have created a custom action to get the back time ... based on days.

