
Hi there!
I had been working on a custom action script inside of Google SecOps that would close cases using an action parameter that specifies a case id. I attempted to modify the Close Case action that is already a part of the Siemplify integration, but have been unsuccessful in getting it to work.

Here is a general version of my current setup:

from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import output_handler
from consts import CLOSE_CASE_REASON_MAPPING


@output_handler
def main():
    siemplify = SiemplifyAction()

    # The case to close comes from the action's own "Case ID" parameter
    case_id = siemplify.parameters["Case ID"]
    target_case = siemplify._get_case_by_id(case_id)

    root_cause = siemplify.parameters["Root Cause"]
    comment = siemplify.parameters["Comment"]
    reason = siemplify.parameters["Reason"]

    siemplify.close_case(
        root_cause=root_cause,
        comment=comment,
        reason=CLOSE_CASE_REASON_MAPPING.get(reason) or reason,
        case_id="1576",  # explicit case id passed to close_case (hard-coded in this example)
    )


if __name__ == "__main__":
    main()

When attempting to run this code in Testing, it gets the correct case, but upon reaching siemplify.close_case, it always closes the case selected in the "Test case" parameter. I'm unsure about what the issue is here, perhaps case_id does not correspond directly to the ids we see in the Cases view? Any help would be greatly appreciated, thanks!

Looks like a bug. From the SDK documentation (https://cloud.google.com/chronicle/docs/soar/reference/siemplify-action-module#close-case-siemplify-action), your implementation is correct.

The SiemplifyAction class has a built-in context of the current case and alert where the action runs (the test case when you test your action). It looks like that context is overriding the case id passed explicitly in your code. I recommend opening a support ticket to have the method reviewed.

You can try using the API instead. Look at the example below:


from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import output_handler

from consts import CLOSE_CASE_REASON_MAPPING


@output_handler
def main():
    siemplify = SiemplifyAction()

    root_cause = siemplify.parameters["Root Cause"]
    comment = siemplify.parameters["Comment"]
    reason = siemplify.parameters["Reason"]
    case_id = siemplify.parameters["Case ID"]

    # Call the platform's bulk-close endpoint directly instead of close_case(),
    # reusing the SDK's authenticated session and API root
    url = f"{siemplify.API_ROOT}/external/v1/cases-queue/bulk-operations/ExecuteBulkCloseCase"
    body = {
        "casesIds": [case_id],  # a list, so several cases can be closed in one call
        "closeComment": comment,
        "closeReason": CLOSE_CASE_REASON_MAPPING.get(reason) or reason,
        "rootCause": root_cause,
    }
    r = siemplify.session.post(url, json=body)
    r.raise_for_status()  # fail the action on a non-2xx response
    status_result = True

    output_message = (
        f"The case was closed.\n Root Cause: {root_cause}\n Comment: {comment}\n Reason: {reason}"
    )
    siemplify.end(output_message, status_result)


if __name__ == "__main__":
    main()



It also has the advantage that you can use the API to close multiple cases at once.
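As an added example (not part of the reply above and not the Siemplify integration's own code), here is the bulk-close call generalised to several case ids, which is the advantage the reply mentions. It assumes a "Case IDs" action parameter holding a comma- or whitespace-separated list of numeric case ids (the original action takes a single "Case ID"), the endpoint and body keys shown in the reply, a stand-in CLOSE_CASE_REASON_MAPPING in place of the integration's consts module, an invented API root, and a FakeSession that stands in for siemplify.session so the script runs offline; inside a real action you would pass siemplify.session and siemplify.API_ROOT to bulk_close_cases().

```python
"""Bulk-close several Google SecOps / Siemplify cases through the external API.

Added example, not from the original post. Assumptions (labelled):
  * a "Case IDs" parameter with a comma/whitespace-separated list of numeric ids;
  * POST {API_ROOT}/external/v1/cases-queue/bulk-operations/ExecuteBulkCloseCase
    with body keys casesIds / closeComment / closeReason / rootCause;
  * CLOSE_CASE_REASON_MAPPING below is a stand-in for consts.CLOSE_CASE_REASON_MAPPING;
  * FakeSession and the example API root exist only so this runs offline.
"""
import re

# Stand-in for consts.CLOSE_CASE_REASON_MAPPING (assumed values, for illustration only).
CLOSE_CASE_REASON_MAPPING = {"Malicious": 0, "NotMalicious": 1, "Maintenance": 2, "Inconclusive": 3}

BULK_CLOSE_PATH = "/external/v1/cases-queue/bulk-operations/ExecuteBulkCloseCase"


def parse_case_ids(raw):
    """Turn '1576, 1577 1576' into [1576, 1577]: digits only, order kept, duplicates dropped.

    Raises ValueError on any token that is not a positive integer, so a stray
    value in the action parameter fails loudly instead of being sent to the API.
    """
    case_ids = []
    for token in re.split(r"[,\s]+", raw.strip()):
        if not token:
            continue
        if not token.isdigit():
            raise ValueError(f"invalid case id: {token!r}")
        case_id = int(token)
        if case_id not in case_ids:
            case_ids.append(case_id)
    if not case_ids:
        raise ValueError("no case ids given")
    return case_ids


def map_close_reason(reason):
    """Map a reason name to the platform code; unknown values pass through unchanged.

    Uses a default argument rather than `.get(reason) or reason` so that a
    mapped value of 0 is not discarded as falsy.
    """
    return CLOSE_CASE_REASON_MAPPING.get(reason, reason)


def build_bulk_close_body(case_ids, comment, reason, root_cause):
    """Request body for ExecuteBulkCloseCase, keyed as in the reply above."""
    return {
        "casesIds": list(case_ids),
        "closeComment": comment,
        "closeReason": map_close_reason(reason),
        "rootCause": root_cause,
    }


def bulk_close_cases(session, api_root, case_ids, comment, reason, root_cause):
    """POST the bulk close and return the body that was sent.

    `session` is any object with a requests-style .post(url, json=...) whose
    response has .raise_for_status(); in an action use siemplify.session and
    siemplify.API_ROOT.
    """
    body = build_bulk_close_body(case_ids, comment, reason, root_cause)
    response = session.post(api_root.rstrip("/") + BULK_CLOSE_PATH, json=body)
    response.raise_for_status()  # surface HTTP errors instead of reporting success
    return body


class FakeSession:
    """Constructed stand-in for siemplify.session; records calls and never hits the network."""

    def __init__(self):
        self.calls = []

    def post(self, url, json=None):
        self.calls.append((url, json))

        class _Response:
            def raise_for_status(self):
                pass

        return _Response()


if __name__ == "__main__":
    session = FakeSession()
    sent = bulk_close_cases(
        session,
        "https://soar.example.invalid",  # assumed API root, stands in for siemplify.API_ROOT
        parse_case_ids("1576, 1577, 1576"),
        "Closed by bulk action",
        "Malicious",
        "Other",
    )
    print(session.calls[0][0])
    print(sent)
```

Two points worth keeping from this version: the id list is validated before anything is posted, and the reason lookup uses `.get(reason, reason)` because with `.get(reason) or reason` a reason that maps to 0 would silently be replaced by its name.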


