Solved

Jobs attach action, block or playbook to case/alert

  • January 28, 2026

AnimSparrow

Hello,

I’ve searched for this answer for more than 2 weeks.

Is there any way to use jobs (or another feature of SOAR) to attach an action/block/playbook to a case/alert at a particular time or in a particular situation?

 

Example scenario

I have jobs that check for updates on a ServiceNow ticket, and besides gathering information, sending direct updates in SNOW, sending emails and so on, I would like to also attach a playbook for the other multiple actions that we would like to proceed with, instead of coding it all via managers.

Any advice? It is very simple to do with the siemplify.action library, while for some reason .jobs doesn’t allow it. Thanks in advance!


ylandovskyy
Staff
  • Answer
  • January 29, 2026

Hey ​@AnimSparrow ,

Replied in this post.


AnimSparrow
  • Author
  • January 29, 2026

It works.

I went with:

from SiemplifyJob import SiemplifyJob
from SiemplifyUtils import output_handler
from GoogleSOARManager import GoogleSOARManager

INTEGRATION_NAME = "CUSTOM_INTEGRATION"
SCRIPT_NAME = "AttachPlaybookToCaseJob"


@output_handler
def main():
    siemplify = SiemplifyJob()
    siemplify.script_name = SCRIPT_NAME
    logger = siemplify.LOGGER

    # Hard-coded target case, environment and playbook name
    target_case_id = 8586
    environment = "XXX"
    playbook_to_attach = "XXXXXX"

    try:
        GSM = GoogleSOARManager(siemplify, environment)

        # Result is keyed by case ID
        case_details = GSM.fetch_case_details([target_case_id])

        if target_case_id in case_details:
            case_data = case_details[target_case_id]
            logger.info(f"Found {target_case_id}.")

            # A playbook is attached to an alert inside the case, so at least one alert is needed
            alerts = case_data.get('cyber_alerts', [])
            if not alerts:
                logger.error("No alerts")
                siemplify.end_script()
                return

            # Use the first alert of the case as the attachment target
            target_alert = alerts[0]
            alert_identifier = target_alert.get('identifier')
            # Read for reference only; not used below
            alert_group_id = target_alert.get('additional_properties', {}).get('AlertGroupIdentifier')

            logger.info(f"Trying to attach '{playbook_to_attach}' to alert: {alert_identifier}")

            try:
                siemplify.attach_workflow_to_case(
                    playbook_to_attach,
                    cyber_case_id=target_case_id,
                    indicator_identifier=alert_identifier,
                )
                logger.info(f"Playbook {playbook_to_attach} attached.")
            except Exception as wf_e:
                logger.error(f"Error in siemplify.attach_workflow_to_case: {wf_e}")
                # Fallback: retry the same call with positional arguments
                siemplify.attach_workflow_to_case(playbook_to_attach, target_case_id, alert_identifier)

        else:
            logger.warning(f"Case {target_case_id} not found.")

    except Exception as e:
        # Log and re-raise so the job run is reported as failed
        logger.error(f"Error: {str(e)}")
        raise

    siemplify.end_script()


if __name__ == "__main__":
    main()
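
Added example, not part of the original post or of the SOAR SDK: a job runs on a schedule, so this sketch generalizes the snippet above to attach a playbook only when a condition holds and only once per alert. The function names, the `ticket_state` field and the in-memory `already_done` set are assumptions; the `attach` callable takes the same positional arguments as the `siemplify.attach_workflow_to_case(playbook, case_id, alert_identifier)` call in the post.

```python
from typing import Callable, Dict, List, Set, Tuple

Attachment = Tuple[int, str]  # (case_id, alert_identifier)


def plan_attachments(case_details: Dict[int, dict],
                     should_attach: Callable[[dict, dict], bool],
                     already_done: Set[Attachment]) -> List[Attachment]:
    """Return (case_id, alert_identifier) pairs that match the condition
    and were not handled by a previous run of the job."""
    plan = []
    for case_id, case in sorted(case_details.items()):
        for alert in case.get("cyber_alerts", []):
            ident = alert.get("identifier")
            if not ident:
                continue  # an alert without an identifier cannot be targeted
            key = (case_id, ident)
            if key not in already_done and should_attach(case, alert):
                plan.append(key)
    return plan


def run_attachments(plan, attach, playbook, already_done, log=print):
    """Call attach(playbook, case_id, alert_identifier) for each planned pair.
    One failure does not stop the rest; only successes are recorded."""
    failed = []
    for case_id, ident in plan:
        try:
            attach(playbook, case_id, ident)
            already_done.add((case_id, ident))
        except Exception as exc:
            log(f"attach failed for case {case_id}, alert {ident}: {exc}")
            failed.append((case_id, ident))
    return failed


# Constructed sample data in the shape the job above reads ("ticket_state" is hypothetical).
SAMPLE_CASES = {
    8586: {"ticket_state": "resolved",
           "cyber_alerts": [{"identifier": "ALERT-A"}, {"identifier": "ALERT-B"}]},
    8590: {"ticket_state": "open", "cyber_alerts": [{"identifier": "ALERT-C"}]},
    8591: {"ticket_state": "resolved", "cyber_alerts": []},
}


def ticket_resolved(case, alert):
    """Example condition: attach only once the linked ticket is resolved."""
    return case.get("ticket_state") == "resolved"
```

In a real job the `already_done` set has to be persisted between runs, otherwise every scheduled run attaches the playbook again.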