
I have 2 questions that need to be addressed on how to move cases from "default" to another environment.

 

  1. Is there a way to associate a detection rule so that, when alerts are created, they are tied to a specific environment other than default?
  2. Is it possible to move cases from default to another environment via playbook? What action do I need to use?

Hi @palevelmode

Thank you for reaching out to the community!   

 

Moving Cases Between Environments

Yes, you can move cases from the "default" environment to another environment. This can be done manually through the case screen, provided the "Allow users to move cases between environments" setting is enabled in SOAR Settings > Advanced > General. When you move a case, it creates a copy in the selected environment. You also have the option to close the case in the current environment while creating a copy in the new one.

Associating Detection Rules with Specific Environments

To have alerts automatically assigned to the correct environment, you can configure this at the connector level. By going to SOAR Settings > Ingestion > Connectors and selecting a specific connector, you can set the "Environment" parameter to route all alerts from that connector to a particular environment.

Alternatively, if you are using SIEM rules, you can define metadata within your rules to specify the target environment for each alert. For example, you could use labels like detection_ruleLabels_env1 to send alerts to SOAR environment env1.

Moving Cases via Playbook

While there isn't a direct "move case to environment" action within playbooks, you can achieve this by leveraging the MoveEnvironment object in the REST API for cases. The MoveEnvironment object has a shouldDeleteOldCase field, which is a boolean that determines if the original case should be deleted after being moved.

For a playbook to move a case, you would typically use an HTTP request action to call the relevant API endpoint. You would need to construct the request body to include the destinationCaseId and potentially set shouldDeleteOldCase to true or false depending on your desired outcome.

It's important to note that the ability to move cases between environments must be enabled in the SOAR settings for this to function.

 

You may find the following documentation helpful as well.  

https://cloud.google.com/chronicle/docs/soar/investigate/working-with-cases/move-case-to-a-new-environment

https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.cases.caseAlerts/move

https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.cases



Yes, I understand the manual method. Any ways how to do it via playbook?


Hi @palevelmode,

 

There's an API endpoint on the SOAR side that may be of interest; unfortunately there is nothing that I believe is available out of the box. You could create a custom action using the endpoint below:

API: /api/external/v1/dynamic-cases/IngestCaseInOtherEnvironment
TYPE: POST
Example Payload:

 

{
  "caseId": 1,
  "environment": "Default Environment",
  "shouldCloseOldCase": true,
  "shouldDeleteOldCase": true
}

Kind Regards,

Ayman
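As an added example that is not part of either answer above, the following Python (the language Chronicle SOAR custom actions are written in) puts the two pieces of the thread together: the first answer's suggestion of calling the case-move API from a playbook HTTP action, and Ayman's /api/external/v1/dynamic-cases/IngestCaseInOtherEnvironment endpoint and payload. The base URL, the API key value and the "AppKey" header name are assumptions and placeholders, not something the thread states; it uses only the standard library rather than the SOAR SDK so it can be run and inspected offline. It also handles the one practical failure mode visible in the post: a payload copied with typographic quotes is not valid JSON and is rejected before it ever reaches the endpoint.

```python
"""Added example, not from the thread: build (and optionally send) the
IngestCaseInOtherEnvironment request from a custom playbook action.

Assumptions (placeholders, not stated in the thread): the SOAR base URL,
the API key value, and the "AppKey" request header name.
"""
import json
import urllib.request

# Endpoint path as given in Ayman's reply.
ENDPOINT_PATH = "/api/external/v1/dynamic-cases/IngestCaseInOtherEnvironment"

# Forum software often replaces straight quotes with curly ones; JSON
# only accepts straight quotes, so normalise before parsing.
_CURLY_TO_STRAIGHT = str.maketrans(
    {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
)


def normalize_pasted_json(text: str) -> dict:
    """Parse a payload that may have been copied with typographic quotes."""
    return json.loads(text.translate(_CURLY_TO_STRAIGHT))


def build_move_payload(case_id: int, environment: str,
                       should_close_old_case: bool = True,
                       should_delete_old_case: bool = False) -> dict:
    """Validate the inputs and return the request body for the move endpoint.

    Defaults close the original case rather than delete it, so the
    audit trail in the source environment is preserved.
    """
    if isinstance(case_id, bool) or not isinstance(case_id, int) or case_id <= 0:
        raise ValueError("caseId must be a positive integer")
    if not isinstance(environment, str) or not environment.strip():
        raise ValueError("environment must be a non-empty environment name")
    if not isinstance(should_close_old_case, bool) or not isinstance(should_delete_old_case, bool):
        raise ValueError("shouldCloseOldCase and shouldDeleteOldCase must be booleans")
    return {
        "caseId": case_id,
        "environment": environment,
        "shouldCloseOldCase": should_close_old_case,
        "shouldDeleteOldCase": should_delete_old_case,
    }


def build_request(base_url: str, api_key: str, payload: dict) -> urllib.request.Request:
    """Assemble the POST request without sending it, so it can be inspected/tested."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=body,
        method="POST",
        # "AppKey" is an assumed header name; check your instance's API docs.
        headers={"Content-Type": "application/json", "AppKey": api_key},
    )


def move_case(base_url: str, api_key: str, case_id: int, environment: str,
              should_close_old_case: bool = True, should_delete_old_case: bool = False,
              timeout: int = 30):
    """Send the move request and return (HTTP status, response body)."""
    payload = build_move_payload(case_id, environment, should_close_old_case, should_delete_old_case)
    req = build_request(base_url, api_key, payload)
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # network call
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed input: the payload exactly as it was pasted, with curly quotes.
    pasted = (
        "{\n\u201ccaseId\u201d: 1,\n\u201cenvironment\u201d: \u201cDefault Environment\u201d,\n"
        "\u201cshouldCloseOldCase\u201d: true,\n\u201cshouldDeleteOldCase\u201d: true\n}"
    )
    print("normalised:", normalize_pasted_json(pasted))
    req = build_request("https://soar.example.invalid", "REPLACE_WITH_API_KEY",
                        build_move_payload(1, "Default Environment"))
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

In a playbook this would be wrapped as a custom action whose parameters map to case_id, environment and the two flags; build_request is kept separate from move_case so the assembled request can be logged or asserted on without a live SOAR instance.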