

What is the best way to search for all recently closed cases via API?


I'm building a job to sync the status of SOAR cases and an external system. I'm using the /external/v1/search/CaseSearchEverything endpoint specifying closed cases only and some tags, but the timeRangeFilter parameter seems to apply to case creation time, not last updated. It's possible a low priority case sits for weeks and then is closed, making this query massive if I have to look back like 6mo every time I run this to ensure nothing is missed.


I looked at /external/v1/search/GetCasesFilterValues but it doesn't seem like it has any options for timeframe/updated at.


hey @Chase_Hammons, I checked with the team; it is suggested to use the get_cases_by_filter function, we use it in our sync closure jobs.


here is a reference for it
https://cloud.google.com/chronicle/docs/soar/reference/siemplify-module#get_cases_by_filter



Hey thanks for the reply. The only time related filters I see are start and end time, which I assume is for the case and would yield the same problem I'm having now. Can you help me understand how to use this to fetch recently closed cases?



hey @Chase_Hammons, it depends on how you want to write your job, so you can either adjust start time/end time, or for example do it how we do it in the Jira integration, where we are searching based on a specific tag:


cases_ids = siemplify.get_cases_by_filter(ticked_ids_free_search=ticket_id, tags=[JIRA_TAG])



Won't that get pretty massive after a few months in production - querying every case tagged with Jira? That seems like a lot of data to pull back.



there are other filters to choose from for the function, please check out the reference



I don't see any that would enable filtering to recently closed cases. I can filter to status of closed, but that doesn't get me the recently piece.



can you provide example of what you are expecting to use as a filter?



Something that would let me fetch alerts after a certain "last_updated" or "closed_at" timestamp



Or any other way to identify recently closed cases



I think I found an endpoint that does what I described:


https://cloud.google.com/chronicle/docs/soar/reference/siemplify-module#get_cases_ids_by_filter



That includes a close_time_from_unix_time_in_ms parameter.



great, glad you have it solved!


Hey Chase, did you manage to solve this? I have a similar post, trying to retrieve closed cases to back sync some other systems we have.

I'm not getting any results using get_cases_ids_by_filter("CLOSE", sort_by="CLOSE_TIME", close_time_from_unix_time_in_ms=1706745600000, close_time_to_unix_time_in_ms=1707091200000, sort_order="DESC")


Neither the close_time nor the update_time filters for get_cases_ids_by_filter are working for me. It's quite a bummer. However, the get_alerts_ticket_ids_from_cases_closed_since_timestamp does seem to work, and from there I'm able to call get_cases_by_filter(ticked_ids_free_search=ticket_id) for each ticket_id fetched via get_alerts_ticket_ids_from_cases_closed_since_timestamp.
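The thread's underlying problem is a sync job that must not miss a closure but also must not re-scan months of cases every run. The example below, added here and not code from any poster or from the Chronicle SOAR / Siemplify SDK, shows the watermark pattern that solves it: query by close time from a persisted "last seen close time" minus a small overlap, de-duplicate the overlap, and advance the watermark only to close times actually observed. FakeSoarClient is a constructed stand-in whose method name and keyword parameters mirror the get_cases_ids_by_filter call quoted above; it answers from an in-memory list so the example runs offline, and its filtering semantics are an assumption to confirm against the real SDK, not a description of it.

```python
"""Incremental sync of recently closed SOAR cases using a close-time watermark.

Added example for this thread; not code from the posters or from the Chronicle
SOAR / Siemplify SDK. FakeSoarClient is a constructed stand-in (assumption):
its parameters mirror the get_cases_ids_by_filter call quoted in the thread,
but it queries an in-memory list so the example works offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Case:
    case_id: int
    status: str                      # "OPEN" or "CLOSE"
    create_time_ms: int              # when the case was created
    close_time_ms: Optional[int]     # None while the case is still open
    tags: List[str] = field(default_factory=list)


class FakeSoarClient:
    """Constructed stand-in for the SDK client (assumption, not the real API)."""

    def __init__(self, cases: List[Case]) -> None:
        self._cases: Dict[int, Case] = {c.case_id: c for c in cases}

    def get_cases_ids_by_filter(self, status: str,
                                close_time_from_unix_time_in_ms: Optional[int] = None,
                                close_time_to_unix_time_in_ms: Optional[int] = None,
                                sort_by: str = "CLOSE_TIME",
                                sort_order: str = "ASC") -> List[int]:
        # Filter on close time, not create time: an old case closed recently
        # is still returned, which is exactly what a create-time filter misses.
        lo, hi = close_time_from_unix_time_in_ms, close_time_to_unix_time_in_ms
        hits = [c for c in self._cases.values()
                if c.status == status and c.close_time_ms is not None
                and (lo is None or c.close_time_ms >= lo)
                and (hi is None or c.close_time_ms <= hi)]
        hits.sort(key=lambda c: c.close_time_ms, reverse=(sort_order == "DESC"))
        return [c.case_id for c in hits]

    def get_case(self, case_id: int) -> Case:
        return self._cases[case_id]


class ClosedCaseSyncer:
    """Pulls only cases closed since the last run instead of a months-long lookback.

    The watermark advances to the newest close time actually observed (never to
    'now', which would skip a close recorded a little late), and each query
    starts overlap_ms before the watermark. Ids already delivered are kept,
    with their close times, to de-duplicate the overlap and then pruned.
    """

    def __init__(self, client: FakeSoarClient, overlap_ms: int = 60_000) -> None:
        self.client = client
        self.overlap_ms = overlap_ms
        self.watermark_ms = 0          # persist this between job runs in practice
        self.delivered: Dict[int, int] = {}   # case_id -> close_time_ms

    def run_once(self, now_ms: int) -> List[int]:
        window_start = max(0, self.watermark_ms - self.overlap_ms)
        ids = self.client.get_cases_ids_by_filter(
            "CLOSE",
            close_time_from_unix_time_in_ms=window_start,
            close_time_to_unix_time_in_ms=now_ms,
            sort_by="CLOSE_TIME",
            sort_order="ASC",
        )
        new_ids = [i for i in ids if i not in self.delivered]
        for case_id in new_ids:
            close_ms = self.client.get_case(case_id).close_time_ms
            self.delivered[case_id] = close_ms
            # Only move the watermark forward, and only on observed closes.
            self.watermark_ms = max(self.watermark_ms, close_ms)
        # Forget ids that can no longer fall inside the next query window.
        cutoff = self.watermark_ms - self.overlap_ms
        self.delivered = {i: t for i, t in self.delivered.items() if t >= cutoff}
        return new_ids


# Constructed sample data: case 3 was created before case 2 but closed later,
# the "low priority case sits for weeks and then is closed" situation.
SAMPLE_CASES = [
    Case(1, "OPEN", create_time_ms=100, close_time_ms=None),
    Case(2, "CLOSE", create_time_ms=100, close_time_ms=1_000),
    Case(3, "CLOSE", create_time_ms=50, close_time_ms=2_500),
    Case(4, "CLOSE", create_time_ms=900, close_time_ms=4_000),
]


def demo() -> List[List[int]]:
    """Three consecutive job runs; returns the newly closed case ids each run."""
    syncer = ClosedCaseSyncer(FakeSoarClient(SAMPLE_CASES), overlap_ms=1_000)
    return [syncer.run_once(3_000), syncer.run_once(5_000), syncer.run_once(6_000)]


if __name__ == "__main__":
    print(demo())   # [[2, 3], [4], []]
```

In a real job the watermark and the small delivered map would be stored with the job's persisted state, and the overlap chosen to cover the largest delay you have seen between a case being closed and the close appearing in query results; the query cost then scales with closures per run, not with the age of your oldest open case.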
