SiemplifyAction module
class SiemplifyAction.SiemplifyAction
SiemplifyAction.SiemplifyAction(mock_stdin=None, get_source_file=False)
Bases: Siemplify
add_alert_entities_to_custom_list
add_alert_entities_to_custom_list(category_name)
Add the alert's entities to the custom list record with the given category.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
category_name | {string} | Custom list category | "CustomList" | N/A |
Returns
{[CustomList]} list of the added objects
Example
Input: Explicitly, category_name. Implicitly, entities via scope. Running add_alert_entities_to_custom_list will result in a list of "CustomList" objects and a configuration change in the settings.
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.add_alert_entities_to_custom_list("WhiteListed HOSTs")
Result behavior
Adds the alert's entities to the WhiteListed HOSTs category.
Result value
[<SiemplifyDataModel.CustomList object at 0x0000000003476E10>, <SiemplifyDataModel.CustomList object at 0x0000000003476B00>]
add_attachment
add_attachment(file_path, case_id=None, alert_identifier=None, description=None, is_favorite=False)
Add an attachment to the case wall.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
file_path | {string} | File path | "C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe" | N/A |
case_id | {string} | Case identifier | 234 | N/A |
alert_identifier | {string} | Alert identifier | 12345 | N/A |
description | {string} | The description for the file | N/A | N/A |
is_favorite | {boolean} | Mark the attachment as a favorite | True/False | N/A |
Returns
{long} attachment_id
Example
Input: Explicitly, file_path, description, and is_favorite. Implicitly, case_id and alert_identifier.
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
# Raw string: the Windows path contains backslash sequences that Python would otherwise treat as escapes
result = siemplify.add_attachment(r"C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe", case_id="234", alert_identifier=None, description=None, is_favorite=True)
Result behavior
The file mentioned in the file path will be attached to case id 234 and the attachment ID will be returned.
Result value
5 [The attachment ID]
add_comment
add_comment(comment, case_id=None, alert_identifier=None)
Add a new comment to a specific case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
comment | {string} | Comment to be added to case wall | N/A | N/A |
case_id | {string} | Case identifier | 234 | If a case_id is not provided, the current case will be used. None by default (optional) |
alert_identifier | {string} | Alert identifier | 12345 | If an alert_identifier is not provided, the current alert will be used. None by default (optional) |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
comment = "Ran some tests on the hash and it seems fine"
siemplify.add_comment(comment=comment)
Result behavior
The specified comment is added to the current case.
Result value
None
add_entity_insight
add_entity_insight(domain_entity_info, message, triggered_by=None, original_requesting_user=None)
Add an entity insight to the case it is being used in.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
domain_entity_info | {DomainEntityInfo} | The entity object that represents an entity to add insight to | N/A | N/A |
message | {string} | Insight message | N/A | N/A |
triggered_by | {string} | Integration name | N/A | If no integration name is provided, the selected integration for the action will be used. None by default (optional) |
original_requesting_user | {string} | Requesting user | N/A | None by default (optional) |
Returns
{boolean} True if success. Otherwise, False.
Example
Result behavior
Result value
add_entity_to_case
add_entity_to_case(entity_identifier, entity_type, is_internal, is_suspicous, is_enriched, is_vulnerable, properties, case_id=None, alert_identifier=None, environment=None)
Add an entity to the current case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
entity_identifier | {string} | Entity identifier | 192.0.2.1, example.com | N/A |
entity_type | {string} | Entity type | "ADDRESS" | N/A |
is_internal | {boolean} | N/A | Internal/External | N/A |
is_suspicous | {boolean} | N/A | Suspicious/Not suspicious | N/A |
is_enriched | {boolean} | N/A | True/False | False by default |
is_vulnerable | {boolean} | N/A | True/False | False by default |
properties | {dict} | {"Property1":"PropertyValue", "Property2":"PropertyValue2"} | N/A | N/A |
Returns
NoneType
If the entity already exists, the following error appears:
500 Server Error: Internal Server Error for url: https://localhost:8443/api/external/v1/sdk/CreateEntity?format=snake: "ErrorMessage":"Cannot add entity [Identifier:Entities Identifies - Type:siemplify.parameters[] to alert [MONITORED MAILBOX <[email protected]>_633997CB-D23B-4A2B-92F2-AD1D350284FF] in case [12345] because the entity already exists there."
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
properties = {"Property1": "PropertyValue", "Property2": "PropertyValue2"}  # values from the parameter table above
# case_id, alert_identifier and environment are omitted, so the current case, alert and environment are used
siemplify.add_entity_to_case("192.0.2.1", "ADDRESS", is_internal=False, is_suspicous=True,
                             is_enriched=False, is_vulnerable=False, properties=properties)
Result behavior
This function will add a new entity to the case if it is not present in the case.
Result value
None
add_tag
add_tag(tag, case_id=None, alert_identifier=None)
Add a new tag to a specific case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
tag | {string} | Tag to be added | Any string to be used as a tag | N/A |
case_id | {string} | Case identifier | 12345 | If a case_id is not provided, then the current case ID will be used. None by default (optional) |
alert_identifier | {string} | Alert identifier | 123 | If an alert_identifier is not provided, then the current alert ID will be used. None by default (optional) |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
tag_to_be_added = "MaliciousMail"
siemplify.add_tag(tag=tag_to_be_added)
Result behavior
The "MaliciousMail" tag is added to the current case.
Result value
None
any_alert_entities_in_custom_list
any_alert_entities_in_custom_list(category_name)
Check if any of the alert's entities has a custom list record with the given category.
This function gets a category name from CustomLists and returns True (Boolean) if any of the entities in the scope is in that category. An entity is considered in the category if its identifier is listed with this category in the settings in the CustomLists table.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
category_name | {string} | The custom list category name | BlackListed IPs | N/A |
Returns
{boolean} True if there is an entity in the category, False otherwise.
Example 1
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.any_alert_entities_in_custom_list("BlackListed IPs")
Example 2
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.any_alert_entities_in_custom_list("Executive IPs")
Result behavior
Sample Code 1 result is True. Sample Code 2 result is False.
Result value
True/False
assign_case
assign_case(user, case_id=None, alert_identifier=None)
Assign case to user.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
user | {string} | User/role | Admin, @Tier1 | N/A |
case_id | {string} | Case identifier | 12345 | If a case_id is not provided, then the current case ID will be used. None by default (optional) |
alert_identifier | {string} | Alert identifier | 123 | If an alert_identifier is not provided, then the current alert ID will be used. None by default (optional) |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
assigned_user = "Admin"
siemplify.assign_case(assigned_user)
Result behavior
The case gets assigned to the Admin user.
Result value
None
attach_workflow_to_case
attach_workflow_to_case(workflow_name, cyber_case_id=None, indicator_identifier=None)
Attach a playbook to the current alert.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
workflow_name | {string} | Workflow (playbook) name | N/A | N/A |
cyber_case_id | {string} | Case identifier | 234 | If no case is provided, the current case is used. None by default (optional) |
indicator_identifier | {string} | Alert identifier | 12345 | If no alert identifier is provided, the current alert is used. None by default (optional) |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
workflow_name = "Example Playbook"  # constructed sample name; use a playbook that exists in your instance
# Case and alert identifiers from the table above; omit them to use the current case and alert
siemplify.attach_workflow_to_case(workflow_name, cyber_case_id="234", indicator_identifier="12345")
Result behavior
Attaches the given workflow to the case for the given indicator identifier.
Result value
None
property case
change_case_priority
change_case_priority(priority, case_id=None, alert_identifier=None)
Change case priority.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
priority | {int} | Priority represented by each number, respectively, is: Low, Medium, High, and Critical | {"Low": 40, "Medium": 60, "High": 80, "Critical": 100} | N/A |
case_id | {string} | Case identifier | 12345 | If no case is provided, the current case is used |
alert_identifier | {string} | Alert identifier | 123 | If no alert identifier is provided, the current alert is used |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
priority_to_change_to = 60
siemplify.change_case_priority(priority=priority_to_change_to)
Result behavior
The case priority gets changed to "Medium".
Result value
None
change_case_stage
change_case_stage(stage, case_id=None, alert_identifier=None)
Change case stage
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
stage | {string} | Stage should match exactly the string that is defined in the case stages table | Incident, Investigation | N/A |
case_id | {string} | Case identifier | 12345 | If no case is provided, the current case is used |
alert_identifier | {string} | Alert identifier | 123 | If no alert identifier is provided, the current alert is used |
Returns
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
stage_to_change_to = "Investigation"
siemplify.change_case_stage(stage=stage_to_change_to)
Result behavior
The case stage is changed to "Investigation".
Result value
None
close_alert
close_alert(root_cause, comment, reason, case_id=None, alert_id=None)
Close current alert.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
root_cause | {string} | Close case root cause | A string taken from the "Case close root cause" table in the settings | N/A |
comment | {string} | Comment | Any string could be used here | Comment should describe the case, but is not restricted |
reason | {ApiSyncAlertCloseReasonEnum} | Close reason | One of three predefined strings available in the popup when done manually: "NotMalicious", "Malicious", and "Maintenance" | See SiemplifyDataModel.ApiSyncAlertCloseReasonEnum |
Returns
{dict} result of server operation
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
reason = "Maintenance"
root_cause = "Employee Error"
comment = "User accidentally activated a correlation before it was ready to be used and triggered this alert"
siemplify.close_alert(reason=reason, root_cause=root_cause, comment=comment)
Result behavior
The current alert is moved to a new case and subsequently closed with the alert.
Result value
None
close_case
close_case(root_cause, comment, reason, case_id=None, alert_identifier=None)
Close case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
root_cause | {string} | Close case root cause | N/A | N/A |
comment | {string} | Comment | Any string could be used here | Comment should describe the case, but is not restricted |
reason | {ApiSyncAlertCloseReasonEnum} | Close case reason | One of three predefined strings available in the popup when done manually: "NotMalicious", "Malicious", and "Maintenance" | See SiemplifyDataModel.ApiSyncAlertCloseReasonEnum |
case_id | {string} | Case identifier | 12345 | If no case is provided, the current case is used |
alert_identifier | {string} | Alert identifier | 123 | If no alert identifier is provided, the current alert is used |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
reason = "Maintenance"
root_cause = "Employee Error"
comment = "User accidentally activated a correlation before it was ready to be used and triggered this alert"
siemplify.close_case(reason=reason, root_cause=root_cause, comment=comment)
Result behavior
The case gets closed with the specified reason, root cause and comment.
Result value
None
create_case_insight
create_case_insight(triggered_by, title, content, entity_identifier, severity, insight_type, additional_data=None, additional_data_type=None, additional_data_title=None)
Add insight to the case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
triggered_by | {string} | Integration name | VirusTotal, XForce | N/A |
title | {string} | Insight title | Enriched by VirusTotal | N/A |
content | {string} | Insight message | Insight Message | N/A |
entity_identifier | {string} | Entity identifier | example.com | N/A |
severity | {int} | Severity level | 0 = info, 1 = warning, 2 = error | N/A |
insight_type | {int} | Insight type | 0 = general, 1 = entity | N/A |
additional_data | {string} | Additional data for insight | {"checked against": "VT", "malicious": "No"} | N/A |
additional_data_type | {int} | Type of the additional data | 'General'=0, 'Entity'=1 | N/A |
additional_data_title | {string} | Additional data title for insight | VT check | N/A |
Returns
{boolean} True if success. Otherwise, False.
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
# Argument values taken from the parameter table above
result = siemplify.create_case_insight("VirusTotal", "Enriched by VirusTotal", "Insight Message", "example.com",
                                       severity=0, insight_type=1, additional_data='{"checked against": "VT", "malicious": "No"}',
                                       additional_data_type=1, additional_data_title="VT check")
Result behavior
Creates the insight for a case with the defined data. True if the case insight is created. Otherwise, False.
Result value
True/False
property current_alert
dismiss_alert
dismiss_alert(alert_group_identifier, should_close_case_if_all_alerts_were_dismissed, case_id=None)
property environment
escalate_case
escalate_case(comment, case_id=None, alert_identifier=None)
Escalate case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
comment | {string} | Escalate comment | N/A | N/A |
case_id | {string} | Case identifier | 12345 | N/A |
alert_identifier | {string} | Alert identifier | 123 | N/A |
extract_action_param
extract_action_param(param_name, default_value=None, input_type=<class 'str'>, is_mandatory=False, print_value=False)
Get an action script parameter.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
param_name | {string} | Name of the parameter | Any of the parameters names available for the action | N/A |
default_value | {any} | The default value of the parameter | The given value will be returned if the parameter was not set (if is_mandatory is set to False) | If the parameter is not passed, use this value by default. None by default (optional) |
input_type | {obj} | Cast the parameter to a different type | int | str by default (optional) |
is_mandatory | {boolean} | Raise an exception if the parameter is empty | True/False | False by default |
print_value | {boolean} | Print the value to the log | True/False | False by default |
Returns
The parameter value, {string} by default, unless input_type is specified.
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
param_value = siemplify.extract_action_param(
"Threshold",
default_value=-1,
input_type=int,
is_mandatory=False,
print_value=False)
Result behavior
The value of the selected parameter will be returned, cast to the selected type.
Result value
20
fetch_and_save_timestamp
fetch_and_save_timestamp(datetime_format=False, timezone=False, new_timestamp=1683033493671)
Fetch timestamp and save it to case context.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
datetime_format | {boolean} | Format for date/time | True for getting in date time format, False for Unix | False by default (optional) |
timezone | N/A | Parameter not supported anymore | N/A | N/A |
new_timestamp | {int} | The time stamp to save | N/A | Unix time by default (optional) |
Returns
Datetime/int
Example
from SiemplifyAction import SiemplifyAction
import SiemplifyUtils
sa = SiemplifyAction()
# Called on the instance, so self is not passed explicitly
sa.fetch_and_save_timestamp(datetime_format=False, new_timestamp=SiemplifyUtils.unix_now())
Result behavior
The latest timestamp is fetched and is saved as TIMESTAMP file in the current directory.
Result value
datetime.datetime(2019, 7, 16, 14, 26, 2, 26000)/1563276380
fetch_timestamp
fetch_timestamp(datetime_format=False, timezone=False)
Get the timestamp saved with save_timestamp.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
datetime_format | {boolean} | If True, return timestamp as datetime. Else, return in Unix | True/False | False by default (optional) |
timezone | N/A | Parameter not supported anymore | N/A | N/A |
Returns
Saved Unix time/datetime
Example
from SiemplifyAction import SiemplifyAction
sa = SiemplifyAction()
result = sa.fetch_timestamp(datetime_format=True)
Result behavior
The latest timestamp is fetched and is saved as TIMESTAMP file in the current directory.
Result value
datetime.datetime(2019, 7, 16, 14, 26, 2, 26000)/1563276380
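The timestamp methods on this page (save_timestamp, fetch_timestamp, fetch_and_save_timestamp) hand back either a datetime or a Unix value, while the closed-since lookups below take Unix milliseconds. The helpers here are an added example, not SDK code: they normalise between the two representations without float rounding. They assume that a naive datetime is in UTC and that an integer timestamp is already in milliseconds (the unit of the default new_timestamp shown in the signatures above); neither assumption is stated on this page.

```python
from datetime import datetime, timedelta, timezone

# Unix epoch as a timezone-aware datetime; all conversions are done against it
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_unix_ms(value):
    """Normalise a saved timestamp (datetime or integer) to Unix milliseconds.

    Assumption: a naive datetime is interpreted as UTC, and an integer is
    already in milliseconds.
    """
    if isinstance(value, datetime):
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        # timedelta // timedelta is exact integer arithmetic, unlike timestamp() * 1000
        return (value - EPOCH) // timedelta(milliseconds=1)
    if isinstance(value, bool):  # bool is an int subclass; refuse it explicitly
        raise TypeError("boolean is not a timestamp")
    if isinstance(value, int):
        return value
    raise TypeError(f"unsupported timestamp type: {type(value).__name__}")


def from_unix_ms(unix_ms):
    """Convert Unix milliseconds to a timezone-aware UTC datetime."""
    return EPOCH + timedelta(milliseconds=unix_ms)


def is_after(saved, timestamp_unix_ms):
    """True when the saved timestamp (either representation) is newer than
    timestamp_unix_ms, e.g. when deciding whether a lookup window must move."""
    return to_unix_ms(saved) > timestamp_unix_ms


if __name__ == "__main__":
    saved = 1683033493671  # the default new_timestamp from the signatures above
    as_dt = from_unix_ms(saved)
    print(as_dt.isoformat(), to_unix_ms(as_dt))
```

A value returned by fetch_timestamp(datetime_format=True) can be passed straight to to_unix_ms before comparing it with, or passing it to, a method that takes timestamp_unix_ms.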
get_alert_context_property
get_alert_context_property(property_key)
Get context property from current alert.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
property_key | {string} | The key of the requested property | N/A | N/A |
Returns
{string} The property value
get_alerts_ticket_ids_from_cases_closed_since_timestamp
get_alerts_ticket_ids_from_cases_closed_since_timestamp(timestamp_unix_ms, rule_generator)
Get alerts from cases that were closed since timestamp.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
timestamp_unix_ms | {long} | Timestamp | 1550409785000L | |
rule_generator | {string} | N/A | Phishing email detector | N/A |
Returns
{[string]} list of alert IDs
get_attachments
get_attachments(case_id=None)
Get attachments from a case.
This function returns a list of dictionaries, one per attachment on the case.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
case_id | {string} | Case identifier | 234 | If no case provided, the current case will be used (optional) |
Returns
{dict} attachments
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.get_attachments(case_id="234")
Result behavior
A list of dictionaries of attachments will be returned for the case id 234.
Result value
[{u'is_favorite': False, u'description': u'test', u'type': u'.exe', u'id': 4, u'name': u'chrome_proxy'}]
get_case_comments
get_case_comments(case_id=None)
Get case comments.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
case_id | {string} | Case identifier | 234 | If no case provided, the current case will be used |
Returns
{[dict]} of case comments
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
siemplify.get_case_comments(case_id="234")  # case identifier from the table above
Result behavior
All comments belonging to the case will be fetched.
Result value
[{u'comment': u'this is a comment',
u'is_deleted': False,
u'last_editor_full_name': u'example user',
u'modification_time_unix_time_in_ms_for_client': 0,
u'creation_time_unix_time_in_ms': 1681904404087, u'id': 12,
u'modification_time_unix_time_in_ms': 1681904404087,
u'case_id': 234,
u'is_favorite': False,
u'alert_identifier': None,
u'creator_user_id': u'cd1c112a-0277-44a9-b68d-98ceef9b0399',
u'last_editor': u'cd1c112a-0277-44a9-b68d-98ceef9b0399',
u'type': 5,
u'comment_for_client': None,
u'creator_full_name': u'example user'}]
get_case_context_property
get_case_context_property(property_key)
Get a case context property.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
property_key | {string} | The requested key property | N/A | N/A |
Returns
{string} the property value
get_configuration
get_configuration(provider, environment=None, integration_instance=None)
Get integration configuration.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
provider | {string} | Integration name | VirusTotal | |
environment | {string} | Configuration for specific environment or 'all' | N/A | Optional. If provided, the credentials will be taken from the relevant environment's configuration. If no environment is stated, the case's environment is used by default. If there is no configuration for the specific environment, the default configuration will be returned. |
integration_instance | {string} | The identifier of the integration instance | N/A | N/A |
Returns
{dict} configuration details
get_similar_cases
get_similar_cases(consider_ports, consider_category_outcome, consider_rule_generator, consider_entity_identifiers, days_to_look_back, case_id=None, end_time_unix_ms=None)
Get similar cases.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
consider_ports | {boolean} | Parameter configures whether to use a port filter or not | True/False | N/A |
consider_category_outcome | {boolean} | Parameter configures whether to consider the category outcome of the events | True/False | N/A |
consider_rule_generator | {boolean} | Parameter configures whether to consider the rule generator for the alerts | True/False | N/A |
consider_entity_identifiers | {boolean} | Parameter configures whether to consider entity identifiers for the alerts | True/False | N/A |
days_to_look_back | {int} | Parameter configures the number of days prior to look for similar cases | 365 | N/A |
Returns
{[int]} list of case IDs
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.get_similar_cases(consider_ports=True,
consider_category_outcome=False,
consider_rule_generator=False,
consider_entity_identifiers=False,
days_to_look_back=30, case_id="234", end_time_unix_ms=None)
Result behavior
A list of case IDs similar to the case 234 will be returned.
Result value
[4, 231]
get_ticket_ids_for_alerts_dismissed_since_timestamp
get_ticket_ids_for_alerts_dismissed_since_timestamp(timestamp_unix_ms)
property is_timeout_reached
load_case_data
load_case_data()
This function loads the case data.
Parameters
No parameters required.
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.load_case_data()
Result behavior
The case data gets loaded.
Result value
None
property log_location
mark_case_as_important
mark_case_as_important(case_id=None, alert_identifier=None)
Mark case as important.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
case_id | {string} | Case identifier | 234 | N/A |
alert_identifier | {string} | Alert identifier | 12345 | N/A |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
siemplify.mark_case_as_important()
Result behavior
The current case is marked as important.
Result value
None
raise_incident
raise_incident(case_id=None, alert_identifier=None)
Raise incident.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
case_id | {string} | Case identifier | 234 | N/A |
alert_identifier | {string} | Alert identifier | 12345 | N/A |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
siemplify.raise_incident(case_id="234", alert_identifier="12345")  # identifiers from the table above
Result behavior
The case is raised to Incident status.
Result value
None
remove_alert_entities_from_custom_list
remove_alert_entities_from_custom_list(category_name)
Remove the alert's entities from the custom list record with the given category.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
category_name | {string} | The custom list category | "WhiteListed HOSTs" | N/A |
Returns
{[CustomList]} list of the removed CustomList objects
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
result = siemplify.remove_alert_entities_from_custom_list("WhiteListed HOSTs")
Result behavior
The alert's entities are removed from the WhiteListed HOSTs category.
Result value
[<SiemplifyDataModel.CustomList object at 0x0000000003476E10>, <SiemplifyDataModel.CustomList object at 0x0000000003476B00>]
save_timestamp
save_timestamp(datetime_format=False, timezone=False, new_timestamp=1683033493671)
Save timestamp to current script context.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
datetime_format | {boolean} | N/A | True for datetime format, False for Unix | Default is False (optional) |
timezone | N/A | Parameter not supported anymore | N/A | N/A |
new_timestamp | {long} | Timestamp to save to context | N/A | Timestamp will default to Unix timestamp of calling the method |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
import SiemplifyUtils
sa = SiemplifyAction()
# Called on the instance, so self is not passed explicitly
sa.save_timestamp(datetime_format=False, new_timestamp=SiemplifyUtils.unix_now())
Result behavior
New timestamp will be saved as TIMESTAMP file in the current directory.
Result value
None
set_alert_context_property
set_alert_context_property(property_key, property_value)
Set an alert context property by key and value pairs.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
property_key | {string} | Key of the property to store to context | N/A | N/A |
property_value | {string} | Value of the property to store to context | N/A | N/A |
set_alert_sla
set_alert_sla(period_time, period_type, critical_period_time, critical_period_type, case_id=None, alert_id=None)
Sets the SLA of the given alert_identifier of case_id. An SLA set using this API should surpass all other alert SLA types.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
period_time | {int/str} | The total SLA period | N/A | period_time > 0 |
period_type | {string} | Time units of period_time, represented by ApiPeriodTypeEnum | N/A | N/A |
critical_period_time | {int/str} | The critical SLA period | N/A | critical_period_time >= 0. The critical period (after scaling with its time units) should be smaller than the total period. |
critical_period_type | {string} | The time units of critical_period_time, represented by ApiPeriodTypeEnum | N/A | N/A |
case_id | {long} | Case identifier | 234 | N/A |
alert_id | {string} | Alert identifier | 12345 | N/A |
set_case_context_property
set_case_context_property(property_key, property_value)
Set a case context property using the key value pair.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
property_key | {string} | Key of the property | N/A | N/A |
property_value | {string} | Value of the property | N/A | N/A |
set_case_sla
set_case_sla(period_time, period_type, critical_period_time, critical_period_type, case_id=None)
Sets the SLA of the given case_id if given, otherwise sets the SLA of the current case. An SLA set using this API should surpass all other case SLA types.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
period_time | {int/str} | The total SLA period | N/A | period_time > 0 |
period_type | {string} | Time units of period_time, represented by ApiPeriodTypeEnum | N/A | N/A |
critical_period_time | {int/str} | The critical SLA period | N/A | critical_period_time > 0. The critical period (after scaling with its time units) should be smaller than the total period. |
critical_period_type | {string} | The time units of critical_period_time, represented by ApiPeriodTypeEnum | N/A | N/A |
case_id | {long} | Case identifier | N/A | N/A |
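Both set_alert_sla and set_case_sla document the same constraints: period_time must be positive, critical_period_time must not be negative, both accept an int or a string, and the critical period must be smaller than the total period once each is scaled by its own time unit. The following is an added example of checking those constraints before calling either method; it is not SDK code. The real ApiPeriodTypeEnum members are not listed on this page, so the unit names in PERIOD_SCALE are placeholders and the function that builds the keyword arguments is hypothetical.

```python
from datetime import timedelta

# Placeholder unit names: replace the keys with the ApiPeriodTypeEnum values
# used by your SDK version; the page does not list them.
PERIOD_SCALE = {
    "Minutes": timedelta(minutes=1),
    "Hours": timedelta(hours=1),
    "Days": timedelta(days=1),
}


def validate_sla(period_time, period_type, critical_period_time, critical_period_type):
    """Check the documented SLA constraints and return (total, critical) as timedeltas.

    Raises ValueError when period_time <= 0, critical_period_time < 0, a unit is
    unknown, or the scaled critical period is not smaller than the scaled total.
    """
    try:
        total_units = int(period_time)            # the API accepts int or str
        critical_units = int(critical_period_time)
    except (TypeError, ValueError):
        raise ValueError("period_time and critical_period_time must be integers or integer strings")
    for unit in (period_type, critical_period_type):
        if unit not in PERIOD_SCALE:
            raise ValueError(f"unknown period type: {unit!r}")
    if total_units <= 0:
        raise ValueError("period_time must be > 0")
    if critical_units < 0:
        raise ValueError("critical_period_time must be >= 0")
    total = total_units * PERIOD_SCALE[period_type]
    critical = critical_units * PERIOD_SCALE[critical_period_type]
    # Compare after scaling, so mixed units (hours vs minutes) are handled correctly
    if critical >= total:
        raise ValueError(f"critical period {critical} must be smaller than total period {total}")
    return total, critical


def sla_is_valid(period_time, period_type, critical_period_time, critical_period_type):
    """Boolean form of validate_sla for callers that prefer a check to an exception."""
    try:
        validate_sla(period_time, period_type, critical_period_time, critical_period_type)
        return True
    except ValueError:
        return False


def sla_kwargs(period_time, period_type, critical_period_time, critical_period_type, case_id=None):
    """Validate, then build the keyword arguments for set_case_sla (hypothetical helper)."""
    validate_sla(period_time, period_type, critical_period_time, critical_period_type)
    return {
        "period_time": period_time,
        "period_type": period_type,
        "critical_period_time": critical_period_time,
        "critical_period_type": critical_period_type,
        "case_id": case_id,
    }


if __name__ == "__main__":
    # Cross-unit case: a 90 minute critical period inside a 1 hour total is rejected
    print(sla_is_valid(1, "Hours", 90, "Minutes"))   # False
    print(sla_is_valid(4, "Hours", 30, "Minutes"))   # True
```

In an action the result is spread into the SDK call, for example siemplify.set_case_sla(**sla_kwargs(4, "Hours", 30, "Minutes")); validating locally first turns a server-side rejection into a clear error message in the action log.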
signal_handler
signal_handler(sig, frame)
property target_entities
try_set_alert_context_property
try_set_alert_context_property(property_key, property_value)
try_set_case_context_property
try_set_case_context_property(property_key, property_value)
update_alerts_additional_data
update_alerts_additional_data(alerts_additional_data, case_id=None)
Update alerts additional data.
Parameters
Param name | Param type | Definition | Possible values | Comments |
---|---|---|---|---|
case_id | {string} | Case identifier | 234 | N/A |
alerts_additional_data | {string:string} | N/A | N/A | N/A |
Returns
NoneType
Example
from SiemplifyAction import SiemplifyAction
siemplify = SiemplifyAction()
additional_data = {"testKey": "testValue"}
siemplify.update_alerts_additional_data(alerts_additional_data=additional_data, case_id="234")  # case identifier from the table above
Result behavior
Updates the alert with the additional data, in this case testKey:testValue.
Result value
None