If an event is added to a case as evidence, it's simple to retrieve it while looking at the case:
Sources -> Cases -> Click on Case -> Evidence and look at Associated Events
But this is only useful if the events were added as evidence.
If they were not added as evidence, then is there a way of listing them through a case?
@dmw There is an undocumented** endpoint that shows all the mappings of cases to those attached to a case.
You can query this and then look for any result with your case as the `case_container` key and each `source_container` is one that is merged, whether in evidence or not.
**as the Endpoint is undocumented it could change at any point
Thanks @phanTom , appreciate the reply. I'm relatively new to Phantom so I wonder if there is an app/plugin that could take advantage of that, although it may be problematic if the API is undocumented.
@dmw you just need to be able to hit the REST API of Phantom and there are 2 ways (within Phantom) to do this:
1. Use the HTTP app
2. Use the phantom.requests() capability and write the code out yourself in a playbook.
Some docs to help query REST REST: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlatformAPI/RESTQueryData
phantom.requests() documentation: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/SessionAPI