Splunk SOAR

Listing all events added to a case but not as evidence

dmw
New Member

Hey everyone

If an event is added to a case as evidence, it's simple to retrieve it while looking at the case:

Sources -> Cases -> Click on Case -> Evidence and look at Associated Events

But this is only useful if the events were added as evidence.

If they were not added as evidence, then is there a way of listing them through a case?

Thanks.

0 Karma

phanTom
SplunkTrust

@dmw There is an undocumented** endpoint that shows all the mappings of cases to those attached to a case. 

/rest/case_container_map

You can query this and then look for any result with your case as the `case_container` key and each `source_container` is one that is merged, whether in evidence or not. 

**as the Endpoint is undocumented it could change at any point 

0 Karma

dmw
New Member

Thanks @phanTom, appreciate the reply. I'm relatively new to Phantom so I wonder if there is an app/plugin that could take advantage of that, although it may be problematic if the API is undocumented.

0 Karma

phanTom
SplunkTrust

@dmw you just need to be able to hit the REST API of Phantom and there are 2 ways (within Phantom) to do this:

1. Use the HTTP app 
2. Use the phantom.requests() capability and write the code out yourself in a playbook. 

Some docs to help query REST: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlatformAPI/RESTQueryData 

phantom.requests() documentation: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/SessionAPI 

0 Karma
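A worked version of the two replies above (query the undocumented endpoint, then keep the rows whose `case_container` is your case), added here as an example and not code from the thread. The `count`/`data` envelope, the `_filter_<field>`/`page_size=0` query parameters and the `ph-auth-token` header are assumptions carried over from the documented SOAR REST endpoints; the sample response is constructed.

```python
import json
import urllib.request

# Constructed sample of what /rest/case_container_map is assumed to return:
# the two keys named in the thread (case_container, source_container) inside
# the count/data envelope that documented SOAR list endpoints use.
SAMPLE_RESPONSE = {
    "count": 4,
    "data": [
        {"id": 1, "case_container": 42, "source_container": 101},
        {"id": 2, "case_container": 42, "source_container": 102},
        {"id": 3, "case_container": 7, "source_container": 103},
        {"id": 4, "case_container": 42, "source_container": 101},  # duplicate row
    ],
}


def events_for_case(response, case_id):
    """Return the sorted, de-duplicated source container ids merged into case_id.

    Operates on the parsed JSON of /rest/case_container_map. Whether an event
    was marked as evidence plays no role, which is the point of the thread.
    """
    records = response.get("data", [])
    ids = {r["source_container"] for r in records
           if r.get("case_container") == case_id}
    return sorted(ids)


def fetch_events_for_case(base_url, auth_token, case_id):
    """Query the endpoint with an automation-user token and filter the result.

    _filter_<field> and page_size=0 are the documented query conventions for
    SOAR REST endpoints; it is an assumption that this undocumented endpoint
    honours them, so the rows are filtered client-side again regardless.
    """
    url = (f"{base_url.rstrip('/')}/rest/case_container_map"
           f"?_filter_case_container={int(case_id)}&page_size=0")
    req = urllib.request.Request(url, headers={"ph-auth-token": auth_token})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS is verified
        return events_for_case(json.load(resp), case_id)


if __name__ == "__main__":
    print(events_for_case(SAMPLE_RESPONSE, 42))  # [101, 102]
```

Inside a playbook the same filtering works on the body returned by `phantom.requests.get()` against the same path.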