Listing all events added to a case but not as evid...

dmw · ‎12-06-2021

Hey everyone

If an event is added to a case as evidence, it's simple to retrieve it while looking at the case:

Sources -> Cases -> Click on Case -> Evidence and look at Associated Events

But this is only useful if the events were added as evidence.

If they were not added as evidence, then is there a way of listing them through a case?

Thanks.

phanTom · ‎12-07-2021

@dmw There is an undocumented** endpoint that shows all the mappings of cases to those attached to a case.

/rest/case_container_map

You can query this and then look for any result with your case as the `case_container` key and each `source_container` is one that is merged, whether in evidence or not.

**as the Endpoint is undocumented it could change at any point

dmw · ‎12-07-2021

Thanks @phanTom , appreciate the reply. I'm relatively new to Phantom so I wonder if there is an app/plugin that could take advantage of that, although it may be problematic if the API is undocumented.

phanTom · ‎12-08-2021

@dmw you just need to be able to hit the REST API of Phantom and there are 2 ways (within Phantom) to do this:

1. Use the HTTP app
2. Use the phantom.requests() capability and write the code out yourself in a playbook.

Some docs to help query REST REST: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlatformAPI/RESTQueryData

phantom.requests() documentation: https://docs.splunk.com/Documentation/SOARonprem/5.1.0/PlaybookAPI/SessionAPI

Listing all events added to a case but not as evidence

using SOAR ⁄ Phantom

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!