Iterate over "child reports/references" and bring in "indicators/data", like the SOC integration "SOC - Retrive threat intel"

So within the SOC app there is a button we can use to bring indicators into a SOC case (from, for example, the phishing workflow app):

# pick the reference field that matches where this SOC case came from
if case_source == 'PHISHING':
    ref_field = current_record['Phishing Ref']
elif case_source == 'SIEM':
    ref_field = current_record['SIEM Ref']
elif case_source == 'MANUAL':
    ref_field = current_record['PP Ref']
else:
    ref_field = []  # unknown source: nothing to copy

# each referenced record carries its own 'TI Ref' field; copy those records up into the case
for ref_record in ref_field:
    for ti_record in ref_record['TI Ref']:
        current_record['TI Ref'].add(ti_record)

current_record.save()

So I have (yet another) app sort of on top, in which we can connect multiple SOC cases (and other data/sightings). This is so we can organise and sort "incidents" into campaigns or clusters instead of just single events.

What I need to do is like the code above.
I need to iterate/loop over all the associated references (could be SOC cases for simplicity), then I need to find all the "TI Ref" in those SOC cases and bring these back into the record / "campaign" I am working in.

So I tried a few variations and the last sort of "code" I was able to throw together is like:

import re

soc_case = sw_context.inputs['SOC case reference(s)']

# tracking ids look like "SOC-123"; capture the whole id so the lookup below gets it
recordidsearch = re.search(r'(SOC-\S+)', soc_case)
record = ''
if recordidsearch:
    trackingId = recordidsearch.group(1)
    record = app.records.get(tracking_id=trackingId)

    # case_source is assumed to be set earlier in the script (not shown here);
    # the reference fields live on the SOC case (record), not on the campaign (current_record)
    if case_source == 'PHISHING':
        ref_field = record['Phishing Ref']
    elif case_source == 'SIEM':
        ref_field = record['SIEM Ref']
    elif case_source == 'MANUAL':
        ref_field = record['PP Ref']
    else:
        ref_field = []

    # copy every TI record found under the SOC case into the campaign record
    for ref_record in ref_field:
        for ti_record in ref_record['TI Ref']:
            current_record['TI Ref'].add(ti_record)
    current_record.save()

"Obviously" this does not work … I am blaming my shallow knowledge of Python and Swimlane at the moment.

Does anyone have some pointers, or has anyone tried something similar?

(Blah, I can only post 1 pic :stuck_out_tongue:)

Hello @lmyrefelt sorry for the delay in response. If I understand correctly you have an app that’s a master / parent and it has reference records to different application records (e.g. PHISHING, SIEM, MANUAL, etc.). And those reference apps have additional reference applications. I hope this is right.

How I visualize it is:

SOC-CASES
------> PHISHING
------------- > SOME TI_REF RECORD
------> SIEM
------------- > SOME TI_REF RECORD
------> MANUAL
------------- > SOME TI_REF RECORD

If this is correct then you first need to pull the parent reference records and then iterate over the nested reference records as well. I wrote this but I'm not 100% sure if this works (I don't have an application layered like this right now). Let me know if this works or if you have any questions. If this doesn't work we can always jump on a call and help.

from swimlane import Swimlane

# verify_ssl=False disables TLS certificate checking; only keep it for a lab host
# with a self-signed certificate
sw = Swimlane('https://sw_web:4443', sw_context.inputs['api_user'], sw_context.inputs['api_pass'], verify_ssl=False, default_timeout=10)

app = sw.apps.get(name='SOC Cases')

current_record = app.records.get(tracking_id=sw_context.inputs['tracking_id'])

# tracking-id prefix of each child app -> the reference field on that record that
# holds its TI records (field names taken from the original post)
REF_FIELDS = {
    'PHSH': 'Phishing Ref',
    'SIEM': 'SIEM Ref',
    'MAN': 'PP Ref',
}

for reference in current_record['Case Ref']:
    for prefix, field in REF_FIELDS.items():
        if prefix not in reference['Tracking Id']:
            continue
        child = app.records.get(tracking_id=reference['Tracking Id'])
        for ti_ref in child[field]:
            if 'TI' in ti_ref['Tracking Id']:
                current_record['Case Ref'].add(ti_ref)
                # If you want reciprocal reference back to the master case from the ti_ref record then you will add this
                # ti_ref['SOC Case Ref'].add(current_record)
                # ti_ref.save()

# save once after every TI record has been added
current_record.save()

Thanks a bunch Josh, will try it first thing tomorrow … now it's bed time here :sweat::sleeping:


Actually I do have a "mix".

parent app
-------> SOC-cases
--------------> PHISH
------------------> SOME TI ( or other stuff )
------> Another app
------------> some event
------------------> some ti ( or other stuff)
------> Yet another app
----------> some data

:slight_smile:

I'll see what I can make based on the code you gave, thanks again
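As an added example (not code from Josh or from lmyrefelt's apps), here is the nested walk Josh sketches, generalised to the multi-level "mix" from the follow-up: a depth-first collector that descends through reference fields per app prefix, reports each TI record once, and stops when a reciprocal reference (the optional `SOC Case Ref` link Josh mentions) points back at a record already visited. Records are plain dicts that mimic swimlane-python's `record['Field']` access; the prefix map and tracking-id formats are assumptions.

```python
# Added example: depth-first collection of TI records through nested reference
# fields, with a guard against reciprocal references looping back to the parent.
# Records are plain dicts standing in for swimlane-python records; the prefix
# map and tracking-id formats below are assumptions, not Swimlane specifics.

# Tracking-id prefix of an app -> reference fields on its records to descend into.
REF_FIELDS = {
    "SOC": ["Case Ref"],
    "PHSH": ["Phishing Ref", "SOC Case Ref"],  # second one is the reciprocal link
    "SIEM": ["SIEM Ref"],
    "MAN": ["PP Ref"],
}
TI_PREFIX = "TI"

def tracking_prefix(record):
    """'PHSH-17' -> 'PHSH' (tracking ids are '<app prefix>-<number>')."""
    return record["Tracking Id"].split("-", 1)[0]

def collect_ti_refs(record, seen=None):
    """Return {tracking id: record} for every TI record reachable from `record`.

    `seen` remembers visited tracking ids, so a reciprocal reference (phishing
    record -> SOC case -> phishing record ...) terminates instead of recursing
    forever, and a TI record referenced twice is reported once."""
    if seen is None:
        seen = set()
    tid = record["Tracking Id"]
    if tid in seen:
        return {}
    seen.add(tid)
    if tracking_prefix(record) == TI_PREFIX:
        return {tid: record}
    found = {}
    for field in REF_FIELDS.get(tracking_prefix(record), []):
        for child in record.get(field, []):
            found.update(collect_ti_refs(child, seen))
    return found

# Constructed sample data: SOC case -> phishing record (with a reciprocal link
# back to the case) and SIEM record; TI-1 is referenced from both children.
TI_A = {"Tracking Id": "TI-1"}
TI_B = {"Tracking Id": "TI-2"}
SOC_CASE = {"Tracking Id": "SOC-5"}
PHISH = {"Tracking Id": "PHSH-9", "Phishing Ref": [TI_A], "SOC Case Ref": [SOC_CASE]}
SIEM = {"Tracking Id": "SIEM-3", "SIEM Ref": [TI_B, TI_A]}
SOC_CASE["Case Ref"] = [PHISH, SIEM]

def unique_ti_ids(root=SOC_CASE):
    """Sorted tracking ids of the TI records the campaign should pull in."""
    return sorted(collect_ti_refs(root))
```

Against a live Swimlane record the dict lookups map onto `record['Field']`, and the returned records feed `current_record['TI Ref'].add(...)` followed by a single `current_record.save()`.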