So within the SOC app there is a button we can use to bring indicators into a SOC case (from, for example, the phishing workflow app):
# pick the reference field that matches where this case came from
if case_source == 'PHISHING':
    ref_field = current_record['Phishing Ref']
if case_source == 'SIEM':
    ref_field = current_record['SIEM Ref']
if case_source == 'MANUAL':
    ref_field = current_record['PP Ref']
# copy every TI reference held by each referenced record into this case
for ref_record in ref_field:
    ti_ref = ref_record['TI Ref']
    for ti_record in ti_ref:
        current_record['TI Ref'].add(ti_record)
current_record.save()
So I have (yet another app) sort of on top, in which we can connect multiple soc-cases (and other data / sightings); this is so we can organise and sort "incidents" into campaigns or clusters instead of just single events.
What I need to do is like in the above code.
I need to iterate / loop over all the associated references (could be soc-cases, for simplicity), then I need to find all the "TI ref" in those soc-cases and bring these back into the record / "campaign" I am working in.
So I tried a few variations, and the last sort of "code" I was able to throw together is like:
import re

# app and case_source are assumed to be set up earlier in the task
soc_case = sw_context.inputs['SOC case reference(s)']
recordidsearch = re.search(r'^.*?SOC-(\S+)', soc_case)
record = ''
if recordidsearch:
    trackingId = recordidsearch.group(1)
    record = app.records.get(tracking_id=trackingId)
current_record = record  # the loop below expects this name
if case_source == 'PHISHING':
    ref_field = current_record['Phishing Ref']
if case_source == 'SIEM':
    ref_field = current_record['SIEM Ref']
if case_source == 'MANUAL':
    ref_field = current_record['PP Ref']
for ref_record in ref_field:
    ti_ref = ref_record['TI Ref']
    for ti_record in ti_ref:
        current_record['TI Ref'].add(ti_record)
current_record.save()
"Obviously" this does not work ... I am blaming my shallow knowledge of Python and Swimlane at the moment.
Does anyone have some pointers, or has anyone tried something similar?
(Blah, I can only post 1 pic)
Hello @lmyrefelt, sorry for the delay in response. If I understand correctly you have an app that's a master / parent and it has reference records to different application records (e.g. PHISHING, SIEM, MANUAL, etc.). And those reference apps have additional reference applications. I hope this is right.
How I visualize it is:
SOC-CASES
------> PHISHING
-------------> SOME TI_REF RECORD
------> SIEM
-------------> SOME TI_REF RECORD
------> MANUAL
-------------> SOME TI_REF RECORD
If this is correct then you first need to pull the parent reference records and then iterate over the nested reference records as well. I wrote this but I'm not 100% sure if this works (I don't have an application layered like this right now). Let me know if this works or if you have any questions. If this doesn't work we can always jump on a call and help.
from swimlane import Swimlane

sw = Swimlane('https://sw_web:4443', sw_context.inputs['api_user'], sw_context.inputs['api_pass'], verify_ssl=False, default_timeout=10)
app = sw.apps.get(name='SOC Cases')
current_record = app.records.get(tracking_id=sw_context.inputs['tracking_id'])

# walk the parent's references, then the references nested under each one
for reference in current_record['Case Ref']:
    if 'PHSH' in reference['Tracking Id']:
        phish_ref = app.records.get(tracking_id=reference['Tracking Id'])
        for ti_ref in phish_ref['Phishing Ref']:
            if 'TI' in ti_ref['Tracking Id']:
                current_record['Case Ref'].add(ti_ref)
        current_record.save()
        # If you want reciprocal reference back to the master case from the ti_ref record then you will add this
        # ti_ref['SOC Case Ref'].add(current_record)
        # ti_ref.save()
    if 'SIEM' in reference['Tracking Id']:
        siem_ref = app.records.get(tracking_id=reference['Tracking Id'])
        # use whichever reference field on the SIEM record holds its TI records
        for ti_ref in siem_ref['Phishing Ref']:
            if 'TI' in ti_ref['Tracking Id']:
                current_record['Case Ref'].add(ti_ref)
        current_record.save()
        # If you want reciprocal reference back to the master case from the ti_ref record then you will add this
        # ti_ref['SOC Case Ref'].add(current_record)
        # ti_ref.save()
    if 'MAN' in reference['Tracking Id']:
        man_ref = app.records.get(tracking_id=reference['Tracking Id'])
        # use whichever reference field on the manual record holds its TI records
        for ti_ref in man_ref['Phishing Ref']:
            if 'TI' in ti_ref['Tracking Id']:
                current_record['Case Ref'].add(ti_ref)
        current_record.save()
        # If you want reciprocal reference back to the master case from the ti_ref record then you will add this
        # ti_ref['SOC Case Ref'].add(current_record)
        # ti_ref.save()
Thanks a bunch Josh, will try it first thing tomorrow ... now it's bed time here.

Actually I do have a "mix".
parent app
-------> SOC-cases
--------------> PHISH
------------------> SOME TI ( or other stuff )
------> Another app
------------> some event
------------------> some ti ( or other stuff)
------> Yet another app
----------> some data

I'll see what I can make based on the code you gave, thanks again.
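Added example, not code from this thread or from Swimlane's own library: the walk Josh sketched above, generalised to the deeper mixed hierarchy in the last post (parent app -> soc-cases / other apps -> events -> TI). It stands in for swimlane-python with a constructed dict of records so it runs offline; the field names, the TI-<number> tracking-id convention and the sample records are assumptions, and the `seen` set is there because a reciprocal 'SOC Case Ref' link back to the case makes the reference graph cyclic.

```python
import re
from typing import Dict, Optional, Set

# Constructed stand-in for the records: a dict keyed by tracking id, each record a
# dict of fields. Reference fields hold lists of tracking ids; the names mirror
# the thread (Case Ref, Phishing Ref, SIEM Ref, PP Ref, TI Ref, SOC Case Ref).
RECORDS: Dict[str, dict] = {
    "CAMP-1": {"Tracking Id": "CAMP-1", "Case Ref": ["SOC-10", "SOC-11"], "TI Ref": []},
    "SOC-10": {"Tracking Id": "SOC-10", "Phishing Ref": ["PHSH-5"],
               "SIEM Ref": ["SIEM-7"], "TI Ref": []},
    "SOC-11": {"Tracking Id": "SOC-11", "PP Ref": ["MAN-3"], "TI Ref": ["TI-1"]},
    # reciprocal link back to the case: this creates a cycle the walk must survive
    "PHSH-5": {"Tracking Id": "PHSH-5", "TI Ref": ["TI-1", "TI-2"], "SOC Case Ref": ["SOC-10"]},
    "SIEM-7": {"Tracking Id": "SIEM-7", "TI Ref": ["TI-3"]},
    "MAN-3": {"Tracking Id": "MAN-3", "TI Ref": []},
}

# Every reference field the walk follows, and the assumed tracking-id shape of TI records.
REF_FIELDS = ("Case Ref", "Phishing Ref", "SIEM Ref", "PP Ref", "TI Ref", "SOC Case Ref")
TI_ID = re.compile(r"^TI-\d+$")


def collect_ti_refs(tracking_id: str, records: Dict[str, dict],
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Depth-first walk over all reference fields below `tracking_id`; returns the
    tracking ids of every TI record reachable, visiting each record at most once."""
    seen = set() if seen is None else seen
    if tracking_id in seen:            # already walked (cycle or shared child)
        return set()
    seen.add(tracking_id)
    found: Set[str] = set()
    for field in REF_FIELDS:
        for child_id in records.get(tracking_id, {}).get(field, []):
            if TI_ID.match(child_id):  # leaf we want: keep it, do not descend
                found.add(child_id)
            else:                      # another case/event record: recurse into it
                found |= collect_ti_refs(child_id, records, seen)
    return found


def pull_ti_into(tracking_id: str, records: Dict[str, dict]) -> list:
    """Add the reachable TI ids to the record's own 'TI Ref' field without
    duplicating ones already there (a real record would then need .save())."""
    rec = records[tracking_id]
    new_ids = collect_ti_refs(tracking_id, records) - set(rec["TI Ref"])
    rec["TI Ref"].extend(sorted(new_ids))
    return sorted(rec["TI Ref"])


if __name__ == "__main__":
    print(pull_ti_into("CAMP-1", RECORDS))  # ['TI-1', 'TI-2', 'TI-3']
```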