Iterate over "child reports/references" and bring in "indicators/data", like SOC integration "SOC - Retrive threat intel"

So within the SOC app there is a button we can use to bring indicators into a SOC case (from, for example, the phishing workflow app).

# Pick the reference field that matches where the case came from
if case_source == 'PHISHING':
    ref_field = current_record['Phishing Ref']
if case_source == 'SIEM':
    ref_field = current_record['SIEM Ref']
if case_source == 'MANUAL':
    ref_field = current_record['PP Ref']
# Copy every TI record linked from the referenced records into this case
for ref_record in ref_field:
    ti_ref = ref_record['TI Ref']
    for ti_record in ti_ref:
        current_record['TI Ref'].add(ti_record)

So I have (yet another) app, sort of on top, in which we can connect multiple SOC cases (and other data/sightings); this is so we can organise and sort “incidents” into campaigns or clusters instead of just single events.

What I need to do is like in the above code.
I need to iterate/loop over all the associated references (could be SOC cases, for simplicity), then I need to find all the “TI Ref” in those SOC cases and bring these back into the record / “campaign” I am working in.

So I tried a few variations, and the last sort of “code” I was able to throw together is like:

import re

soc_case = sw_context.inputs['SOC case reference(s)']

recordidsearch = re.search(r'^.*?SOC-(\S+)', soc_case)
record = ''
if recordidsearch:
    trackingId =
    record = app.records.get(tracking_id=trackingId)
if case_source == 'PHISHING':
    ref_field = current_record['Phishing Ref']
if case_source == 'SIEM':
    ref_field = current_record['SIEM Ref']
if case_source == 'MANUAL':
    ref_field = current_record['PP Ref']
for ref_record in ref_field:
    ti_ref = ref_record['TI Ref']
    for ti_record in ti_ref:
        current_record['TI Ref'].add(ti_record)

“Obviously” this does not work … I am blaming my shallow knowledge of Python and Swimlane at the moment.

Does anyone have some pointers, or has anyone tried to do a similar thing?

(Blah, I can only post 1 pic :stuck_out_tongue: )
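
One way to do the aggregation the post describes, as an added example that is neither the poster's code nor Swimlane's own. It assumes reference fields can be iterated and have `.add()` as in the snippet above; `RefField`, the plain-dict records and the `'Tracking Id'` key used for de-duplication are constructed stand-ins so it runs without a Swimlane instance.

```python
# Added example: in-memory stand-ins only, no Swimlane API is called.
class RefField:
    """Constructed stand-in for a reference field: iterable, with .add()."""
    def __init__(self, records=()):
        self._records = list(records)

    def __iter__(self):
        return iter(self._records)

    def add(self, record):
        self._records.append(record)


def collect_ti_refs(campaign, case_field='SOC case reference(s)',
                    ti_field='TI Ref', key=lambda rec: rec['Tracking Id']):
    """Copy every TI record referenced by the campaign's SOC cases into the
    campaign's own TI field. Returns the keys that were newly added."""
    # Start from what the campaign already holds so reruns add nothing twice.
    seen = {key(ti) for ti in campaign[ti_field]}
    added = []
    for soc_case in campaign[case_field]:
        # A case may have no TI linked yet; treat that as empty.
        for ti_record in soc_case.get(ti_field) or ():
            k = key(ti_record)
            if k in seen:
                continue  # same indicator reachable through several cases
            seen.add(k)
            campaign[ti_field].add(ti_record)
            added.append(k)
    return added


def build_sample():
    """Constructed sample data: two SOC cases sharing one TI record."""
    ti = {n: {'Tracking Id': f'TI-{n}'} for n in (1, 2, 3)}
    case_a = {'Tracking Id': 'SOC-10', 'TI Ref': RefField([ti[1], ti[2]])}
    case_b = {'Tracking Id': 'SOC-11', 'TI Ref': RefField([ti[2], ti[3]])}
    case_c = {'Tracking Id': 'SOC-12'}  # no TI linked yet
    return {'Tracking Id': 'CAMP-1',
            'SOC case reference(s)': RefField([case_a, case_b, case_c]),
            'TI Ref': RefField([ti[1]])}


if __name__ == '__main__':
    print(collect_ti_refs(build_sample()))
```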