soar_ops module
TIPCommon.soar_ops.create_slo_message
TIPCommon.soar_ops.create_slo_message(slo: int, interval_days: Iterable[int], existing_comments: Iterable[str])
Gets SLO warning messages based on time intervals and existing comments.
For the interval_days=[0, 1, 7, 14] parameter, the function sends a message warning that the SLO will be breached, according to the following schedule:
- 7-14 days until the expiration time.
- 1-7 days until the expiration time.
- When the SLO was breached.
If a comment was already sent in the current breached interval, no new comment is returned (None is returned).
slo
int
The SLO breach date in Unix microseconds (for example, 1_673_774_674_567)
interval_days
Iterable[int]
An iterable containing the numbers of days from the breach time at which warnings should be sent (for example, [0, 1, 3, 7, 14])
existing_comments
Iterable[int]
The existing comments to check if a comment was already sent.
Raises
ValueError
- When one of the time intervals is negative.
Returns
The comment is returned if applicable. Otherwise, None is returned.
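The schedule and de-duplication described above, as an added sketch that is not TIPCommon's own code. It assumes timestamps in Unix milliseconds (the magnitude of the sample value above), names each window after its upper bound, treats the last day before the breach as one more window, and counts an identical existing comment as already sent; slo_message_sketch and replay are hypothetical names.

```python
from typing import Iterable, Optional

MS_PER_DAY = 86_400_000  # assumption: timestamps are Unix milliseconds
WARNING = "SLO will be breached in {} days"  # wording quoted on this page
BREACHED = "SLO was breached"                # wording quoted on this page


def slo_message_sketch(slo: int, now: int, interval_days: Iterable[int],
                       existing_comments: Iterable[str]) -> Optional[str]:
    """Return the SLO comment due at `now`, or None if none is due or it was already sent."""
    thresholds = sorted(set(interval_days))
    if any(day < 0 for day in thresholds):
        raise ValueError("interval_days must not contain negative values")

    remaining_days = (slo - now) / MS_PER_DAY
    if remaining_days <= 0:
        message = BREACHED
    else:
        # Assumption: a window is named after its upper bound, so with
        # [0, 1, 7, 14] a case 10 days from breach is in the "14 days" window.
        window = next((d for d in thresholds if d > 0 and remaining_days <= d), None)
        if window is None:
            return None  # further from breach than the largest threshold
        message = WARNING.format(window)

    # Assumption: "already sent" means an identical comment body exists.
    return None if message in set(existing_comments) else message


def replay(slo: int, interval_days: Iterable[int],
           check_offsets_days: Iterable[float]) -> list:
    """Simulate a periodic job: check at each offset (days before breach), post what is due."""
    days = list(interval_days)
    posted = []
    for offset in check_offsets_days:
        now = slo - int(offset * MS_PER_DAY)
        message = slo_message_sketch(slo, now, days, posted)
        if message is not None:
            posted.append(message)
    return posted


if __name__ == "__main__":
    SLO = 1_673_774_674_567  # sample value from this page
    # Constructed schedule: checks from 20 days before the breach to 2 days after it.
    print(replay(SLO, [0, 1, 7, 14], [20, 13, 12, 8, 6, 3, 0.5, -1, -2]))
```

Repeated checks inside the same window produce no second comment, which is what keeps a periodic job from flooding the case wall.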
TIPCommon.soar_ops.get_clean_comment_body
TIPCommon.soar_ops.get_clean_comment_body(comment: str | CaseComment, prefix: str)
Removes a prefix from the comment string or comment object.
comment
str | CaseComment
The comment string or comment object to remove the prefix from.
prefix
str
The prefix to remove.
Raises
TypeError
- When the type of comment is neither str nor CaseComment.
Returns
The comment without the prefix.
Return type
str
TIPCommon.soar_ops.get_file
TIPCommon.soar_ops.get_file(chronicle_soar: SiemplifyAction | SiemplifyConnectorExecution | SiemplifyJob, identifier: str)→ bytes | None
Returns file content in bytes.
Parameters
chronicle_soar
ChronicleSOAR
A Google Security Operations SOAR SDK object.
identifier
str
The filename identifier along with the full path.
Returns
Bytes data of the provided identifier.
Return type
bytes | None
TIPCommon.soar_ops.get_secops_mode
TIPCommon.soar_ops.get_secops_mode()→ str | None
Returns the SECOPS_MODE environment variable.
Returns
The SECOPS_MODE environment variable.
Return type
str | None
TIPCommon.soar_ops.get_soar_case_comments
TIPCommon.soar_ops.get_soar_case_comments(chronicle_soar: SiemplifyAction | SiemplifyJob, case_id: str | int)
Returns a list of comment objects from a case, using its ID.
chronicle_soar
SiemplifyAction | SiemplifyJob
The SDK object.
case_id
str | int
The ID of the case whose comments are fetched.
Returns
A list of comment objects.
Return type
list[base.action.CaseComment]
TIPCommon.soar_ops.get_user_by_id
TIPCommon.soar_ops.get_user_by_id(chronicle_soar: SiemplifyAction | SiemplifyConnectorExecution | SiemplifyJob, user_id: str)→ UserProfileCard | None
Gets a UserProfileCard object from a user ID.
Parameters
chronicle_soar
ChronicleSOAR
A Google Security Operations SOAR SDK object.
user_id
str
The user ID, e.g. f6dc053c-58bb-4da5-95bb-739be7d297a2.
Returns
The user object if it is found; otherwise, None.
Return type
UserProfileCard | None
TIPCommon.soar_ops.get_users_profile_cards_with_pagination
TIPCommon.soar_ops.get_users_profile_cards_with_pagination(chronicle_soar: SiemplifyAction | SiemplifyConnectorExecution | SiemplifyJob, search_term: str = '', page_size: int = 20, filter_by_role: bool = False, filter_disabled_users: bool = False, filter_support_users: bool = False, fetch_only_support_users: bool = False, filter_permission_types: list[int] | None = None)→ list[UserProfileCard]
Gets all user profile cards using pagination. The page size serves as the limit for the number of users in each iteration.
Parameters
chronicle_soar
ChronicleSOAR
A Google Security Operations SOAR SDK object.
search_term
str
The search terms. Defaults to ''.
page_size
int
The number of users to return. Defaults to 20.
filter_by_role
bool
Define whether to filter by role. Defaults to False.
filter_disabled_users
bool
Define whether to filter disabled users. Defaults to False.
filter_support_users
bool
Define whether to filter support users. Defaults to False.
fetch_only_support_users
bool
Define whether to return only support users. Defaults to False.
filter_permission_types
list[int] | None
A list of filter permission types (e.g. 0). Defaults to None.
Returns
A list of all users.
Return type
list[UserProfileCard]
TIPCommon.soar_ops.is_slo_comment
TIPCommon.soar_ops.is_slo_comment(comment: str)
Checks if a comment is an SLO warning comment.
An SLO comment is either an SLO warning ("SLO will be breached in {int} days") or an SLO breached message ("SLO was breached").
comment
str
The comment to check.
Returns
True if the comment is an SLO comment. Otherwise, False is returned.
Return type
bool
TIPCommon.soar_ops.remove_prefix_from_comments
TIPCommon.soar_ops.remove_prefix_from_comments(comments: list[str], prefix: str)
Removes a prefix (when present) from a list of comments.
comments
list[str]
The comments to remove the prefix from.
prefix
str
The prefix to remove.
Returns
A list of all comments after the prefix was removed from them.
Return type
list[str]
TIPCommon.soar_ops.save_file
TIPCommon.soar_ops.save_file(chronicle_soar: SiemplifyAction | SiemplifyConnectorExecution | SiemplifyJob, path: str, name: str, content: bytes)→ bytes | None
Saves a file to a Google Cloud bucket or local path.
Parameters
chronicle_soar
ChronicleSOAR
A Google Security Operations SOAR SDK object.
path
str
The path of the folder where files should be saved.
name
str
The filename to be saved.
content
bytes
The file content in bytes format.
Returns
The path to the downloaded files.
Return type
str | None