Find Relevant Case Skill
Identify existing cases that may be related to the current investigation based on IOCs, hostnames, usernames, or other entities.
Inputs
SEARCH_TERMS - List of values to search for (e.g., ["198.51.100.10", "mikeross-pc", "jsmith"]) - (Optional)
CASE_STATUS_FILTER - Filter by status: "Opened", "Closed" (default: "Opened") - (Optional)
TIME_FRAME_HOURS - Lookback period, in hours, for case creation/update - (Optional)
MAX_RESULTS - Maximum number of cases to return
Workflow
Step 1: Construct Search Filter
Build a filter for list_cases from the search terms, the status filter and the time frame.
Note: The list_cases tool may have limited ability to search within case entities. If direct entity search isn't supported, filter on what it does support (status, time range) and verify the entities in Step 4.
Step 2: Execute Search
```python
secops-soar.list_cases(
    filter=constructed_filter,
    limit=MAX_RESULTS
)
```
Step 3: Process Results
Extract case IDs and basic details (DisplayName, Priority) from results.
Step 4: (Optional) Refine Results
If the filter could not include the search terms, or the result set is too large, call get_case_full_details on candidate cases to confirm that the entity actually appears in the case before reporting it:
```python
secops-soar.get_case_full_details(case_id=candidate_case_id)
```
Outputs
| Output | Description |
|---|---|
| RELEVANT_CASE_IDS | List of case IDs that match the search |
| RELEVANT_CASE_SUMMARIES | Brief summaries (ID, name, priority) |
| FIND_CASE_STATUS | Success/failure status of the search |
Limitations & Workarounds
The list_cases tool may not support direct entity searching. Alternatives:
- Broader filters - Filter on status and time range, then verify entity presence per case with get_case_full_details
- SIEM correlation - Search the SIEM for the entity, then check whether the matching events belong to a case
- Multiple searches - Search each term separately, then combine and de-duplicate the results
