Query Actions
Query a Case Management Table
Query a Case Management Table by filling in the following parameters in the step.
Parameter | Description |
---|---|
Table Name | Type of Table: Alerts, Attachments, Cases, Custom Table, Observables, Tasks |
Fields | Field Types |
Condition (Optional) | Condition that compares two Case Management table field values. |
Advanced-Limit (Optional) | Query Limit |
Query a Case Management Table using SQL
Query a Case Management Table using SQL by filling in the following parameters in the step.
Parameter | Description |
---|---|
SQL Query | The SQL Query |
Output Format | Output Format Types: Table, CSV or JSON |
note
Use table and column names, not display names. The full list of table and column names, mapped to their display names, is given below.
- To query cases that are linked to rows of another table, join on that table's linked-cases column:

```sql
SELECT *
FROM cases c
JOIN <table_name> t ON c.id::text = ANY(t.<linked_cases_column>);
```

note
Replace <table_name> with the table whose rows link to cases (observables, alerts, attachments or tasks) and <linked_cases_column> with that table's column that holds the linked case IDs (case_ids in each of the tables listed below). The same placeholder must be used in both the JOIN and the ANY() clause.
For example, to get all cases and the Observables attached to them:

```sql
SELECT *
FROM cases c
JOIN observables o ON c.id::text = ANY(o.case_ids);
```
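The two-table join above returns every column of both tables and multiplies rows per observable. In practice a workflow usually needs a filtered, aggregated view. The following query is an added example, not from the original page or the product's own documentation: it lists open, high-severity cases with a count of their linked alerts and an array of their malicious observables, using only columns named in the tables below. It assumes (not confirmed by the page) that the cases table exposes an id column as the page's own join does, that the *_ids columns are text arrays (hence the ::text cast and ANY()), and that status, severity and verdict are stored as the display strings 'Open', 'High' and 'Malicious'. If any of those values come from workflow inputs, validate them against an allow-list before building the SQL string rather than interpolating raw input into the query.

```sql
-- Added example (not part of the original page). Assumptions: cases.id exists,
-- *_ids columns are text arrays, and the literal status/severity/verdict
-- strings match what the instance stores.
SELECT
    c.case_id,
    c.name,
    c.severity,
    c.case_manager,
    c.sla_expiry,
    -- DISTINCT is required: joining two one-to-many relations (alerts and
    -- observables) produces one row per alert x observable pair.
    COUNT(DISTINCT a.id) AS linked_alert_count,
    ARRAY_AGG(DISTINCT o.content) FILTER (WHERE o.content IS NOT NULL) AS malicious_observables
FROM cases c
LEFT JOIN alerts a
       ON c.id::text = ANY(a.case_ids)
LEFT JOIN observables o
       ON c.id::text = ANY(o.case_ids)
      AND o.verdict = 'Malicious'
WHERE c.status = 'Open'
  AND c.severity = 'High'
GROUP BY c.case_id, c.name, c.severity, c.case_manager, c.sla_expiry
ORDER BY c.sla_expiry ASC NULLS LAST;
```

Choose the JSON output format when a later step needs to iterate over malicious_observables, since the array is preserved as a JSON list; in CSV output it is flattened to a single string.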
List of Tables
Cases
Name | Display Name |
---|---|
case_id | Case ID |
type | Case Type |
severity | Severity |
name | Name |
summary | Summary |
created_at | Created At |
case_manager | Case Manager |
status | Status |
linked_observables | Linked Observables |
close_reason | Close Reason |
closed_at | Closed At |
closed_by | Closed By |
closed_by_workflow | Closed By Workflow |
collaborators | Collaborators |
created_by | Created By |
linked_alerts | Linked Alerts |
linked_attachments | Linked Attachments |
linked_cases | Linked Cases |
linked_tasks | Linked Tasks |
mitre_attack | Mitre Attack |
response | Response |
sla | SLA |
sla_expiry | SLA Expiry |
case_tags | Tags |
vendors | Vendors |
Observables
Name | Display Name |
---|---|
created_by | Created By |
content | Content |
enrichment_data | Enrichment Data |
updated_at | Updated At |
case_ids | Linked Cases |
attachment_ids | Linked Attachments |
task_ids | Linked Tasks |
name | Name |
type | Observable Type |
description | Description |
verdict | Verdict |
alert_ids | Linked Alerts |
id | ID |
updated_by | Updated By |
observable_id | Observable ID |
auto_id | Observable Number |
observable_ids | Linked Observables |
Alerts
Name | Display Name |
---|---|
processed | Processed |
id | ID |
updated_at | Updated At |
created_by | Created By |
updated_by | Updated By |
observable_ids | Linked Observables |
template_exists | Template Exists |
severity | Severity |
response | Response |
alert_id | Alert ID |
case_ids | Linked Cases |
type | Alert Type |
name | Name |
vendor | Vendor |
event | Event |
description | Description |
attachment_ids | Linked Attachments |
Attachments
Name | Display Name |
---|---|
updated_at | Updated At |
created_by | Created By |
updated_by | Updated By |
id | ID |
ioc_ids | Linked IOCs |
alert_ids | Linked Alerts |
attachment | Attachment |
attachment_id | Attachment ID |
case_ids | Linked Cases |
description | Description |
name | Name |
response | Response |
task_ids | Linked Tasks |
type | Attachment Type |
menu | Menu |
observable_ids | Linked Observables |
created_at | Created At |
Tasks
Name | Display Name |
---|---|
updated_at | Updated At |
id | ID |
created_by | Created By |
updated_by | Updated By |
created_at | Created At |
observable_ids | Linked Observables |
is_blocking | Block closing case until done |
description | Description |
closed_at | Closed At |
case_ids | Linked Cases |
task_id | Task ID |
due_date | Due date |
task_ids | Linked Tasks |
name | Name |
status | Status |
alert_ids | Linked Alerts |
priority | Priority |
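The is_blocking column ("Block closing case until done") is the one most SOC teams query on, because a blocking task that is overdue stalls case closure and silently eats into the case SLA. The following query is an added example, not from the original page or the product's own documentation: it returns overdue blocking tasks on open cases together with how long they have been overdue. It assumes (not confirmed by the page) that cases exposes an id column as the page's own join does, that is_blocking is boolean, that due_date is a timestamp, and that the status strings 'Open' and 'Done' match what the instance stores.

```sql
-- Added example (not part of the original page). Assumptions: cases.id exists,
-- tasks.is_blocking is boolean, tasks.due_date is a timestamp, and the
-- literal status strings match the instance.
SELECT
    c.case_id,
    c.name              AS case_name,
    c.case_manager,
    c.sla_expiry,
    t.task_id,
    t.name              AS task_name,
    t.priority,
    t.due_date,
    NOW() - t.due_date  AS overdue_by
FROM tasks t
JOIN cases c
  ON c.id::text = ANY(t.case_ids)
WHERE t.is_blocking
  AND t.status <> 'Done'
  AND t.due_date < NOW()
  AND c.status = 'Open'
ORDER BY t.due_date ASC;
```

Run it with the Table output format for a quick review, or with JSON when the result feeds a notification step that pings the case manager per row.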
Custom Tables
If you're using custom tables, follow the Query a Table Using SQL docs to fetch the correct table schema. You can get the full table name via the Copy Table ID button.