Issue syncing - Set up integrations that mirror Cortex issues with external applications, such as Jira or ServiceNow. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation
Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide
Abstract

Set up integrations that mirror Cortex issues with external applications, such as Jira or ServiceNow.

You can set up integrations in Cortex XSIAM that mirror Cortex issues with external applications, such as Atlassian Jira or ServiceNow. When mirroring issues (also referred to as issue syncing), you can make changes in an external application that will be reflected in Cortex XSIAM, and vice versa. If an issue is mirrored with an external application, you have the following options:

  • Link the ticket to the issue: If an issue is linked to a ticket, the ticket number is displayed in the Overview section of the issue card. You see details about the status of the ticket by clicking on the ticket number.

  • Sync changes between the issue and the ticket: If an issue is synced to a ticket, changes are synchronized in an outbound, inbound, or bi-directional flow.

Note

Multiple tickets can be linked to an issue with outbound syncing. Issues with inbound syncing can be linked to a single ticket only.

Set up an external integration to sync with issues

Before you can sync issues with external applications, you must set up and configure your integration instance. Complete the following steps:

  1. Install the content pack.

    1. To install from the Data Sources & Integrations page: Navigate to SettingsData Sources & Integrations, click + Add New., and search for the relevant content pack.

      To install from Marketplace: Navigate to SettingsConfigurationsMarketplace. and browse for the relevant content pack.

    2. Install the relevant content pack, for example Atlassian Jira or ServiceNow.

  2. Connect an integration instance.

    1. Navigate to SettingsData Sources & Integrations.

    2. Search for the relevant data source (for example Atlassian Jira) select it, and click Add Instance.

    3. Enter instance details in the required fields and click Connect.

Manually create a synced ticket

Prerequisite

You must set up an integration before you can sync issues. For more information, see Set up an integration for mirroring issues.

You can manually sync existing issues with external applications.

  1. From the Issues page, right-click an issue and select Run AutomationSelect Automation.

  2. Under Quick Actions, select the action you want to configure, such as Create Jira Ticket or Create ServiceNow Ticket.

  3. Define the required ticket parameters.

    Note

    Using issue fields as variables is not currently supported.

  4. Under Using, select the name of the instance to execute the command.

    Warning

    If you leave this field blank, all configured instances will be used.

  5. Under Sync Configuration, the following options are displayed, depending on your selection:

    • Link to issue: select this option if you want the issue to be linked to the created ticket. You must check this option if you want to sync the issue with the ticket.

    • Sync Direction: select the syncing configuration:

      • Inbound: Sync changes from the external ticket with the Cortex XSIAM issue.

      • Outbound: Sync changes from the Cortex XSIAM issue with the external ticket.

      • Bi-directional: Sync changes in both directions.

      • None: Do not sync changes between the Cortex XSIAM issue with the external ticket. If you select this option, the tickets are still linked, but changes are not synced. You can update this option at any time to start syncing.

    • Define the inbound and/or outbound sync profiles.

      Depending on the selected option, select sync profiles that define field mapping between the issue and the external ticket. You can use the default sync profiles or you can create custom profiles. For more information about sync profiles, see Create a sync profile.

      Note

      You can only define a single inbound profile. If you change the inbound sync profile the current profile is overwritten.

      You can define multiple outbound profiles; one issue can update multiple tickets.

  6. Click OK.

    After ticket creation, the ticket number is shown in the Issue card. Click on the ticket number to see details about the created ticket and syncing configuration. In addition, the execution is recorded in the War Room tab. If there is a error in the requested action, you can see details in the audit.

  7. View or edit the syncing configuration. For more information, see View, update, or resolve a ticket.

Example 151. 

The following example shows an automation run on an issue to create a ServiceNow ticket that is synced in an outbound flow with the ticket.

Outbound_SNOW_sync_example.png

Run a War Room command to create and sync a ticket

You can run the following command in the War Room to create an external ticket and define the syncing configuration:

!jira-create-issue-quick-action summary="<summary>" project_key="<key>" issue_type_name="<type>" 
description="<description>" using="<instance>" mirroring_link_to_object="true" 
mirroring_sync_direction="<syncDirection>" mirroring_outbound_profile_id="<profileID>"

Tip

You can find a sync profile ID under SettingsConfigurationsObject SetupIssuesSync Profiles. By default the ID field is not displayed in the table. Click the three dot menu and add it to the table layout.

Example 152. 

The following example creates a Jira Bug ticket for the Project Key SCRUM, with an Outbound sync configuration:

!jira-create-issue-quick-action summary="Restrict ingress on AWS Network ACLs for admin ports 22 and 3349" 
project_key="SCRUM" issue_type_name="Bug" description="We identified that multiple AWS Network ACLS are 
allowing inbound (ingress) traffic on admin ports" using="JiraV3" mirroring_link_to_object="true" 
mirroring_sync_direction="OUTBOUND" mirroring_outbound_profile_id="h8e14996-8695-5396-9g87-f08suu907486"

Create an automation rule for syncing issues with external tickets

Prerequisite

You must set up an integration before you can sync issues. For more information, see Set up an integration for mirroring issues.

You can set up automation rules that create external tickets when certain issues occur and define the syncing configuration for transferring data between the issues and tickets.

  1. Go to Investigation & ResponseAutomationAutomation Rules.

  2. Click Add Automation Rule.

  3. Enter a name and description for the rule.

  4. Select whether to enable the rule after creation.

  5. Under Rule Conditions, define the WHEN, and IF conditions. For more information about rule conditions, see Create an automation rule.

  6. Under THEN select the desired automation, such as Create Jira Ticket and complete the following fields:

    1. Define the required ticket parameters.

      Note

      Using issue fields as variables is not currently supported.

    2. Under Using, select the name of the instance to execute the command.

      Warning

      If you leave this field blank, all configured instances will be used.

    3. Under Sync Configuration, the following options are displayed, depending on your selection:

      • Link to issue: select this option if you want the issue to be linked to the created ticket. You must check this option if you want to sync the issue with the ticket.

      • Sync Direction: select the syncing configuration:

        • Inbound: Sync changes from the external ticket with the Cortex XSIAM issue.

        • Outbound: Sync changes from the Cortex XSIAM issue with the external ticket.

        • Bi-directional: Sync changes in both directions.

        • None: Do not sync changes between the Cortex XSIAM issue with the external ticket. If you select this option, the tickets are still linked, but changes are not synced. You can update this option at any time to start syncing.

      • Define the inbound and/or outbound sync profiles.

        Depending on the selected option, select sync profiles that define field mapping between the issue and the external ticket. You can use the default sync profiles or you can create custom profiles. For more information about sync profiles, see Create a sync profile.

        Note

        You can only define a single inbound profile. If you change the inbound sync profile the current profile is overwritten.

        You can define multiple outbound profiles; one issue can update multiple tickets.

    4. Click OK.

      If a ticket is created, the ticket number is shown in the Issue card. You can click on the ticket number to see details about the created ticket and syncing configuration. In addition, the execution is recorded in the War Room tab. If there is a error in the requested action, you can see details in the audit.

  7. Click Create.

    The rule is added to the Automation Rules page. If required, drag to reorder the rules.

Example 153. 

The following example shows an automation rule that creates a Jira ticket with bi-directional syncing when a Critical Posture issue is triggered.

issue_sync_automation_rule.png

View, update, or resolve a ticket

Once you have set up ticket syncing, you can view, update and resolve the issue and external ticket as required The changes are reflected according to the defined syncing configuration.

  1. To open the ticket details, in the Overview section of the issue card, click on the external ticket number.

    A panel opens with details of the external ticket. You can see the external ticket number, the sync configuration, and details of the ticket.

  2. Open the linked ticket by clicking on the external ticket number in the panel.

  3. Update the fields as required.

    The updates are logged in the ticket history.

    Note

    • The inbound syncing flow runs every two minutes, and the outbound syncing flow runs every five minutes.

    • In a bi-directional set-up, if the same field is updated in both tickets, the most recently updated value is used.

    • In the external ticket, the logged history shows updates to the ticket. The user name that is logged with the history reflects the user token of the user who configured the data source.

  4. Resolve the ticket.

    Note

    After an issue is resolved, ticket syncing remains active for up-to seven days. Therefore, you still update, change, or reopen the issue or external ticket and the tickets will continue to sync.

Edit or disable ticket syncing

You can change the syncing configuration between a ticket and an issue from the issue card.

  1. In the Overview section of the issue card, click on the external ticket number.

    A panel opens with details of the ticket.

  2. Click on the settings icon.

  3. Under Sync Configuration, change the syncing configuration as required.

    Note

    If you change the selected inbound sync profile, the original sync profile is immediately overwritten.

  4. To disable ticket syncing, take one of the following actions:

    • To pause ticket syncing, set the Sync Direction value to None.

      This temporarily stops the tickets from syncing, but the tickets are still linked. You can update the syncing configuration at any time to resume ticket syncing.

    • To unlink the tickets, uncheck Link to issue.

      This action is not reversable.

  5. Click Save.

Add playbook tasks to create external tickets

Prerequisite

You must set up an integration before you can sync issues. For more information, see Set up an integration for mirroring issues.

You can add a playbook task that creates external tickets and defines the syncing configuration.

  1. Open a new or existing playbook and add a new task.

  2. Select the Task Type and add a task name.

  3. Select one of the following scripts:

    • jira-create-issue-quick-action (Jira V3)

    • servicenow-create-issue-quick-action (Jira V3)

  4. Under Inputs, add fields for the ticket parameters.

    Example 154. 

    This example defines fields for a Jira ticket.

    • Summary: AWS Network ACLs allow ingress traffic on Admin ports

    • Project Key: SCRUM

    • Issue Type: Bug

    • Description: We identified that multiple AWS Network ACLS are allowing inbound (ingress) traffic on admin ports


  5. Under Sync Configuration, the following options are displayed, depending on your selection:

    • Link to issue: select this option if you want the issue to be linked to the created ticket.

    • Sync Direction: select the syncing configuration:

      • Inbound: Sync changes from the external ticket with the Cortex XSIAM issue.

      • Outbound: Sync changes from the Cortex XSIAM issue with the external ticket.

      • Bi-directional: Sync changes in both directions.

      • None: Do not sync changes between the Cortex XSIAM issue with the external ticket.

    • Define the inbound and outbound sync profiles.

      Depending on the selected option, select sync profiles that define field mapping between the issue and the external ticket. You can use the default sync profiles or you can create custom profiles. For more information about sync profiles, see Create a sync profile.

      Note

      You can only define a single inbound profile. If you change the inbound sync profile the current profile is overwritten.

      You can define multiple outbound profiles; one issue can update multiple tickets.

  6. Save the playbook.

Limitations of issue mirroring

Consider the following limitations of issue mirroring:

  • Issue syncing requires the latest version of Atlassian Jira (V3) and ServiceNow (V2).

  • Issue syncing is currently supported in Atlassian Jira (V3) and ServiceNow (V2) only.

  • You can sync up to 50K objects.

  • You can create a maximum of 200 sync profiles.

  • Cortex XSIAM supports up-to 100 Inbound syncs across all synced tickets over a two-minute time period. Any additional changes beyond this limit will not be synced.

  • If a connector instance is deleted or disabled, tickets are no longer synced and external ticket information is not available.

  • Custom statuses are not supported.

  • Currently, a specific set of fields is supported.