Use Context Data in a Jira Ticketing System

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-07-17
Category: Administrator Guide

Abstract: How to use Jira to manage alerts.

In Cortex XSIAM the playbook runs on each alert, not on the incident. In this example, a Jira ticketing system is used to manage alerts. An incident can contain several alerts for the same endpoint, so if each alert runs a playbook that takes an action on that endpoint, one incident can end up with several tickets. This playbook checks the endpoints and incident IDs already recorded in the incident context and decides whether to create a new ticket or add to the existing one, instead of creating duplicate tickets.

[Figure: playbook-jira.png]
  1. After checking that the Jira v3 integration is enabled, this task adds the EndpointFromAlerts key to the incident context: it retrieves alert.hostname and writes it to the parent incident using the setParentIncidentContext script.

    [Figure: jira-task-1.png]
  2. This task checks whether there is already an open ticket for the incident by retrieving parentIncidentContext.TicketID.

    [Figure: jira-task-2.png]
  3. If there is no open ticket, a new ticket is created in Jira and its TicketID is added to the incident context.

    [Figure: jira-task-ticket.png]
  4. If there is an open ticket, this task checks whether that ticket already covers the endpoint by comparing alert.hostname (the alert's endpoint) to the parentIncidentContext.EndpointFromAlerts key.

    [Figure: jira-task-3.png]
  5. If alert.hostname is not found in parentIncidentContext.EndpointFromAlerts, meaning no open ticket covers this endpoint yet, the playbook updates the incident's existing Jira ticket.

    In this example, you can see that EndpointFromAlerts and TicketID have been added to the incident context data.

    [Figure: jira-results.png]
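The create-or-update decision described in the steps above, modelled in plain Python as an added illustration (this is not Cortex XSIAM or playbook code). The parent incident context is an in-memory dict, and the hypothetical `create_ticket`/`update_ticket` callables stand in for the Jira v3 integration; the "skip" branch for an endpoint that is already recorded is assumed from the stated goal of avoiding duplicate tickets.

```python
# Added model of the playbook logic; not Cortex XSIAM code. The real playbook
# uses the setParentIncidentContext script and the Jira v3 integration, which
# are replaced here by a dict and two stub callables.

CONTEXT_KEY_TICKET = "TicketID"
CONTEXT_KEY_ENDPOINTS = "EndpointFromAlerts"


def handle_alert(parent_ctx: dict, alert: dict, create_ticket, update_ticket) -> str:
    """Process one alert against its parent incident's context.

    Returns "create", "update" or "skip" to show which playbook branch ran.
    create_ticket/update_ticket are hypothetical stand-ins for Jira commands.
    """
    hostname = alert["hostname"]
    known_endpoints = parent_ctx.setdefault(CONTEXT_KEY_ENDPOINTS, [])
    ticket_id = parent_ctx.get(CONTEXT_KEY_TICKET)

    if ticket_id is None:
        # Step 3: no open ticket for this incident, so create one and store its ID.
        parent_ctx[CONTEXT_KEY_TICKET] = create_ticket(alert)
        known_endpoints.append(hostname)
        return "create"

    if hostname in known_endpoints:
        # Step 4: the incident's ticket already covers this endpoint; no new
        # ticket and no update, which is what prevents duplicates (assumed).
        return "skip"

    # Step 5: open ticket exists but this endpoint is new, so enrich that ticket.
    update_ticket(ticket_id, alert)
    known_endpoints.append(hostname)
    return "update"


# Constructed sample: one incident whose alerts fire on two endpoints.
SAMPLE_ALERTS = [
    {"id": "a1", "hostname": "WS-001"},
    {"id": "a2", "hostname": "WS-001"},
    {"id": "a3", "hostname": "WS-002"},
]


def run_sample() -> tuple:
    """Run the constructed alerts through one shared parent-incident context."""
    ctx = {}
    tickets = {}  # stub Jira store: ticket key -> alert ids attached to it

    def create_ticket(alert):
        key = f"SEC-{len(tickets) + 1}"  # placeholder Jira issue key
        tickets[key] = [alert["id"]]
        return key

    def update_ticket(key, alert):
        tickets[key].append(alert["id"])

    actions = [handle_alert(ctx, a, create_ticket, update_ticket) for a in SAMPLE_ALERTS]
    return actions, ctx, tickets
```

Running `run_sample()` shows the three alerts producing one ticket: the first creates it, the second (same endpoint) is skipped, and the third (new endpoint) updates it.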