How to use Jira to manage alerts.
In Cortex XSIAM the playbook runs on each alert and not on the incident. In this example, a Jira ticketing system is used to manage alerts. When an action is taken on an endpoint, some incidents may contain several alerts for the same endpoint. If each alert runs a playbook on the same endpoint, several tickets can be created for each incident. This playbook checks existing endpoints and Incident IDs and decides whether to create a new ticket or whether to add to the existing ticket, rather than having duplicate tickets.
After checking that the Jira v3 integration is enabled, in this task the playbook adds the EndpointFromAlerts key to the incident context by retrieving the alert.hostname and writing it with the setParentIncidentContext script.

In this task, the playbook checks whether there is already an open ticket for the incident by retrieving parentIncidentContext.TicketID. If there is no open ticket, a new ticket is created in Jira and the TicketID is added to the incident context.

If there is an open ticket, this task checks whether that ticket already covers the endpoint by comparing the alert.hostname (the alert endpoint) to the parentIncidentContext.EndpointFromAlerts key.

After looking up the alert.hostname in the parentIncidentContext.EndpointFromAlerts context, if there is no open ticket for the endpoint, the playbook updates the existing Jira ticket for the incident instead of creating a new one.

In this example, you can see that EndpointFromAlerts and TicketID have been added to the incident context data.
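The per-alert decision described above, written out as an added Python illustration that is not the playbook's own code: the parent incident context is modelled as a plain dict holding the TicketID and EndpointFromAlerts keys from the page, the Jira v3 integration is replaced by a constructed in-memory stand-in (FakeJira), and the ticket key format and the point at which the hostname is recorded in EndpointFromAlerts are assumptions.

```python
"""Deduplicating Jira tickets across the alerts of one XSIAM incident.

Added illustration, not the playbook's own code. parent_ctx mirrors the
parentIncidentContext keys named on the page (TicketID, EndpointFromAlerts);
FakeJira is a constructed stand-in for the Jira v3 integration, not its API.
"""
from dataclasses import dataclass, field


@dataclass
class FakeJira:
    """Constructed in-memory stand-in for the Jira v3 integration."""
    tickets: dict = field(default_factory=dict)
    next_id: int = 1

    def create_issue(self, summary, hosts):
        key = f"SEC-{self.next_id}"  # assumed ticket key format
        self.next_id += 1
        self.tickets[key] = {"summary": summary, "hosts": list(hosts), "comments": []}
        return key

    def add_comment(self, key, text):
        self.tickets[key]["comments"].append(text)


def handle_alert(parent_ctx, alert, jira):
    """Run the decision the playbook makes for one alert of an incident.

    parent_ctx is shared by every alert of the incident and is mutated here
    the way setParentIncidentContext would update it. Returns the action
    taken ("created", "updated" or "skipped") so a caller can audit it.
    """
    hostname = alert["hostname"]  # alert.hostname
    endpoints = parent_ctx.setdefault("EndpointFromAlerts", [])
    ticket_id = parent_ctx.get("TicketID")

    if not ticket_id:
        # No ticket for this incident yet: open one and record its ID.
        ticket_id = jira.create_issue(f"Incident {alert['incident_id']}", [hostname])
        parent_ctx["TicketID"] = ticket_id
        endpoints.append(hostname)
        return "created"

    if hostname in endpoints:
        # The incident ticket already covers this endpoint: no duplicate.
        return "skipped"

    # Ticket exists but not for this endpoint: extend it rather than open another.
    endpoints.append(hostname)
    jira.tickets[ticket_id]["hosts"].append(hostname)
    jira.add_comment(ticket_id, f"New alert on endpoint {hostname}")
    return "updated"
```

Running three alerts of one incident (two for the same host, one for another) through handle_alert yields a single ticket listing both hosts rather than three tickets.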