Use case: Use context data in a Jira ticketing system

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-06-18
Category: Administrator Guide
Abstract: Follow a use case that uses a playbook to manage alerts in a Jira ticketing system.

In this use case, a Jira ticketing system is used to manage alerts and reduce duplicate tickets.

Issue: When an action is taken on an endpoint, some incidents contain multiple alerts for the same endpoint. If each alert runs a playbook on the same endpoint, duplicate tickets are created for each incident.

Solution: This playbook checks existing endpoints and incident IDs and decides whether to create a new ticket or to add the data to an existing ticket, which reduces duplicate tickets in the incident.

playbook-jira.png

The playbook flow is described in the following steps:

  1. After checking that the Jira v3 integration is enabled, in this task the playbook adds the EndpointFromAlerts key to the incident context by retrieving the alert.hostname and using the setParentIncidentContext script.

    jira-task-1.png
  2. In this task, the playbook checks if there is an open ticket for the incident by retrieving the parentIncidentContext.TicketID.

    jira-task-2.png
  3. If there is no open ticket, a new ticket is created in Jira and the TicketID is added to the Incident context.

    jira-task-ticket.png
  4. If there is an open ticket, this task checks whether there is an open ticket for the endpoint by comparing the alert.hostname (alert endpoint) to the parentIncidentContext.EndpointFromAlerts key.

    jira-task-3.png
  5. After retrieving the alert.hostname in the parentIncidentContext.EndpointFromAlerts context, if there is no open ticket for the endpoint, the playbook updates the Jira ticket for the incident.

    In this example, you can see that the EndpointFromAlerts and TicketID keys have been added to the incident context data.

    jira-results.png
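
The decision flow in steps 1 to 5, modeled as an added Python example that is not part of the Cortex XSIAM playbook or product code. FakeJira, handle_alert, and run_incident are hypothetical names, the incident context is a plain dict, and the sample alerts are constructed. It assumes that EndpointFromAlerts holds a list of hostnames, that hostnames are compared case-insensitively, and that an alert for an already recorded endpoint results in no ticket action.

```python
class FakeJira:
    """In-memory stand-in for the ticketing system (constructed for this example)."""

    def __init__(self):
        self.tickets = {}      # ticket id -> list of notes
        self._next = 1

    def create(self, summary):
        ticket_id = f"SEC-{self._next}"   # constructed ticket key format
        self._next += 1
        self.tickets[ticket_id] = [summary]
        return ticket_id

    def update(self, ticket_id, note):
        self.tickets[ticket_id].append(note)


def handle_alert(alert, incident_ctx, jira):
    """Return 'created', 'updated' or 'skipped' for one alert of an incident."""
    # Assumption: normalize so that 'WS-01' and 'ws-01 ' count as one endpoint.
    host = alert["hostname"].strip().lower()
    known = incident_ctx.setdefault("EndpointFromAlerts", [])
    seen_before = host in known           # steps 4-5: endpoint comparison
    if not seen_before:
        known.append(host)                # step 1: record the endpoint
    ticket_id = incident_ctx.get("TicketID")  # step 2: open ticket for incident?
    if not ticket_id:                     # step 3: create and store TicketID
        summary = f"Incident {incident_ctx['id']}: {host}"
        incident_ctx["TicketID"] = jira.create(summary)
        return "created"
    if not seen_before:                   # step 5: new endpoint, same ticket
        jira.update(ticket_id, f"Additional endpoint: {host}")
        return "updated"
    return "skipped"                      # duplicate alert for a known endpoint


def run_incident(incident_id, alerts):
    """Process all alerts of one incident and return actions, context, tickets."""
    jira = FakeJira()
    ctx = {"id": incident_id}
    actions = [handle_alert(a, ctx, jira) for a in alerts]
    return actions, ctx, jira.tickets


# Constructed sample: four alerts in one incident, touching two endpoints.
SAMPLE_ALERTS = [{"hostname": "ws-01"}, {"hostname": "WS-01"},
                 {"hostname": "ws-02"}, {"hostname": "ws-02 "}]

if __name__ == "__main__":
    print(run_incident("42", SAMPLE_ALERTS))
```

Four alerts produce one ticket with one follow-up note, instead of four tickets.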