Create new issue in Jira for each event in a detection

Hi Community! I hope that you are doing great!

I'm trying to send an issue per event in a detection, but I'm struggling to find any solution.

So in this case, there should be 5 issues created in Jira.

Thank you very much!

Hi @Felipe_Fuller ,

Thanks for your question! During the detection rule creation workflow you have the option of setting up an alert notification as described here: Create a detection rule | Elastic Security Solution [7.12] | Elastic

Some additional Jira connector documentation can be found here:

Were you able to set up the Jira action connector? For testing you could set the frequency to be On each rule execution to make sure it gets run each time an alert is created.

Jonathan

Hi @Jonathan_Buttner !

Yes! The problem is that I want to create one issue in Jira per event detected. But actually, it is sending the information of all the events in one issue.

Is there any possible solution to send them in different issues?

Thank you in advance

Oh sorry, I misunderstood! Unfortunately, there isn't a way to do that currently. There's a similar request for the ServiceNow integration, so it is in our backlog of features to work on :grinning:

Thank you very much @Jonathan_Buttner! Should I open a new issue to suggest this implementation, or will it be considered for Jira?

Yeah no problem! I would just post on that issue I linked stating that you'd like to have the functionality for Jira as well.


@Jonathan_Buttner and @Felipe_Fuller you can check out my GitHub, which goes over creating detections for each rule triggered, to create tickets for each in Jira.

austinsonger/Elastic-Security: Elastic Automations for Elastic SIEM using Bash (github.com)

If this solves your issue, please make sure you select this answer as the solution.

@austinsonger but will this create a new issue per event detected or a new issue per rule triggered?

For every time that an event triggers a detection rule.

@austinsonger, thank you for all the help! The problem is that when I use your solution, I receive all the events in one ticket, not one ticket per event. What could be the issue?

You shouldn't want a ticket to be created for every event log, that will be extremely noisy. But if you really want that... you can change the interval for how often the rule runs. But there is no high ranking SIEM tool out there that will create a new alarm for every individual event that matches a SIEM alarm rule. I wouldn't work in this industry if that's how those tools worked.

But if you want that, then please look at the screenshot I prepared below.

And below is an example of how AlienVault works, and it is pretty much the same.
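As an added example (not code from this thread or from austinsonger's repository) of the per-event behaviour Felipe asked about: it turns a batch of alert documents into one Jira create-issue payload per event, and keeps a dedup key so a rule re-run over the same event does not file a second ticket, which is the noise concern raised above. The alert field names and the Jira REST endpoint named in the comments are assumptions to check against your own stack.

```python
import hashlib
import json

# Constructed sample alerts (not real data). Field names assume the Kibana alert
# schema used by Elastic Security; check them against your own alerts index.
SAMPLE_ALERTS = [
    {"@timestamp": "2021-05-01T10:00:01Z", "kibana.alert.rule.name": "Suspicious PowerShell",
     "host.name": "ws-01", "event.id": "evt-1001"},
    {"@timestamp": "2021-05-01T10:00:07Z", "kibana.alert.rule.name": "Suspicious PowerShell",
     "host.name": "ws-02", "event.id": "evt-1002"},
    {"@timestamp": "2021-05-01T10:00:07Z", "kibana.alert.rule.name": "Suspicious PowerShell",
     "host.name": "ws-02", "event.id": "evt-1002"},  # same event seen again on a rule re-run
]

def dedup_key(alert):
    """Stable key per (rule, event) so a rule re-run does not file the same event twice."""
    raw = "|".join(str(alert.get(f, "")) for f in
                   ("kibana.alert.rule.name", "event.id", "@timestamp", "host.name"))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def build_jira_issue(alert, project_key, issue_type="Task"):
    """Body for Jira's create-issue call (POST /rest/api/2/issue) describing ONE event."""
    summary = f"[{alert['kibana.alert.rule.name']}] {alert.get('host.name', '?')} @ {alert['@timestamp']}"
    # Jira wiki markup: the raw alert goes in a code block so analysts see every field.
    description = "Dedup key: %s\n{code:json}\n%s\n{code}" % (
        dedup_key(alert), json.dumps(alert, indent=2, sort_keys=True))
    return {"fields": {"project": {"key": project_key}, "issuetype": {"name": issue_type},
                       "summary": summary, "description": description}}

def issues_for_alerts(alerts, project_key, seen=None):
    """One Jira payload per event; events whose key is already in `seen` are skipped.

    Persist `seen` (file, small DB) between runs so repeated rule executions stay quiet."""
    seen = set() if seen is None else seen
    payloads = []
    for alert in alerts:
        key = dedup_key(alert)
        if key in seen:
            continue
        seen.add(key)
        payloads.append(build_jira_issue(alert, project_key))
    return payloads

if __name__ == "__main__":
    # In production, POST each payload to your Jira instance instead of printing it.
    for payload in issues_for_alerts(SAMPLE_ALERTS, "SEC"):
        print(payload["fields"]["summary"])
```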