Detection Alerts - Creating JIRA Ticket (Automatically)

I need to be able to find a way of using the Elastic SIEM API to create tickets in JIRA every time a Detection Alert comes in.

We are trying to basically skip the "CASE" portion of the SIEM too, because it doesn't work for us and we need a way of tracking SLAs for our clients, and automatically creating tickets in JIRA is the way to go.

Hey there @austinsonger! :wave:

Not sure what version you're on, but support for the JIRA connector was added to the Detection Engine in 7.10.1 (released Dec 09), so you should be able to set this up either in the UI, or via the API in that version going forward. You should just be able to use either the create or update rule API and specify an actions object as defined in the docs. If you have any issue, I recommend opening up your browser's dev tools and follow what the app does when creating a rule with a JIRA action and you should be good to go! :slightly_smiling_face:

Hope that helps -- cheers!
Garrett

Yeah... But it only allows to do that per rule... I want the config for every alert and doing rule by rule is going to take forever.

It would be nice to be able to set a setting like that for all rules.

Feel free to outline your use case in an enhancement request and tag it with the Team:SecuritySolution label. We're in the process of improving the overall Rule Management workflow, so feedback like this would be valuable in that effort. There is this Kibana issue for modifying rules in bulk, but it sounds like you want default actions rather than assigning specific actions to a bunch of rules. Either way, commenting on that issue or creating an enhancement request is the best way to get your feedback into the product. In the meantime, wiring up a quick script to add your JIRA action to all rules via the API would be the easiest way to achieve this.
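The "quick script" suggested above, written out as an added example (not code from the thread or from Elastic): it pages through the detection rules with the `_find` endpoint, skips rules that already carry the JIRA connector so the script is safe to re-run, and PATCHes each remaining rule with the connector appended to its existing `actions` list rather than overwriting them. The Kibana URL, API key and connector id are placeholders, and the exact shape of the `.jira` action object and the `throttle` value are assumptions taken from the 7.10-era rule-actions documentation; check them against your own version before running.

```python
"""Attach one JIRA connector action to every Kibana detection rule.

Added example for this thread; assumes the detection-engine REST API of
Kibana 7.10+ and a JIRA connector that already exists in Kibana.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# --- placeholders: replace before running ---------------------------------
KIBANA_URL = "https://kibana.example.internal:5601"          # assumed
API_KEY = "REPLACE_WITH_KIBANA_API_KEY"                      # assumed
JIRA_CONNECTOR_ID = "00000000-0000-0000-0000-000000000000"   # assumed

RULES_FIND = "/api/detection_engine/rules/_find"
RULES = "/api/detection_engine/rules"


def jira_action(connector_id: str) -> Dict:
    """Build the action object Kibana expects for a .jira connector.

    Field layout is an assumption based on the rule-actions docs; the
    {{context.*}} mustache variables are filled in by Kibana at alert time.
    """
    return {
        "action_type_id": ".jira",
        "id": connector_id,
        "group": "default",
        "params": {
            "subAction": "pushToService",
            "subActionParams": {
                "incident": {
                    "summary": "SIEM alert: {{context.rule.name}}",
                    "description": "{{context.rule.description}}",
                },
                "comments": [],
            },
        },
    }


def build_patch(rule: Dict, action: Dict, throttle: str = "rule") -> Optional[Dict]:
    """Return the PATCH body for one rule, or None if the connector is already attached.

    Existing actions are preserved; 'throttle: rule' (assumed) fires the
    action once per rule execution, which is what a ticket-per-alert flow needs.
    """
    existing: List[Dict] = rule.get("actions") or []
    if any(a.get("id") == action["id"] for a in existing):
        return None
    return {"id": rule["id"], "actions": existing + [action], "throttle": throttle}


def iter_rules(get: Callable[[str], Dict], per_page: int = 100) -> Iterator[Dict]:
    """Yield every rule, following the page/perPage/total fields of _find."""
    page = 1
    while True:
        body = get(f"{RULES_FIND}?page={page}&per_page={per_page}")
        rules = body.get("data") or []
        for rule in rules:
            yield rule
        if not rules or page * body.get("perPage", per_page) >= body.get("total", 0):
            break
        page += 1


def attach_to_all(get: Callable[[str], Dict], patch: Callable[[str, Dict], Dict],
                  action: Dict, throttle: str = "rule") -> List[str]:
    """Attach `action` to every rule lacking it; return the ids that were patched."""
    patched: List[str] = []
    for rule in iter_rules(get):
        body = build_patch(rule, action, throttle)
        if body is None:
            continue  # already wired up: idempotent on re-run
        patch(RULES, body)
        patched.append(rule["id"])
    return patched


def http_json(method: str, path: str, body: Optional[Dict] = None) -> Dict:
    """Minimal Kibana client: API-key auth plus the mandatory kbn-xsrf header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(KIBANA_URL + path, data=data, method=method)
    req.add_header("kbn-xsrf", "true")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"ApiKey {API_KEY}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ids = attach_to_all(
        get=lambda p: http_json("GET", p),
        patch=lambda p, b: http_json("PATCH", p, b),
        action=jira_action(JIRA_CONNECTOR_ID),
    )
    print(f"attached JIRA action to {len(ids)} rule(s)")
```

Because `get` and `patch` are injected, the same functions can be driven by a dry-run client that only logs the PATCH bodies, which is worth doing once on a large rule set before letting the script write to production.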
