MSSP SOC - How to ByPass "Cases"

austinsonger · November 14, 2020, 12:01am

I'm a SOC Engineer at a MSSP SOC and we currently use AlienVault for the majority of our clients, but we started to play around with Elastic SIEM and we just started to work with a potential new client and we have deployed Elastic SIEM into their environment.

We currently have AlienVault setup so every alarm, we have AlienVault API automatically creates a ticket in JIRA Service Desk as a issue.

We want to to evenually use Elastic SIEM for other clients when our contracts end with our other clients, but we don't like the "CASE" section and want to bypass it and send all "Detection alerts" straight to JIRA Service Desk as issues...

Is there a way to use Elastic SIEM API to accomplish this?

borna_talebi · November 14, 2020, 4:31am

Hi Austin,

I think you could use JIRA action to accomplish that.

austinsonger · November 16, 2020, 10:40pm

Okay, but I'm really new to the action portion so what would the steps be?

Pedro_Jaramillo · November 18, 2020, 2:05pm

Hi @austinsonger, thanks for trying out Elastic Security! Inside the security app we don't currently provide a built-in JIRA alert notification feature for Detection Rules (though it might be possible to accomplish this via a webhook notification depending on the JIRA API capabilities). These are our supported alert notification features. Our app is under active development, however, and are exploring adding built-in JIRA notification support in future releases.

but we don't like the "CASE" section and want to bypass it

Any suggestions you may have for how we could improve our "Cases" feature would be greatly appreciated.