MSSP SOC - How to ByPass "Cases"

austinsonger · November 14, 2020, 12:01am

I'm a SOC Engineer at a MSSP SOC and we currently use AlienVault for the majority of our clients, but we started to play around with Elastic SIEM and we just started to work with a potential new client and we have deployed Elastic SIEM into their environment.

We currently have AlienVault setup so every alarm, we have AlienVault API automatically creates a ticket in JIRA Service Desk as a issue.

We want to to evenually use Elastic SIEM for other clients when our contracts end with our other clients, but we don't like the "CASE" section and want to bypass it and send all "Detection alerts" straight to JIRA Service Desk as issues...

Is there a way to use Elastic SIEM API to accomplish this?

borna_talebi · November 14, 2020, 4:31am

Hi Austin,

I think you could use JIRA action to accomplish that.

austinsonger · November 16, 2020, 10:40pm

Okay, but I'm really new to the action portion so what would the steps be?

Pedro_Jaramillo · November 18, 2020, 2:05pm

Hi @austinsonger, thanks for trying out Elastic Security! Inside the security app we don't currently provide a built-in JIRA alert notification feature for Detection Rules (though it might be possible to accomplish this via a webhook notification depending on the JIRA API capabilities). These are our supported alert notification features. Our app is under active development, however, and are exploring adding built-in JIRA notification support in future releases.

but we don't like the "CASE" section and want to bypass it

Any suggestions you may have for how we could improve our "Cases" feature would be greatly appreciated.

austinsonger · December 17, 2020, 12:02am

Well I need to be able to track SLA in relation to working Detection Alerts for the client and that is why I want to automatically be able to send detections to JIRA so once a JIRA ticket is created then the clock automatically begins to run.

1. High = Contact Client Under 1 Hours
1. Medium = Contact Client Under 2 Hours
1. Low = Contact Client Under 4 Hours

Cases would work for us if:

Option to automatically created a new case for every "detection" alert that comes in
If their was a SLA module for tracking time working on a case

Other Suggestion:

Elastic needs their own Threat Intelligence feed.
Create Integrations with other Other Intell Feeds (AlienVault OTX, Fireeye, Anomali, Cisco: Talos Intelligence, and others)

christos.nasikas · December 17, 2020, 10:01am

Hi @austinsonger!

Thank you for your feedback. It is very valuable to us and it is always taken into consideration. This PR enabled the Jira, ServiceNow, and IBM Resilient actions for detections. This means that you can create an issue when an alert is being fired.

About cases, we are working in this direction to provide a unified workflow between cases and detections. Specifically, this PR will allow you to manually attach an alert to a case and sync cases statuses with alerts statuses. We are working on the automatic version to be available in the future.

Thank you for your feedback again!

Best,
Christos