Issue
We are using Zendesk to track our company's tech support cases as well as our security incidents. How can we set up Red Canary to create a new ticket in Zendesk whenever a threat is detected?
Environment
Red Canary (Base Web Application)
Resolution
The first step is to create a new Automate Trigger. To trigger on Threats, the Trigger should be set to "When a Threat is Published." The Trigger Condition should be set to "and Threat Severity is one of: High, Medium."
The next step is to create a Playbook that uses the "Invoke Webhook or API" function. NOTE: We currently do not have a built-in method for creating Zendesk cases, but the Webhook or API function is a good substitute.
1. Click on the new Playbook to configure its settings.
2. Click the "Add Action" button, then choose "Webhook or API".
3. Click on the "Invoke Webhook or API" link, then click on "Add to Playbook".
The Webhook or API configuration will need to look similar to the following:
Custom JSON Payload:
{
  "ticket": {
    "comment": {
      "body": " $Detection.id $Detection.url $Detection.details"
    },
    "priority": "urgent",
    "subject": "New Detection in Red Canary"
  }
}
NOTE:
Please be aware that this is only an example. In some environments, $Detection variables expand to text that contains characters which are invalid inside a JSON string unless escaped, such as a backslash ('\'). When that happens, the request fails with a 400 "Bad Request" error.
Let's review each setting:
- URL: This should be the Zendesk "Create Tickets" resource URL. According to Zendesk, it should be in the following format:
https://subdomain.zendesk.com/api/v2/tickets
- HTTP Headers: The "Headers" section needs to contain two specific entries:
  - "Authorization" (a base64 encoded string in the format: yourEMAILaddress:yourAPItoken). It will look like this:
    Authorization=Basic amRvZUB5b3VyZG9thfwo83NvbTphQ3hWM==
  - How to encode your authentication header:
  - "Content-Type" (resource representation header). This tells the resource server what type of content is being sent to it so it can interpret it properly. It will look like this:
    Content-Type=application/json
- Payload: This section needs to contain the JSON required to make a proper resource request. It should contain a "fields" object with the "ticket" and "body" objects in order to work.
- Permissions:
- To create tickets via the Zendesk API, the user needs to be an "Agent". This can include custom roles or Light Agents.
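The following is an added example, not part of this article or of Red Canary's product code, showing why the NOTE above matters: substituting a $Detection value containing a backslash straight into a JSON template produces invalid JSON (the 400 "Bad Request" case), whereas letting a JSON encoder build the ticket escapes the value correctly. It also builds the Basic Authorization header value from a credential string in the format this article gives; the detection id, URL and details are constructed placeholders.

```python
import base64
import json

# Constructed sample of the variables the Playbook substitutes into the payload.
# The details text contains a Windows path, i.e. backslashes, which is the case
# the NOTE describes. All values are placeholders, not real detection data.
SAMPLE_DETECTION = {
    "id": "12345",
    "url": "https://example.invalid/detections/12345",
    "details": r"suspicious.exe spawned from C:\Users\jdoe\AppData\Local\Temp",
}

# The article's payload as a text template (whitespace collapsed).
NAIVE_TEMPLATE = ('{"ticket": {"comment": {"body": "$Detection.id $Detection.url '
                  '$Detection.details"}, "priority": "urgent", '
                  '"subject": "New Detection in Red Canary"}}')


def naive_payload(detection):
    """Plain text substitution into the template: no escaping of the values."""
    return (NAIVE_TEMPLATE
            .replace("$Detection.id", detection["id"])
            .replace("$Detection.url", detection["url"])
            .replace("$Detection.details", detection["details"]))


def escaped_payload(detection):
    """Same ticket, but the JSON encoder escapes every value (backslash -> \\\\)."""
    body = " ".join([detection["id"], detection["url"], detection["details"]])
    return json.dumps({"ticket": {"comment": {"body": body},
                                  "priority": "urgent",
                                  "subject": "New Detection in Red Canary"}})


def is_valid_json(text):
    """True if Zendesk could parse the payload; False is the 400 Bad Request case."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def ticket_body(payload):
    """Extract the comment body the way the receiving API would see it."""
    return json.loads(payload)["ticket"]["comment"]["body"]


def basic_auth_header(credential):
    """Authorization header value for a credential string such as
    yourEMAILaddress:yourAPItoken (the format this article gives)."""
    return "Basic " + base64.b64encode(credential.encode()).decode()
```

The backslashes in the constructed details string make naive_payload() return text that json.loads() rejects, while escaped_payload() round-trips the same details intact.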