Issue
We are using Jira to track our company's tech support cases as well as our security incidents. How can we set up Red Canary to create a new ticket ("issue") in Jira whenever a threat is detected?
Environment
Red Canary (Base Web Application)
Resolution
The first step is to create a new Automate Trigger. The Trigger should be set to "When a Threat is Published." The Trigger Condition should be set to "and Threat Severity is one of: High, Medium."
The next step is to create a Playbook that uses the "Invoke Webhook or API" function. NOTE: We currently do not have a built-in method for creating Jira cases, but the Webhook or API function is a good substitute.
Click on the new Playbook to configure its settings. Click the "Add Action" button, then choose "Webhook or API," click on the "Invoke Webhook or API" link, finally click on "Add to Playbook."
The Webhook or API configuration will need to look similar to the following (after you save your settings):
JSON Payload:
{
  "fields": {
    "summary": "Red Canary Threat Detected",
    "issuetype": {
      "id": "10008"
    },
    "project": {
      "key": "AUT"
    },
    "description": {
      "type": "doc",
      "version": 1,
      "content": [
        {
          "type": "paragraph",
          "content": [
            {
              "text": "Details: EndPoint $Endpoint.hostname \n\nUsername $EndpointUser.username \n\nSensorID is $Endpoint.sensor_id \n\nDetection Details $Detection.details \n\nDetection URL $Detection.url",
              "type": "text"
            }
          ]
        }
      ]
    }
  }
}
NOTE:
Please be aware that this is an example. Some environments include $Detection variables whose values contain characters that are not valid inside a JSON string, such as an unescaped backslash ('\'). Sending such a payload results in a 400 "bad request" error.
Variables can be escaped for JSON or XML to avoid this error. Use $JSON:Variable.name to enable this functionality.
For example, instead of $Detection.ioc_process_paths you will need to use $JSON:Detection.ioc_process_paths.
Let's review each setting:
- URL: This should be the Jira "Create Issues" resource URL. According to Jira, it should be in the following format: https://your-domain.atlassian.net/rest/api/3/issue
- HTTP Headers: The "Headers" section needs to contain two specific entries:
  - "Authorization" using the Basic scheme (a base64-encoded string in the format yourEMAILaddress:yourAPItoken)
    - It will look like this: Authorization=Basic amRvZUB5b3VyZG9thfwo83NvbTphQ3hWM==
  - "Content-Type" (resource representation header). This tells the resource server what type of content is being sent to it so it can interpret it properly.
    - It will look like this: Content-Type=application/json
- Payload: Select "Custom Payload."
  - This section needs to contain the JSON required to make a proper resource request. It must contain a "fields" object with the "issuetype" and "project" objects in order to work.
  - NOTE: To find the specific "fields" codes ("issuetype" and "project") used in your Jira environment, perform a Get Createmeta API call. This looks like: GET https://yourdomain.atlassian.net/rest/api/3/issue/createmeta. It returns the specific fields and issuetype codes you will need to specify in your JSON payload.
  - NOTE: If you use one of the Red Canary variables in the "summary" field (Example: "summary": "$Detection.url",) the Playbook may fail. Please test this first. If it does fail, you will need to escape the variable for JSON by using $JSON:Variable.name.
- Permissions:
  - The Jira API documentation outlines the permissions needed to create issues, as well as other examples:
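The two escaping NOTEs above can be reproduced locally before a Playbook ever reaches Jira. The following is an added example (not Red Canary's or Atlassian's code): it renders the custom payload from this article with a constructed set of variable values, shows that pasting a raw value containing backslashes yields a body Jira would reject with 400, and that JSON-encoding the value first (the effect of $JSON:Variable.name) yields a body that parses. The variable names, sample values and the project/issuetype ids are assumptions for illustration; it also builds the Basic Authorization header value from email:token.

```python
import base64
import json

# Constructed sample values standing in for what Red Canary substitutes into the
# payload. The process path contains backslashes, the case the NOTE above warns about.
SAMPLE_VARS = {
    "Endpoint.hostname": "WS-042",
    "EndpointUser.username": "jdoe",
    "Detection.ioc_process_paths": "C:\\Windows\\Temp\\updater.exe",
    "Detection.url": "https://example.invalid/detections/1",
}

# Raw JSON text of the custom payload with the $Variable tokens still in place.
# "\\n" in this Python literal is the two-character JSON escape the page's payload uses.
PAYLOAD_TEMPLATE = (
    '{"fields": {"summary": "Red Canary Threat Detected",'
    ' "issuetype": {"id": "ISSUETYPE_ID"}, "project": {"key": "PROJECT_KEY"},'
    ' "description": {"type": "doc", "version": 1, "content": [{"type": "paragraph",'
    ' "content": [{"type": "text", "text": "Details: EndPoint $Endpoint.hostname'
    ' \\n\\nUsername $EndpointUser.username \\n\\nProcess path $Detection.ioc_process_paths'
    ' \\n\\nDetection URL $Detection.url"}]}]}}}'
)

def basic_auth_header(email: str, api_token: str) -> str:
    """Authorization header value Jira expects: 'Basic ' + base64(email:token)."""
    return "Basic " + base64.b64encode(f"{email}:{api_token}".encode()).decode("ascii")

def render_payload(issuetype_id: str, project_key: str, variables: dict, escape: bool) -> str:
    """Substitute variables into the template. escape=False pastes the raw value in,
    as a bare $Detection.* variable does; escape=True JSON-encodes the value first,
    which is the effect of writing $JSON:Variable.name instead."""
    text = PAYLOAD_TEMPLATE.replace("ISSUETYPE_ID", issuetype_id).replace("PROJECT_KEY", project_key)
    for name, value in variables.items():
        # json.dumps returns a quoted string; drop the quotes to keep only the escaped body.
        text = text.replace("$" + name, json.dumps(value)[1:-1] if escape else value)
    return text

def payload_is_valid_json(text: str) -> bool:
    """Jira answers 400 to a body that does not parse; this is the same check done locally."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def description_text(text: str) -> str:
    """Read the rendered description back out of a valid payload."""
    return json.loads(text)["fields"]["description"]["content"][0]["content"][0]["text"]
```

Run render_payload twice with escape False and True on the same variables and pass each result to payload_is_valid_json: only the escaped body parses, and description_text on it returns the original path intact.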