IBM Security QRadar SOAR


JIRA Integration

  • 1.  JIRA Integration

    Posted Fri May 19, 2023 09:42 AM

    Hello Community! I am more or less new to IBM SOAR and have successfully integrated it with our JIRA. However, when I have an Incident in SOAR that generates a ticket in JIRA, every time I create a comment in the JIRA Ticket through JIRA and it synchronizes with SOAR, instead of updating the SOAR Case, it creates a new case (in the respond phase, even though the original case was still in the initial phase). The other way works fine: when I create a note in SOAR, it also creates a note in JIRA.
    Do you know what can be wrong here?

    Thank you!



    ------------------------------
    BrunoMarX
    ------------------------------


  • 2.  RE: JIRA Integration

    Posted Tue May 23, 2023 03:10 PM

    Is it just with notes? If you change the status of the ticket on Jira does it change on SOAR?



    ------------------------------
    Richard Swierk
    ------------------------------



  • 3.  RE: JIRA Integration

    Posted Wed May 24, 2023 09:12 AM
    Edited by BrunoMarX Wed May 24, 2023 09:17 AM

    I changed the status of the ticket in JIRA from open to completed and it opened a new case in SOAR. Therefore, all my actions in JIRA result in a new case in SOAR. :(



    ------------------------------
    BrunoMarX
    ------------------------------



  • 4.  RE: JIRA Integration

    Posted Wed May 24, 2023 10:23 AM

    What do you have set for your poller_filters in the app.config?



    ------------------------------
    Richard Swierk
    ------------------------------



  • 5.  RE: JIRA Integration

    Posted Thu May 25, 2023 05:29 AM

    Hi Richard! Thank you for your reply.

    [fn_jira:global_settings]
    timeout = 30
    polling_interval = 10
    polling_lookback = 60
    max_issues_returned = 50

    poller_filters = priority in (high, medium, low) and status in ('to do', 'in progress', 'open', 'resolved', 'closed', 'done') 
    max_issues_returned = 50



    ------------------------------
    BrunoMarX
    ------------------------------



  • 6.  RE: JIRA Integration

    Posted Thu May 25, 2023 08:32 AM

    The only way I have been able to get a new SOAR incident created from the same Jira ticket is if I move the Jira ticket to a done state and then move it back to an open state. The original SOAR incident gets closed and a new SOAR incident is created.
    Does this sound like what is occurring for you?



    ------------------------------
    Richard Swierk
    ------------------------------



  • 7.  RE: JIRA Integration

    Posted Thu May 25, 2023 04:45 PM

    Thank you for your reply!

    Actually I expect this:
    A)
    - I create a case in SOAR
    - A ticket is created in JIRA
    - I Add a note in SOAR
    - the note is included in JIRA
    - I add a note in JIRA
    - The note is added in SOAR as well
    - Wherever I close the case/ticket, the Ticket/case is also closed

    B)
    - I create a ticket in JIRA
    - A Case is created in SOAR
    - The rest should be the same as in A)

    Answering your question: yes, this happens to me as well. I would be happy if the notes/comments would synchronize without opening another case in JIRA.
    Is it clear enough what is happening to me and what I want to achieve?



    ------------------------------
    BrunoMarX
    ------------------------------



  • 8.  RE: JIRA Integration

    Posted Fri May 26, 2023 07:54 AM

    Yes, I understand what is happening now. I am unsure why it is happening and I have not been able to reproduce this issue.
    Could you configure DEBUG mode for logging, then reproduce the issue and show me the logs?

    To configure DEBUG mode for logs, go to the app.config for the Jira integration on SOAR. Then under [resilient], add loglevel=DEBUG. Save and it will redeploy the app.



    ------------------------------
    Richard Swierk
    ------------------------------



  • 9.  RE: JIRA Integration

    Posted Sun May 28, 2023 05:47 AM
    Edited by BrunoMarX Sun May 28, 2023 05:47 AM

    Hi Richard,

    thank you!

    Yes!

    I did the following. Created a Case in SOAR, which got the number 2139 and created a JIRA Ticket with ID ABCD-25.
    I then created a comment in JIRA within ABCD-25 and it created a new case in SOAR. Case 2140.

    Logs attached



    ------------------------------
    BrunoMarX
    ------------------------------

    Attachment: LOGS.txt (77 KB)


  • 10.  RE: JIRA Integration

    Posted Sun May 28, 2023 08:23 AM

    I just uploaded a new version of the logs.

    IBM SOAR Case 2143. I manually created a JIRA Ticket through SOAR and ABCD-27 was created. Then, without me doing anything, Case 2144 was created in a different phase: Respond instead of Engage. It does not have to do directly with the comment.



    ------------------------------
    BrunoMarX
    ------------------------------

    Attachment: LOGS2.txt (56 KB)


  • 11.  RE: JIRA Integration

    Posted Tue May 30, 2023 07:22 AM

    Based on the logs, SOAR incident 2144 is not being created by the Jira integration. Do you have any other integrations installed on your SOAR instance?



    ------------------------------
    Richard Swierk
    ------------------------------



  • 12.  RE: JIRA Integration

    Posted Thu June 01, 2023 05:18 AM

    @Richard Swierk ,

    I create the case 2143 manually and use the JIRA integration to create the Ticket ABCD-27. After that, the poller thread of the JIRA Integration creates the case 2144 and updates it.

    2023-05-28 12:09:45,149 DEBUG [poller] [Thread-29] Updating SOAR incident: 2144 with Jira issue: ABCD-27

    in the code under https://github.com/ibmresilient/resilient-community-apps/blob/main/fn_jira/fn_jira/poller/poller.py  I find this:

    jira = update[0]
    soar = update[1]
    LOG.debug(f"Updating SOAR incident: {soar.get('id')} with Jira issue: {jira.get('key')}")

    somehow the soar.get('id') returns "case number +1". 

    No there is no other integration for JIRA. only this one.

    Thank you!



    ------------------------------
    BrunoMarX
    ------------------------------



  • 13.  RE: JIRA Integration

    Posted Thu June 01, 2023 06:50 AM

    I actually came across a similar issue the other day. When you use the SOAR manual rule to create a Jira ticket make sure you enter the label you gave to the Jira server in your app.config. If you do not give a Jira label then it will create a new incident on SOAR.



    ------------------------------
    Richard Swierk
    ------------------------------



  • 14.  RE: JIRA Integration

    Posted Thu June 01, 2023 10:01 AM

    Hi Richard,

    thank you! Well I didn't have any jira label within my app.config. I noticed a behavior..

    I created a Case 2166 manually with name "My SOAR Case 10" and the case starts at the engage phase. I then use a Rule that can be manually run if the case does not have any JIRA Incident associated with it. This rule executes a workflow. The workflow has a Post-processing Script:

    incident.properties.jira_url = "<a href='{}' target='blank'>{}</a>".format(results_content.get("issue_url"), results_content.get("issue_key"))
    incident.properties.jira_internal_url = results_content.get("issue_url_internal")
    incident.properties.jira_issue_id = results_content.get("issue_key")
    incident.properties.jira_server = rule.properties.jira_label

    As a result, there is JIRA Ticket ABCD-37.

    My case 2166 is updated and inside "JIRA Incident" Tab, I see the information regarding the JIRA incident.

    For example URL and JIRA Issue ID ABCD-37.

    So far so good.

    A few seconds later, a new case is created with name 'IBM Resilient SOAR: My SOAR Case 10' and number 2167 at the respond phase. Inside the JIRA Incident Tab, I see the same URL and Issue ID ABCD-37.

    I don't know exactly why Case 2167 is created, and then every time I add a comment to ABCD-37, it is updated within case 2167 and not in Case 2166. :(



    ------------------------------
    BrunoMarX
    ------------------------------



  • 15.  RE: JIRA Integration

    Posted Thu June 01, 2023 10:15 AM

    This is because you need to add a label to your jira server when using the poller. The poller is searching for the SOAR cases that have a jira server label attached to them, so when it does not see a Jira server label attached to the SOAR incident it is creating a new SOAR incident.

    Label your Jira server in your app.config and then when calling the SOAR action to create a Jira ticket input the Jira label.



    ------------------------------
    Richard Swierk
    ------------------------------



  • 16.  RE: JIRA Integration

    Posted Thu June 01, 2023 12:03 PM

    Hi Richard!
    Thank you again for the reply.

    This is my app.config. Do you mean this? [fn_jira:soc]

    # V2.2.0+ have the option to have multiple servers configured.
    # By default two examples of servers are given, example one is labeled `jira_label1` and example two is labeled `jira_label2`.
    # The label for a server is placed after `[fn_jira:` and then followed by `]`.
    # To add additional servers copy the below example server configuration from `[fn_jira:jira_label1]` to `#https_proxy=`.
    # Then paste it at the bottom of the app.config.
    # Change the server label, `jira_label1`, to a label helpful to define that server.
    # Then change the setting to those of the server you wish to add.

    [fn_jira:soc]
    url = https://example-xsoar.atlassian.net
    auth_method = BASIC
    user = bruno.marx@example.com
    password = SECRET!

    # For TOKEN authentication
    #auth_token=
    # For OAUTH connections, the four parameters below are required and user/password are ignored
    #access_token = <oauth access token>
    #access_token_secret = <oauth access token secret>
    #consumer_key_name = <oauth consumer key - from Jira incoming link settings>
    #private_rsa_key_file_path = <private RSA key matched with public key on Jira>
    timeout = 10
    # data Table name to hold data for tasks synced to Jira
    jira_dt_name = jira_task_references
    # use verify_cert to disable untrusted certificate verification
    verify_cert = True
    #poller_filters = priority in (high, medium, low) and status in ('to do', 'in progress', 'open') and project in ('ABCD')
    poller_filters = priority in (high, medium, low) and status in ('to do', 'in progress', 'open', 'resolved', 'closed', 'done') 
    max_issues_returned = 50

    #http_proxy=
    #https_proxy=
    [resilient]
    api_key_id = ID3uou4324oo
    api_key_secret = $API_KEY_SECRET
    cafile = false
    loglevel = DEBUG
    host = 10.12.131.183
    port = 443
    org = Example GmbH

    [fn_jira:global_settings]
    timeout = 30
    polling_interval = 10
    polling_lookback = 60
    max_issues_returned = 50



    ------------------------------
    BrunoMarX
    ------------------------------



  • 17.  RE: JIRA Integration

    Posted Thu June 01, 2023 12:12 PM

    Yes, so when you run the SOAR action to create a Jira ticket, make sure you enter "soc" into the Jira label field.



    ------------------------------
    Richard Swierk
    ------------------------------



  • 18.  RE: JIRA Integration

    Posted Thu June 01, 2023 12:16 PM

    Yes! I've done that. :/ Same result.



    ------------------------------
    BrunoMarX
    ------------------------------



  • 19.  RE: JIRA Integration

    Posted Thu June 01, 2023 01:48 PM

    I haven't changed any Case Templates. Maybe this is the reason? I set up another system with SOAR and come to the same result.

    Poller Templates for SOAR Cases

    It may be necessary to modify the templates used to create, update, or close SOAR cases based on your required custom fields in SOAR.

    This is especially relevant if you have required custom close fields that need to be filled when closing a case in SOAR. If that is the case, be sure to implement a custom close_case_template and reference those required close fields in the template.

    When overriding the template in App Host, specify the file path for each file as /var/rescircuits.

    Below are the default templates used which can be copied, modified, and used with app_config's soar_create_case_template, soar_update_case_template, and soar_close_case_template settings to override the default templates.



    ------------------------------
    BrunoMarX
    ------------------------------



  • 20.  RE: JIRA Integration

    Posted Thu June 01, 2023 02:30 PM

    What timezone is your SOAR instance using and what timezone is your Jira instance using?

    If they are running in different timezones, the issue would be that it does not see the first incident because of the time difference.



    ------------------------------
    Richard Swierk
    ------------------------------



  • 21.  RE: JIRA Integration

    Posted Thu June 01, 2023 03:00 PM

    Hi Richard,

    hm...I am running within Europe/Berlin. Just checked the timezone:

    [root@apphost ~]# date
    Thu Jun  1 18:53:19 UTC 2023
    [root@apphost ~]# sudo timedatectl set-timezone
    Too few arguments.
    [root@apphost ~]# sudo timedatectl set-timezone Europe/Berlin
    [root@apphost ~]# date
    Thu Jun  1 20:53:32 CEST 2023

    Now both Resilient and App Host are within Berlin.

    I then did the same test and created a case 2181 in SOAR, and JIRA created another Case in SOAR, 2182. Even though the Date Created values now match, Date Discovered and Date Determined are two hours in the future.



    ------------------------------
    BrunoMarX
    ------------------------------



  • 22.  RE: JIRA Integration

    Posted Thu June 01, 2023 03:05 PM
    Edited by BrunoMarX Thu June 01, 2023 03:21 PM

    Within the JIRA Container, the time is also different: 2 hours in the past.

    (<ServerHeartbeat[*] ()>, None )>
    2023-06-01 19:04:33,214 INFO [poller_common] [Thread-29] fn_jira polling start.
    2023-06-01 19:04:33,217 DEBUG [connectionpool] [Thread-29] Starting new HTTPS connection (1): xsoar.atlassian.net:443
    202

    ------------------------------
    Richard Swierk
    ------------------------------



  • 23.  RE: JIRA Integration

    Posted Fri June 02, 2023 07:17 AM

    Can you log on to your Jira server, click on the gear icon in the upper right corner, and then select System. Scroll down and you should see a setting named "default user time zone"; what does that say?



    ------------------------------
    Richard Swierk
    ------------------------------



  • 24.  RE: JIRA Integration

    Posted Fri June 02, 2023 07:40 AM

    Hi Richard,

    Yes. The time says Europe/Berlin --> my current time zone UTC+2. I changed the timezone for both SOAR and APP Host. They are now in the same timezone. 

    Test 1: I performed the same test as above, and get the same result.

    I see that within the JIRA App, the logs are being written with a different time, namely UTC only. I could not change it.

    Taking a look at the documentation for the app, I see a parameter timezone_offset.

    This parameter was not set before, so I changed it, but nothing changed regarding the timestamp of the logs within the containers. I changed it to +2.00.

    Test 2: I performed the same test as above, and get the same result.

    I then changed the timezone of my JIRA Server to UTC.

    Test 3: I performed the same test as above, and got a different result: the JIRA Ticket is created but this time no extra SOAR Case is created. However, the poller does not seem to be working, since JIRA comments are not being synced to SOAR Cases.

    I then changed the time of the JIRA Server back to UTC+2 and the SOAR case from Test 3 was created the same way as in Tests 1 and 2.

    To sum up, I still have the same issue. :(

    Thank you for your help!



    ------------------------------
    BrunoMarX
    ------------------------------



  • 25.  RE: JIRA Integration

    Posted Fri June 02, 2023 09:01 AM

    in your app.config under [fn_jira:soc] add the setting, 

    timezone_offset = +2:00


    ------------------------------
    Richard Swierk
    ------------------------------



  • 26.  RE: JIRA Integration

    Posted Fri June 02, 2023 09:15 AM

    Hi Richard,

    Thank you! I did this already between Test 1 and Test 2 in the previous post. Same result :(



    ------------------------------
    BrunoMarX
    ------------------------------



  • 27.  RE: JIRA Integration

    Posted Fri June 02, 2023 10:04 AM

    Could you please set it to where it was not creating a second SOAR case. Make sure logs are in DEBUG mode then create a SOAR incident, send it to Jira, then add comments on the Jira ticket. Send me those logs please. 



    ------------------------------
    Richard Swierk
    ------------------------------



  • 28.  RE: JIRA Integration

    Posted Fri June 02, 2023 11:13 AM

    Hi Richard,

    Yes. Case 2227 results in JIRA Ticket ABCD-68. No "ghost" case was created for ABCD-68.

    Here is a screenshot.

    The "ghost" cases that are created are owned by the default group and are in the "respond" phase. The original cases are owned by me and in the engage phase.



    ------------------------------
    BrunoMarX
    ------------------------------

    Attachment: LOGS3.txt (55 KB)


  • 29.  RE: JIRA Integration

    Posted Fri June 02, 2023 11:36 AM

    And then I waited 30 minutes and changed the time at the JIRA Server. The "ghost" case was created, including the comments that I had made inside ABCD-68 30 minutes ago.

    Logs attached



    ------------------------------
    BrunoMarX
    ------------------------------

    Attachment: LOGS4.txt (105 KB)


  • 30.  RE: JIRA Integration

    Posted Sat June 03, 2023 07:49 AM

    This time I changed the workflow. I created a Ticket first at JIRA and then a case was automatically created in SOAR. Everything worked as expected, including that comments were synced. Works as designed.

    The automatically created case was already in the respond phase and had only one task, similar to the "ghost" case.

    Just noticed that all cases without incident type are created this way:



    ------------------------------
    BrunoMarX
    ------------------------------



  • 31.  RE: JIRA Integration

    Posted Mon June 05, 2023 07:32 AM

    I will test with the incident type as this could be a bug.



    ------------------------------
    Richard Swierk
    ------------------------------



  • 32.  RE: JIRA Integration

    Posted Mon June 05, 2023 09:17 AM
    Edited by BrunoMarX Mon June 05, 2023 09:19 AM

    Hi Richard! Thank you!

    If I create a case in SOAR and just give it a name without choosing anything such as incident type, it creates a case already in the respond phase, similar to the "ghost" that the Jira app creates. Inside the JIRA App I created case templates to test if something might change, but it doesn't seem to use my case templates for creating this "ghost" case. It just ignores my case template. The original JIRA App case template in the documentation uses fields[summary] as name and I changed it to a different parameter, but it still uses fields[summary] as name.

    To sum up: I create a case in SOAR and manually trigger a rule for JIRA to create a ticket in JIRA. Then the JIRA poller notes a new ticket in JIRA and automatically creates this "ghost" case in SOAR as if there were no cases linked to this JIRA ticket, which is not true, because when I manually trigger the rule with the JIRA integration it updates the JIRA Incident Tab.



    ------------------------------
    BrunoMarX
    ------------------------------



  • 33.  RE: JIRA Integration

    Posted Mon June 05, 2023 09:27 AM

    For cases created by the JIRA app, the link is there. The point is. How can I make it link my manually created case with the ticket created by the JIRA App.



    ------------------------------
    BrunoMarX
    ------------------------------



  • 34.  RE: JIRA Integration

    Posted Mon June 05, 2023 10:17 AM

    Problem solved. 

    I changed my post process script and included

     incident.properties.jira_linked_to_incident = True

    Now the "ghost" case is not created anymore. However, I still would like to be able to create cases using the jinja template as mentioned above.

    Thank you for your help, Richard!



    ------------------------------
    BrunoMarX
    ------------------------------
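    The following is an added example, not code from the thread or from the fn_jira app itself. It models the poller behaviour the thread describes (a Jira issue that is not matched to an already-linked SOAR case gets a new "ghost" case in the Respond phase) and runs the thread's post-processing script, with and without the jira_linked_to_incident fix from the last post, against stand-in objects. The matching rule (issue id, server label and the linked flag), the make_case / poll_once helpers and the sample values are assumptions for illustration; the real query lives in fn_jira/poller/poller.py.

```python
from types import SimpleNamespace

JIRA_LABEL = "soc"  # server label from "[fn_jira:soc]" in the thread's app.config


def make_case(case_id, name, phase="Engage"):
    """Stand-in for a SOAR incident object (constructed; not the SOAR API)."""
    return SimpleNamespace(id=case_id, name=name, phase=phase, properties=SimpleNamespace())


def run_post_process(incident, results_content, rule, link_to_incident=True):
    """The thread's post-processing script; link_to_incident toggles the fix from
    the last post. In a real SOAR script incident, results_content and rule are globals."""
    incident.properties.jira_url = "<a href='{}' target='blank'>{}</a>".format(
        results_content.get("issue_url"), results_content.get("issue_key"))
    incident.properties.jira_internal_url = results_content.get("issue_url_internal")
    incident.properties.jira_issue_id = results_content.get("issue_key")
    incident.properties.jira_server = rule.properties.jira_label
    if link_to_incident:
        # Without this flag the poller does not treat the case as already linked.
        incident.properties.jira_linked_to_incident = True
    return incident


def find_linked_case(cases, issue_key, server_label):
    """Return the SOAR case already linked to issue_key on server_label, else None.
    Assumed matching rule: issue id + server label + jira_linked_to_incident flag."""
    for case in cases:
        p = case.properties
        if (getattr(p, "jira_issue_id", None) == issue_key
                and getattr(p, "jira_server", None) == server_label
                and getattr(p, "jira_linked_to_incident", False)):
            return case
    return None


def poll_once(cases, jira_issues, server_label, next_case_id):
    """One simulated poller pass. Returns a list of (action, case_id, issue_key)
    and appends a 'ghost' case to cases whenever no linked case is found."""
    actions = []
    for issue in jira_issues:
        linked = find_linked_case(cases, issue["key"], server_label)
        if linked is not None:
            actions.append(("update", linked.id, issue["key"]))
            continue
        # Assumed default create template: name from fields.summary, Respond phase.
        ghost = make_case(next_case_id,
                          "IBM Resilient SOAR: " + issue["fields"]["summary"],
                          phase="Respond")
        ghost.properties.jira_issue_id = issue["key"]
        ghost.properties.jira_server = server_label
        ghost.properties.jira_linked_to_incident = True
        cases.append(ghost)
        actions.append(("create", ghost.id, issue["key"]))
        next_case_id += 1
    return actions


def demo(link_to_incident):
    """Reproduce the thread's scenario: case 2166 creates ABCD-37, then one poll runs."""
    case = make_case(2166, "My SOAR Case 10")
    results_content = {  # constructed sample, shaped like the keys the script reads
        "issue_key": "ABCD-37",
        "issue_url": "https://example-xsoar.atlassian.net/browse/ABCD-37",
        "issue_url_internal": "https://example-xsoar.atlassian.net/browse/ABCD-37",
    }
    rule = SimpleNamespace(properties=SimpleNamespace(jira_label=JIRA_LABEL))
    run_post_process(case, results_content, rule, link_to_incident)
    cases = [case]
    jira_issues = [{"key": "ABCD-37", "fields": {"summary": "My SOAR Case 10"}}]
    actions = poll_once(cases, jira_issues, JIRA_LABEL, next_case_id=2167)
    return actions, [c.id for c in cases]


if __name__ == "__main__":
    print("without flag:", demo(False))  # a ghost case 2167 is created
    print("with flag:   ", demo(True))   # case 2166 is updated instead
```

    Running the script shows the two outcomes side by side: without the flag the poll pass creates case 2167 with the same issue key, and with it the existing case 2166 is updated. The same check is worth keeping in mind for the timezone discussion above: a case the poller cannot see (whether because a property is missing or because its timestamps fall outside the lookback window) is treated as new.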



  • 35.  RE: JIRA Integration

    Posted Wed July 05, 2023 08:29 AM
    Edited by hawny w Tue July 11, 2023 07:23 AM