If I create a case in SOAR and just give it a name without choosing anything such as incident type, it creates a case already in the respond phase similar to the "ghost" that the jira app creates. Inside the JIRA App I created case templates to test if something might change, but it doesn't seem to use my case templates for creating this "ghost" case. it just ignores my case template. The original JIRA APp case template in the documentation uses fields[summary] as name and I changed to a different parameter, but it still uses fields[summary] as name.
to sum up: I Create a case in SOAR and manually trigger a rule for JIRA to create a ticket in JIRA. Then JIRA poller notes a new ticket in JIRA and automatically creates this "ghost" case in SOAR as if there were not cases linked to this JIRA ticket, which is not true because when I manually trigger the rule with the JIRA integration it updates a JIRA Incident Tab.
Original Message:
Sent: Mon June 05, 2023 07:32 AM
From: Richard Swierk
Subject: JIRA Integration
I will test with the incident type as this could be a bug.
------------------------------
Richard Swierk
Original Message:
Sent: Sat June 03, 2023 07:49 AM
From: BrunoMarX
Subject: JIRA Integration
This time I changed the workflow. I Created a Ticket first at JIRA and then a case was automatically created in SOAR. Everything worked as expected. Including that comments were synced. Work as designed.
The automatically created case was already in the responde phase and had only one task, similar to the "ghost" case.
Just noticed that all cases without incident type are created this way:
------------------------------
BrunoMarX
Original Message:
Sent: Fri June 02, 2023 10:04 AM
From: Richard Swierk
Subject: JIRA Integration
Could you please set it to where it was not creating a second SOAR case. Make sure logs are in DEBUG mode then create a SOAR incident, send it to Jira, then add comments on the Jira ticket. Send me those logs please.
------------------------------
Richard Swierk
Original Message:
Sent: Fri June 02, 2023 09:15 AM
From: BrunoMarX
Subject: JIRA Integration
Hi Richard,
Thank you! I did this already between Test 1 and Test 2 in the previous post. Same result :(
------------------------------
BrunoMarX
Original Message:
Sent: Fri June 02, 2023 09:01 AM
From: Richard Swierk
Subject: JIRA Integration
in your app.config under [fn_jira:soc] add the setting,
------------------------------
Richard Swierk
Original Message:
Sent: Fri June 02, 2023 07:39 AM
From: BrunoMarX
Subject: JIRA Integration
Hi Richard,
Yes. The time says Europe/Berlin --> my current time zone UTC+2. I changed the timezone for both SOAR and APP Host. They are now in the same timezone.
Test 1: I performed the same test as above, and get the same result.
I see the within the JIRA App, the logs are being written with a different time. , namely UTC only. I could not change it.
Taking a lot at the documentation for the app I see a parameter timezone_offset
This parameter was not set before, so I changed it, but nothing changed regarding the timestamp of the logs within the containes. I changed it to +2.00
Test 2: I performed the same test as above, and get the same result.
I then changed the timezone of my JIRA Server to UTC.
Test 3: I performed the same test as above, and got a different result: THe JIRA Ticket is created but this time no extra SOAR Case is created. However, poller does not seem to be working, since JIRA comments are not being synced to SOAR Cases.
I then changed the time of the JIRA Server back to UTC+2 and the SOAR case from Test 3 was created the same way as in Tests 1 and 2.
to sum up, I still have the same issue. :(
Thank you for your help!
------------------------------
BrunoMarX
Original Message:
Sent: Fri June 02, 2023 07:17 AM
From: Richard Swierk
Subject: JIRA Integration
Can you logon to your Jira server, click on the gear icon in the upper right corner, and then select system. Scroll down and you should see a setting named, default user time zone, what does that say?
------------------------------
Richard Swierk
Original Message:
Sent: Thu June 01, 2023 03:05 PM
From: BrunoMarX
Subject: JIRA Integration
Within the JIRA Container, the time is also different. 2 hours in the past
(<ServerHeartbeat[*] ()>, None )>
2023-06-01 19:04:33,214 INFO [poller_common] [Thread-29] fn_jira polling start.
2023-06-01 19:04:33,217 DEBUG [connectionpool] [Thread-29] Starting new HTTPS connection (1): xsoar.atlassian.net:443
202------------------------------
Richard Swierk
Original Message:
Sent: Thu June 01, 2023 01:47 PM
From: BrunoMarX
Subject: JIRA Integration
I haven't changed any Case Templates. Maybe this is the reason? I set up another system with SOAR and come to the same result.
Poller Templates for SOAR Cases
It may be necessary to modify the templates used to create, update, or close SOAR cases based on your required custom fields in SOAR.
This is especially relevant if you have required custom close fields that need to be filled when closing a case in SOAR. If that is the case, be sure to implement a custom close_case_template
and reference those required close fields in the template.
When overriding the template in App Host, specify the file path for each file as /var/rescircuits
.
Below are the default templates used which can be copied, modified, and used with app_config's soar_create_case_template
, soar_update_case_template
, and soar_close_case_template
settings to override the default templates.
------------------------------
BrunoMarX
Original Message:
Sent: Thu June 01, 2023 12:11 PM
From: Richard Swierk
Subject: JIRA Integration
yes, so when you run the SOAR action to create a Jira ticket make sure you enter, soc, into the Jira label field
------------------------------
Richard Swierk
Original Message:
Sent: Thu June 01, 2023 12:03 PM
From: BrunoMarX
Subject: JIRA Integration
Hi Richard!
Thank you again for the reply.
This is my app.config. Do you mean this? [fn_jira:soc]
# V2.2.0+ have the option to have multiple servers configured.
# By default two examples of servers are given, example one is labeled `jira_label1` and example two is labeled `jira_label2`.
# The label for a server is placed after `[fn_jira:` and then followed by `]`.
# To add additional servers copy the below example server configuration from `[fn_jira:jira_label1]` to `#https_proxy=`.
# Then paste it at the bottom of the app.config.
# Change the server label, `jira_label1`, to a label helpful to define that server.
# Then change the setting to those of the server you wish to add.
[fn_jira:soc]
url = https://example-xsoar.atlassian.net
auth_method = BASIC
user = bruno.marx@example.com
password = SECRET!
# For TOKEN authentication
#auth_token=
# For OAUTH connections, the four parameters below are required and user/password are ignored
#access_token = <oauth access token>
#access_token_secret = <oauth access token secret>
#consumer_key_name = <oauth consumer key - from Jira incoming link settings>
#private_rsa_key_file_path = <private RSA key matched with public key on Jira>
timeout = 10
# data Table name to hold data for tasks synced to Jira
jira_dt_name = jira_task_references
# use verify_cert to disable untrusted certificate verification
verify_cert = True
#poller_filters = priority in (high, medium, low) and status in ('to do', 'in progress', 'open') and project in ('ABCD')
poller_filters = priority in (high, medium, low) and status in ('to do', 'in progress', 'open', 'resolved', 'closed', 'done')
max_issues_returned = 50
#http_proxy=
#https_proxy=
[resilient]
api_key_id = ID3uou4324oo
api_key_secret = $API_KEY_SECRET
cafile = false
loglevel = DEBUG
host = 10.12.131.183
port = 443
org = Example GmbH
[fn_jira:global_settings]
timeout = 30
polling_interval = 10
polling_lookback = 60
max_issues_returned = 50
------------------------------
BrunoMarX
Original Message:
Sent: Thu June 01, 2023 10:15 AM
From: Richard Swierk
Subject: JIRA Integration
This is because you need to add a label to your jira server when using the poller. The poller is searching for the SOAR cases that have a jira server label attached to them, so when it does not see a Jira server label attached to the SOAR incident it is creating a new SOAR incident.
Label your Jira server in your app.config and then when calling the SOAR action to create a Jira ticket input the Jira label.
------------------------------
Richard Swierk
Original Message:
Sent: Thu June 01, 2023 10:00 AM
From: BrunoMarX
Subject: JIRA Integration
Hi Richard,
thank you! Well I didn't have any jira label within my app.config. I noticed a behavior..
I Created a Case 2166 manually with name "My SOAR Case 10" and the case starts at the engage phase. I then use a Rule that can be manually run if the case does not have any JIRA Incident associated with. This rule executes a workflow. The workflow has a Post-processing Script:
incident.properties.jira_url = "<a href='{}' target='blank'>{}</a>".format(results_content.get("issue_url"), results_content.get("issue_key"))
incident.properties.jira_internal_url = results_content.get("issue_url_internal")
incident.properties.jira_issue_id = results_content.get("issue_key")
incident.properties.jira_server = rule.properties.jira_label
As a result, there is JIRA TIcket ABCD-37.
My case 2166 is updated and inside "JIRA Incident" Tab, I see the information regarding the JIRA incident.
For example URL and JIRA Issua ID ABCD-37.
So far so good.
a few seconds later, a new case is created with name 'IBM Resilient SOAR: My SOAR Case 10' and number 2167 at the respond phase. Inside the JIRA Incident Tab, I see the same URL and Issue ID ABCD-37.
I don't know exactly why Case 2167 is created. and then every time I add a comment to ABCD-37, it is updated within case 2167 and not in Case 2166. :(
------------------------------
BrunoMarX
Original Message:
Sent: Thu June 01, 2023 06:49 AM
From: Richard Swierk
Subject: JIRA Integration
I actually came across a similar issue the other day. When you use the SOAR manual rule to create a Jira ticket make sure you enter the label you gave to the Jira server in your app.config. If you do not give a Jira label then it will create a new incident on SOAR.
------------------------------
Richard Swierk
Original Message:
Sent: Thu June 01, 2023 05:18 AM
From: BrunoMarX
Subject: JIRA Integration
@Richard Swierk ,
I create the case 2143 manually and use the JIRA integration to create the TIcket ABCD-27. After that, the poller threat of the JIRA Integration creates the case 2144 and updates it.
2023-05-28 12:09:45,149 DEBUG [poller] [Thread-29] Updating SOAR incident: 2144 with Jira issue: ABCD-27
in the code under https://github.com/ibmresilient/resilient-community-apps/blob/main/fn_jira/fn_jira/poller/poller.py I find this:
jira = update[0]
soar = update[1]
LOG.debug(f"Updating SOAR incident: {soar.get('id')} with Jira issue: {jira.get('key')}")
somehow the soar.get('id') returns "case number +1".
No there is no other integration for JIRA. only this one.
Thank you!
------------------------------
BrunoMarX
Original Message:
Sent: Tue May 30, 2023 07:22 AM
From: Richard Swierk
Subject: JIRA Integration
Based on the logs SOAR incident 2144 is not being created by the Jira integration. Do you have any other integrations installed on you SOAR instance?
------------------------------
Richard Swierk
Original Message:
Sent: Sun May 28, 2023 08:22 AM
From: BrunoMarX
Subject: JIRA Integration
I just uploaded a new version of the logs.
IBM SOAR Case 2143. I manually created a JIRA Ticket through SOAR and ABCD-27 was created. Then.. Without me doing anything, Case 2144 was created in a different phase. Response instead of engage. it doesn't not have direct to do with the comment.
------------------------------
BrunoMarX
Original Message:
Sent: Fri May 26, 2023 07:53 AM
From: Richard Swierk
Subject: JIRA Integration
Yes i understand what is happening now. I am unsure why it is happening and I have not been able to reproduce this issue.
Could you put configure DEBUG mode for logging then reproduce the issue and show me the logs.
The configure DEBUG mode for logs go to the app.config for the jira integration on SOAR. Then under, [resilient], add loglevel=DEBUG. Save and it will redeploy the app.
------------------------------
Richard Swierk
Original Message:
Sent: Thu May 25, 2023 04:45 PM
From: BrunoMarX
Subject: JIRA Integration
Thank you for your reply!
Actually I expect this:
A)
- I create a case in SOAR
- A ticket is created in JIRA
- I Add a note in SOAR
- the note is included in JIRA
- I add a note in JIRA
- The note is added in SOAR as well
- Wherever I close the case/ticket, the Ticket/case is also closed
B)
- I create a ticket in JIRA
- A Case is created in SOAR
- The rest should be the same as in A)
Answering to you question. Yes. This happens to me as well. I would be happy if I the notes/comments would synchronize without opening another case in JIRA.
Is clear enough what is happening to me and what I want to achieve?
------------------------------
BrunoMarX
Original Message:
Sent: Thu May 25, 2023 08:32 AM
From: Richard Swierk
Subject: JIRA Integration
The only way I have been able to get a new SOAR incident created from the same Jira ticket is if i move the Jira ticket to a done state and then move it back to an open state. The original SOAR incident gets closed and a new SOAR incident is created.
Does this sound like what is occurring for you?
------------------------------
Richard Swierk
Original Message:
Sent: Thu May 25, 2023 05:29 AM
From: BrunoMarX
Subject: JIRA Integration
Hi Richard! Thank you for your reply.
[fn_jira:global_settings]
timeout = 30
polling_interval = 10
polling_lookback = 60
max_issues_returned = 50
poller_filters = priority in (high, medium, low) and status in ('to do', 'in progress', 'open', 'resolved', 'closed', 'done')
max_issues_returned = 50
------------------------------
BrunoMarX
Original Message:
Sent: Wed May 24, 2023 10:23 AM
From: Richard Swierk
Subject: JIRA Integration
What do you have set for your poller_filters in the app.config?
------------------------------
Richard Swierk
Original Message:
Sent: Wed May 24, 2023 09:12 AM
From: BrunoMarX
Subject: JIRA Integration
I changed the status of the ticket in JIRA from open to completed and it opened a new case in SOAR. Therefore, all my actions in JIRA result in a new case in SOAR. :(
------------------------------
BrunoMarX
Original Message:
Sent: Tue May 23, 2023 03:09 PM
From: Richard Swierk
Subject: JIRA Integration
Is it just with notes? If you change the status of the ticket on Jira does it change on SOAR?
------------------------------
Richard Swierk
Original Message:
Sent: Fri May 19, 2023 09:42 AM
From: BrunoMarX
Subject: JIRA Integration
Hello Community! I am more or less new to IBM SOAR and have sucessfully integrated it with out JIRA. However, when I have an Incident in SOAR that generates a ticket in JIRA, every time I create a comment in the JIRA Ticket through JIRA and it synchronizes with SOAR, instead of updating the SOAR Case, it creates a new case (in the respond phase, even though the original case was still in the initial phase). The other way works fine: When I create a note in SOAR, it also creates a note in JIRA.
Do you know what can be wrong here?
Thank you!
------------------------------
BrunoMarX
------------------------------