Introduction

In the fast-paced world of cybersecurity, efficiently managing incidents is crucial for any organization. This blog post delves into how integrating IBM SOAR with Atlassian JIRA, using the “Atlassian Jira Functions for SOAR”, can significantly streamline your incident management process.

Understanding IBM SOAR

IBM SOAR (Security Orchestration, Automation, and Response) is a cornerstone in the realm of cybersecurity operations. It’s designed to automate responses to cyber threats, ensuring swift and coordinated action. Its key features include incident response planning, orchestration of tools, and interactive investigations.

The Role of Atlassian JIRA

Atlassian JIRA is renowned for its project management and issue tracking capabilities. It’s widely used by teams to plan, track, and manage agile software development projects, making it an indispensable tool in many organizations.

The Integration: IBM SOAR and Atlassian JIRA

Integrating IBM SOAR with Atlassian JIRA bridges the gap between security incident management and issue tracking. The “Atlassian Jira Functions for SOAR” app facilitates this by allowing the tracking of SOAR Incidents and Tasks as Jira Issues, creating a cohesive management ecosystem.

Key Features of the Integration

• Bidirectional Synchronisation: This feature ensures that any update in SOAR is reflected in JIRA and vice versa, maintaining consistency across platforms.
• Incident and Task Tracking: Incidents logged in SOAR can be tracked as Jira issues, ensuring that all team members are on the same page.
• Automated Transitions and Comments: When an incident is closed in SOAR, the corresponding Jira issue is automatically transitioned, and any notes created in SOAR are added as comments in Jira.

Prerequisites for Integration

Before diving into the integration of IBM SOAR with Atlassian JIRA, it’s essential to ensure that certain prerequisites are in place. These prerequisites are critical for a smooth and successful integration process.

1. IBM QRadar Suite Instance: You need to have an active IBM QRadar Suite instance. This can be on a subscription basis, ensuring you have access to the latest features and support.
2. Edge Gateway (App Host) Connection: An Edge Gateway, or App Host, must be connected to your IBM QRadar Suite instance. The App Host serves as a secure, scalable, and resilient environment for running applications that extend the capabilities of IBM QRadar.

Ensuring these prerequisites are met is crucial for the subsequent steps in the integration process. They lay the foundation for a seamless and effective implementation of the “Atlassian Jira Functions for SOAR”.

Understanding the Integration Workflow

The integration of IBM SOAR with Atlassian JIRA involves a specific workflow that ensures the efficient functioning of the system. Here’s a breakdown of how this integration works:

1. Uploading the Application: The process begins with the uploading of the “Atlassian Jira Functions for SOAR” application. This is done by downloading the application package (a ZIP file) from the IBM App Exchange.
2. Installation on App Host: Once uploaded, the application is installed under the App Host as a running container. The App Host environment is crucial as it securely runs the application, ensuring that it’s isolated from the core system but still connected to the necessary IBM QRadar Suite components.
3. Running the Python API (fn_jira): Within this container, the Python API fn_jira is executed. This API is the cornerstone of the integration, facilitating the communication and data exchange between IBM SOAR and Atlassian JIRA.
4. Utilization by Playbooks: The fn_jira API is then utilized by the playbooks you write in IBM SOAR. These playbooks are designed to automate various tasks, such as creating Jira issues when a case is created in IBM SOAR, thereby streamlining the incident management process.

Understanding this workflow is key to appreciating how the integration leverages the strengths of both IBM SOAR and Atlassian JIRA, creating a more efficient and responsive incident management system.

Setting Up the Integration

The integration process begins with downloading the “Atlassian Jira Functions for SOAR” from the IBM App Exchange. After uploading it to IBM SOAR, the configuration involves setting up the necessary parameters to ensure seamless communication between SOAR and JIRA.

Downloading the “Atlassian Jira Functions for SOAR”:

• Browse the IBM App Exchange Platform.
• Type in the search bar “JIRA” and hit enter.
• Select the First List named “Atlassian Jira Functions for SOAR”
• Click on Download Button
• A Zip file named like app-fn_jira-3.0.****.zip will be downloaded.

Upload the Downloaded Zip file to SOAR:

• Go the Permissions and Access tab from left Navigation:

• Click on Apps Tab
• Click on Blue Install Button
• Select the Zip file which we downlaoded
• and Click on Upload File
• Confirm the changes.

Configure Jira App for IBM SOAR:

to Connect to JIRA, we’ll provide required details to the install function API:

• Click on the Details Button on “Jira App for IBM SOAR” App.
• Select the Configurations Tab
• Select the “app.config” file.
• Modify the content of app.config file with your JIRA Instance details such as URL, User and Token ID and Configure the Poller as needed more details can bee seen in this official document.
• Select the Edge Gateway from Dropdown and Click on Deploy.
• make sure after deploy all four checks are shown Green.

My Experience and Playbook Creation

My journey with this integration involved writing a Python playbook to utilize the app’s API, automating the creation of Jira issues whenever a case is created in IBM SOAR. This playbook serves as a critical component in ensuring that incident tracking is as real-time and automated as possible.

Some example playbooks are already created when we upload the zip file to SOAR we are free to utilize them or modify as per need.

A Sample Playbook to auto create issue in JIRA once a case is created in SOAR :

The Flow of Playbook:

The Script:

from json import dumps

#inputs.jira_label = incident.properties.jira_label

# ID of this incident
inputs.incident_id = incident.id

# A map for JIRA priorities
#priority_map = { "Lowest": {"name": "Lowest"}, "Low": {"name": "Low"}, "Medium": {"name": "Medium"}, "High": {"name": "High"}, "Highest": {"name": "Highest"} }
#jira_priority = priority_map.get(incident.severity_code, {"name": "Low"})




# Define JIRA fields here
inputs.jira_fields = dumps({
  "project": incident.properties.jira_project_key,
  "issuetype": incident.properties.jira_issue_type,
  #"priority": jira_priority,
  "summary": f"IBM SOAR: {incident.name if len(incident.name) <= 252 - len('IBM SOAR: ') else incident.name[:252 - len('IBM SOAR: ')] + '...'}",
  #"summary": f"IBM SOAR: {incident.name}"
  "description": incident.description.content if incident.get("description") else "Created in IBM SOAR"
})

Realized Benefits

The integration has brought about significant improvements in incident management efficiency. The automated synchronization between IBM SOAR and JIRA ensures that all stakeholders are updated with the latest incident status, leading to more coordinated and timely responses.

Conclusion

The integration of IBM SOAR with Atlassian JIRA through the “Atlassian Jira Functions for SOAR” is a game-changer in incident management. It exemplifies how technology can be leveraged to bring about efficiency and coherence in cybersecurity operations.

I encourage you to explore this integration for your incident management needs and experience the enhanced efficiency firsthand.