guilhemmarchand / TA-jira-service-desk-simple-addon

Atlasian JIRA add-on for Splunk alert actions

Having results added in the "dedup" comment #66

Closed Icchan92 closed 3 years ago

Icchan92 commented 3 years ago

Hi, if possible, I would like to have some of the search results, or the preconfigured fields in the jira description, added to the comment whenever a new alert has been triggered. I use the dedup function to avoid creating a new alert if a similar event has been detected, for example the same malicious URL has been triggered again, but I would like to have the IPs / hostname information, as they can be different from the original jira. Ideally, I would like to have the same description fields just added to the comment. Thanks : )

guilhemmarchand commented 3 years ago

Added to the backlog, will be considered for review.

guilhemmarchand commented 3 years ago

@Icchan92

I have carefully re-read your question, and I realised it is already part of the dedup feature; maybe you missed it. (The documentation would deserve to be clearer on it.)

https://ta-jira-service-desk-simple-addon.readthedocs.io/en/latest/userguide.html#jira-dedup-behaviour

- If the field jira_update_comment exists, its content will automatically be added as the comment

If, as part of your results, a field named "jira_update_comment" exists, its content will be taken and used to fill the comment content value in JIRA. So you can handle this easily in Splunk, and define the content dynamically in SPL.

For instance you would make sure to have something like:

| eval jira_update_comment="Issue creation was dedup for src: " . src . " / host: " . nt_host

If this field is present in the result, dedup is enabled and the dedup triggers, its content will be used for the comment.

Please let me know if this makes sense.

FYI:

TA-jira-service-desk-simple-addon/bin/ta_jira_service_desk_simple_addon/modalert_jira_service_desk_helper.py

    # Handle the JIRA comment to be added: if a field named jira_update_comment is part of the result,
    # its content will be used for the comment content.
    jira_update_comment = "null"
    for key, value in event.items():
        # exact field-name match (a substring test such as `key in "jira_update_comment"`
        # would also match unrelated fields like "jira" or "comment")
        if key == "jira_update_comment":
            jira_update_comment = '{"body": "' + checkstr(value) + '"}'
    helper.log_debug("jira_update_comment:={}".format(jira_update_comment))

    # no jira_update_comment field in the result: fall back to a generic comment
    if jira_update_comment == "null":
        data = '{"body": "New alert triggered: ' + jira_summary + '"}'
    else:
        data = jira_update_comment

Guilhem
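The comment-selection logic described in the reply above, as an added stand-alone example (not the add-on's own helper code). It assumes the Splunk result row arrives as a plain dict of field name to value, and the sample row is constructed here; it also shows why the field name should be compared exactly rather than with a substring test, and serialises the body with json.dumps so quotes or newlines in field values cannot corrupt the JSON payload sent to JIRA.

```python
import json

# Constructed sample: one Splunk alert result row as the alert action
# would see it (field name -> value). Not taken from the add-on.
SAMPLE_EVENT = {
    "src": "10.0.0.5",
    "nt_host": "WKS-042",
    "url": "http://example.invalid/payload",
    # value as produced by the SPL `eval jira_update_comment=...` shown in the thread,
    # deliberately containing a double quote and a newline
    "jira_update_comment": 'Issue creation was dedup for src: 10.0.0.5 / host: WKS-042 ("note"\nline 2)',
}


def dedup_comment_payload(event, jira_summary):
    """Return the JSON body for the dedup comment.

    Behaviour described in the thread: if the result row carries a field
    named exactly ``jira_update_comment`` its content becomes the comment,
    otherwise a generic "New alert triggered: <summary>" comment is used.
    The body is built with json.dumps so that quotes, backslashes and
    newlines in the field value are escaped instead of breaking the JSON.
    """
    comment = event.get("jira_update_comment")
    if comment is None or str(comment).strip() == "":
        comment = "New alert triggered: " + jira_summary
    return json.dumps({"body": str(comment)})


def comment_text(payload):
    """Parse a payload produced by dedup_comment_payload and return its body."""
    return json.loads(payload)["body"]


def naive_key_matches(key):
    """Substring test in the style of ``key in "jira_update_comment"``.

    Kept only to show the pitfall: unrelated field names such as "jira"
    or "comment" also match, which is why exact comparison is used above.
    """
    return key in "jira_update_comment"
```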

guilhemmarchand commented 3 years ago

Assuming this answered your question @Icchan92 I am closing the issue. Let me know otherwise ;-)