Automated Ticket Creation with non-integrated Ticketing System

Hello there,

Trying to automate ticket creation based on the alerts we get from IDR. The system already sends out an email that we get, and we could pipe that into the ticketing system, but it's not very verbose on the issue. Was thinking about creating a script that will pull any new investigations from the API. Is this the best way to do this? Loop an API query into IDR to populate the API call for the ticketing service? Any other way? Thanks

Hi,

Have you read about our Universal Webhook? Universal Webhook | InsightIDR Documentation

This allows events to be sent when an alert is triggered, and you could use this to feed into your ticketing system instead of the email method.

Does this get you any closer to what you are trying to achieve?

As far as APIs go, we have the following Investigation API: InsightIDR API Documentation

David

Hello, thank you for your response. This might be something that will help us in creating this automation. My only real question is if this can produce the same amount of information about an investigation that a direct API call can? The investigation API looks great.

Hi Casey,

Yes, the Universal Webhook will output a body like this:

{
  "timestamp": "[time of alert]",
  "type": "[type of alert]",
  "name": "[name of alert]",
  "description": "[description of alert]",
  "link": "[deep link back to IDR for the alert]",
  "investigationID": "[the unique identifier of the investigation]",
  "actors": {
    "users": [
      {
        "name": "[the user name]",
        "distinguishedName": "[the Active Directory distinguished name of the user]",
        "emails": "[list of emails for the user]"
      }
    ],
    "assets": [
      {
        "hostname": "[the asset hostname]",
        "fqdn": "[fully qualified domain name of the asset]",
        "shortname": "[the shortname of the asset]"
      }
    ]
  }
}

https://docs.rapid7.com/insightidr/webhook/#request-body-1

which actually has more information than the output from the Investigation API.

David

Thank you for that response. I do see that it outputs more information and would be useful. When I went in and tried to make one, it looks like there isn't any way to customize the information sent, is that correct? So the syntax that IDR uses for its investigations would have to be the same syntax used by whatever program is going to receive the webhook? I'm trying to pipe this into the Freshservice ticketing system and use the information to populate those fields. As it seems right now, this will not be possible unless I can somehow send the information with different identifiers to match the ticketing system. Does that make sense?

Yes, it does make sense, and you are correct: there is no way to change the output fields or values that get sent from IDR. An intermediate step (such as a script) would be required to modify those fields if necessary.
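The intermediate step the thread lands on, written out as an added example (not code from Rapid7, Freshservice, or anyone in this thread): a small listener that accepts the Universal Webhook body shown above, refuses requests that lack a shared secret or are oversized, and translates the IDR field names into a Freshservice ticket payload. Assumptions, all labelled in the code: the inbound body has the shape documented for the Universal Webhook; Freshservice's ticket API accepts `subject`, `description`, `email`, `priority` and `status` as JSON fields; the secret is carried in a hypothetical `X-Webhook-Secret` header; the priority mapping and the `SAMPLE_ALERT` body are constructed for illustration.

```python
"""Translate InsightIDR Universal Webhook bodies into Freshservice ticket payloads.

Added example; not Rapid7 or Freshservice code. Assumed: webhook body shape as
documented for the Universal Webhook, Freshservice ticket fields subject /
description / email / priority (1-4) / status (2 = Open), and a shared secret
presented in an X-Webhook-Secret header (hypothetical; configure whatever the
webhook sender supports).
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

MAX_BODY_BYTES = 64 * 1024  # refuse oversized posts before parsing them
SHARED_SECRET = os.environ.get("IDR_WEBHOOK_SECRET", "change-me")  # assumed header secret
DEFAULT_PRIORITY = 2  # assumed Freshservice scale: 1 low, 2 medium, 3 high, 4 urgent
# Assumed mapping from keywords in the IDR alert type to a Freshservice priority.
PRIORITY_BY_KEYWORD = {"malware": 4, "ransomware": 4, "brute force": 3, "lateral": 3}


def verify_secret(presented: Optional[str], expected: str = SHARED_SECRET) -> bool:
    """Constant-time comparison so the listener cannot be brute-forced by timing."""
    return hmac.compare_digest((presented or "").encode(), expected.encode())


def _clip(value, limit: int = 512) -> str:
    """Coerce any inbound field to a bounded string; the body's types are untrusted."""
    return str(value if value is not None else "")[:limit]


def _priority_for(alert_type: str) -> int:
    lowered = alert_type.lower()
    for keyword, prio in PRIORITY_BY_KEYWORD.items():
        if keyword in lowered:
            return prio
    return DEFAULT_PRIORITY


def build_ticket(alert: dict, requester_email: str = "idr-alerts@example.com") -> dict:
    """Map one webhook body to the assumed Freshservice ticket field names."""
    actors = alert.get("actors") or {}
    users = [u for u in (actors.get("users") or []) if isinstance(u, dict)]
    assets = [a for a in (actors.get("assets") or []) if isinstance(a, dict)]
    user_lines = [f"- {_clip(u.get('name'))} ({_clip(u.get('distinguishedName'))})" for u in users]
    asset_lines = [f"- {_clip(a.get('hostname'))} / {_clip(a.get('fqdn'))}" for a in assets]
    description = "\n".join([
        f"Type: {_clip(alert.get('type'))}",
        f"Time: {_clip(alert.get('timestamp'))}",
        f"Investigation: {_clip(alert.get('investigationID'))}",
        f"Link: {_clip(alert.get('link'), 2048)}",
        "",
        _clip(alert.get("description"), 4096),
        "",
        "Users:", *(user_lines or ["- none"]),
        "Assets:", *(asset_lines or ["- none"]),
    ])
    return {
        "subject": f"[IDR] {_clip(alert.get('name'), 200)}",
        "description": description,
        "email": requester_email,
        "priority": _priority_for(_clip(alert.get("type"))),
        "status": 2,  # Open (assumed Freshservice status code)
    }


class IdrWebhookHandler(BaseHTTPRequestHandler):
    """Receives the IDR webhook; production code would POST the ticket onward."""

    def do_POST(self):
        if not verify_secret(self.headers.get("X-Webhook-Secret")):
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_BODY_BYTES:
            self.send_error(413)
            return
        try:
            alert = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400)
            return
        if not isinstance(alert, dict):
            self.send_error(400)
            return
        ticket = build_ticket(alert)
        # Production: POST json.dumps(ticket) with basic auth to the assumed
        # endpoint https://<your-domain>.freshservice.com/api/v2/tickets
        print(json.dumps(ticket, indent=2))
        self.send_response(202)
        self.end_headers()


# Constructed sample body in the documented webhook shape (not a real alert).
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T12:00:00Z",
    "type": "Brute Force - Domain Account",
    "name": "Brute Force - Domain Account",
    "description": "Multiple failed logons followed by a success",
    "link": "https://example.invalid/idr/investigations/abc123",
    "investigationID": "abc123",
    "actors": {
        "users": [{"name": "jdoe", "distinguishedName": "CN=jdoe,OU=Users,DC=example,DC=com",
                   "emails": ["jdoe@example.com"]}],
        "assets": [{"hostname": "WS-0042", "fqdn": "ws-0042.example.com", "shortname": "ws-0042"}],
    },
}

if __name__ == "__main__":
    print(json.dumps(build_ticket(SAMPLE_ALERT), indent=2))
    if os.environ.get("IDR_WEBHOOK_LISTEN"):  # set to run the listener on :8080
        HTTPServer(("0.0.0.0", 8080), IdrWebhookHandler).serve_forever()
```

Run it as-is to see the sample translation; set `IDR_WEBHOOK_SECRET` and `IDR_WEBHOOK_LISTEN=1` to start the listener and point the Universal Webhook at it. Every inbound field is clipped and stringified before it reaches the ticket body because the webhook delivers attacker-influenced data (usernames, hostnames, alert descriptions), and an unbounded or oddly typed field should never be able to break the ticket or the listener.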