As a weekend project I wanted to see how easy it would be to integrate Azure Sentinel incidents to Jira.
I’ve seen this done in production a while back, but back then there were some difficulties. Now that we have Automation Rules and improved Logic App triggers this was actually a pretty simple task, at least for a quick demo.
Below you can see an example Jira issue based on an Azure Security Center finding that triggered a Sentinel incident.
For starters I signed up for a free Jira plan at https://www.atlassian.com/software/jira/free and created a new Jira Project based on the standard Kanban template.
After that I renamed the standard “Bug” issue type to “Security Incident”. This gave me a good starting data model for our Sentinel incidents, while still retaining the standard Epic, Task and Story issue types in the Jira template.
This project setup would give our imaginary SecOps team a simple way to handle both development items and incidents in the same project.
For this demo I added custom fields for the ID and Severity of Sentinel incidents. You can add custom fields for any data that seems relevant to sync from Sentinel, as long as you find a way to match the data types between the two products.
After creating a basic starter for the issue type, I generated an API token via Jira Account Settings (https://id.atlassian.com/manage-profile/security/api-tokens).
Logic App playbook
Automating the Jira issue creation with a Logic App was very simple, at least for this minimal demo.
I created a Logic App based on the following workflow:
- Trigger every time a new incident is created in Azure Sentinel.
- Create a new Jira issue, selecting our Jira Project, Issue Type and any Sentinel incident fields that we want to include. The connection is authenticated with the Jira API token.
- Add a comment to the Jira issue for our Sentinel Incident URL (this is because the standard URL field in Jira is limited to 255 characters, which is not enough for Sentinel links).
- Add a comment back to the Sentinel Incident so we can have links work both ways between the Sentinel incident and Jira issue.
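The two Jira steps of that workflow, expressed as plain Jira Cloud REST calls (added example written for this post, not the Logic App or any code from the original; it uses the REST API v2 endpoints `POST /rest/api/2/issue` and `POST /rest/api/2/issue/{key}/comment`). The incident field names (`incidentNumber`, `title`, `severity`, `incidentUrl`) and the `customfield_*` ids are assumptions standing in for whatever your Sentinel trigger and Jira project expose, and the transport is injectable so the flow can be exercised offline against a fake Jira. The sample incident URL is constructed to be over 255 characters, which is exactly why the URL lands in a comment rather than Jira's URL field:

```python
"""Build and send the Jira REST calls behind the playbook above:
create an issue from a Sentinel incident, then comment the incident URL.
Added example, not the author's Logic App; field names are assumptions."""
import base64
import json
import urllib.request
from typing import Callable, Dict, Tuple

JIRA_URL_FIELD_LIMIT = 255  # length limit of Jira's standard URL field, as noted in the post


def basic_auth_header(email: str, api_token: str) -> str:
    """Jira Cloud authenticates API tokens with HTTP Basic: base64(email:token)."""
    raw = f"{email}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_issue_payload(incident: dict, project_key: str, issue_type: str,
                        id_field: str, severity_field: str) -> dict:
    """Map a Sentinel incident to a Jira 'create issue' body.

    `incident` mirrors the properties the Sentinel incident trigger exposes
    (assumed names: incidentNumber, title, description, severity); `id_field`
    and `severity_field` are the customfield_* ids of the two custom fields the
    post adds (placeholder ids here)."""
    return {
        "fields": {
            "project": {"key": project_key},
            "issuetype": {"name": issue_type},
            "summary": f"[Sentinel #{incident['incidentNumber']}] {incident['title']}",
            "description": incident.get("description") or "",
            id_field: str(incident["incidentNumber"]),
            # Jira select-list custom fields take {"value": ...}
            severity_field: {"value": incident["severity"]},
        }
    }


def build_url_comment(incident_url: str) -> dict:
    """Sentinel incident URLs exceed Jira's 255-char URL field, so the link
    goes into a comment (REST API v2 accepts a plain-string body)."""
    note = ""
    if len(incident_url) > JIRA_URL_FIELD_LIMIT:
        note = (f" (URL is {len(incident_url)} chars, over the "
                f"{JIRA_URL_FIELD_LIMIT}-char URL field limit)")
    return {"body": f"Sentinel incident: {incident_url}{note}"}


def urllib_post(url: str, headers: Dict[str, str], payload: dict) -> dict:
    """Real transport: POST JSON to Jira and return the parsed response."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={**headers, "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_issue_with_link(post: Callable[[str, Dict[str, str], dict], dict],
                           jira_base: str, auth_header: str, incident: dict,
                           project_key: str, issue_type: str,
                           id_field: str, severity_field: str) -> Tuple[str, dict]:
    """Run the two Jira steps of the playbook through `post` (injectable so the
    flow runs offline). Returns the new issue key and the created comment."""
    headers = {"Authorization": auth_header, "Accept": "application/json"}
    issue = post(f"{jira_base}/rest/api/2/issue", headers,
                 build_issue_payload(incident, project_key, issue_type,
                                     id_field, severity_field))
    key = issue["key"]
    comment = post(f"{jira_base}/rest/api/2/issue/{key}/comment", headers,
                   build_url_comment(incident["incidentUrl"]))
    return key, comment


# Constructed sample incident, shaped like the Sentinel trigger output (assumed names,
# placeholder GUIDs); the URL shape approximates a real Sentinel incident link.
SAMPLE_INCIDENT = {
    "incidentNumber": 42,
    "title": "Suspicious PowerShell execution",
    "description": "Alert from Azure Security Center",
    "severity": "High",
    "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/"
                   "subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/"
                   "providers/Microsoft.OperationalInsights/workspaces/example-workspace/"
                   "providers/Microsoft.SecurityInsights/Incidents/11111111-1111-1111-1111-111111111111",
}


def fake_post(url: str, headers: Dict[str, str], payload: dict) -> dict:
    """Offline stand-in for Jira: returns the shape a real instance would."""
    if url.endswith("/rest/api/2/issue"):
        return {"id": "10001", "key": "SEC-7", "self": url + "/10001"}
    return {"id": "10500", "body": payload["body"]}


if __name__ == "__main__":
    hdr = basic_auth_header("secops@example.com", "REDACTED_API_TOKEN")  # placeholder token
    key, comment = create_issue_with_link(fake_post, "https://example.atlassian.net", hdr,
                                          SAMPLE_INCIDENT, "SEC", "Security Incident",
                                          "customfield_10050", "customfield_10051")
    print(key, comment["body"])
```

To run it against a real instance, pass `urllib_post` instead of `fake_post` and your own site URL, project key and custom field ids; keep the API token out of the script (a Key Vault reference or environment variable) since the Basic header carries it in clear text to anyone who can read the Logic App definition or logs.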
Sentinel Automation Rule
I already had an existing Automation Rule that triggered a Teams message for every new Sentinel Incident.
I added the Jira issue creation playbook as a new action in the Automation Rule, and a second action for creating a “Jira” tag for the Sentinel incidents to make it clearer that the incident is also in Jira.
Issues and enhancements
- The integration triggers only for new incidents. If new alerts are added to existing incidents in Sentinel, Jira will not know about this.
- In the demo I simply created a new Severity field in Jira to co-exist with the standard Jira Priority field; these are redundant and would make classifying and prioritizing difficult.
- I made no attempt at a two-directional integration, so after the automation has triggered, the Sentinel incident and the Jira issue have separate lifecycles.