Configure Jira Webhook Connector

You can configure a webhook connector in the Alert Logic console to send notifications to Jira in near real time. When you set up a notification and subscribe a webhook connector, the connector sends the event to the target URL you configured and generates an issue in Jira automatically.

Alert Logic notifications alert you to threats, changes, and scheduled events in your environment so you can respond quickly. From the Alert Logic console, you can subscribe your Jira webhook to receive:

Complete the following steps to successfully generate issues in Jira:

  1. Identify your Jira target URL
  2. Generate an Authorization header
  3. Customize the payload template
  4. Create the Jira webhook connector from the Alert Logic console
  5. Subscribe your webhook to receive notifications

Identify your Jira target URL

Before you create the webhook connector in the Alert Logic console, identify your Jira instance name and make a note of it. In the Target URL field, you must replace "<myinstance>" with the Jira instance to which you want to send Alert Logic security notifications.

Generate an Authorization header

Jira requires an HTTP Authorization request header. You can use the following instructions for your operating system to generate the header.

The command requires a valid Jira user name and password, and it encodes the credentials with base64. To construct the header, you enter the word "Basic" (which is the Authorization header type), a space, and then the base64-encoded credentials.

Alert Logic stores your Authorization header securely when you save the connector.

To generate the header on Linux and Mac OS X:

  1. In the command line, type the following command, including the single quotation marks:

    echo -n '<user_name>:<password>' | base64

    where you must replace <user_name> and <password> with a valid user name and password for Jira.

  2. Copy the following string, which you must enter in the Authorization Header field when you create the connector:

    Basic <resulting_base64_encoded_string>

For example, if the user name is "admin" and the password is "testpassword", the command is:

echo -n 'admin:testpassword' | base64

and the command produces this output:

YWRtaW46dGVzdHBhc3N3b3Jk

So, in the Authorization Header field, you would paste:

Basic YWRtaW46dGVzdHBhc3N3b3Jk
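
The Linux and macOS procedure above as a small script, added here as an example and not part of the Alert Logic documentation; the function names are this example's own. It covers two details the one-line command leaves to the operator: GNU base64 wraps its output after 76 characters, which breaks the header for long credentials, and a header built with a trailing newline encodes the wrong credentials. Because base64 is reversible, the resulting header is as sensitive as the password itself.

```shell
#!/bin/sh
# Added example, not Alert Logic's code: build and check the Basic header value.

# make_basic_header USER SECRET -> prints "Basic <base64 of USER:SECRET>" on one line.
make_basic_header() {
    # printf '%s' adds no trailing newline (what echo -n is for, but portable);
    # tr strips the line breaks GNU base64 inserts after every 76 characters.
    printf 'Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# header_matches HEADER USER SECRET -> exit 0 only if HEADER decodes to exactly
# USER:SECRET. (-d is the GNU spelling; older macOS base64 uses -D.)
header_matches() {
    # The "x" sentinel stops $(...) from trimming a stray trailing newline, so a
    # header built with plain echo (no -n) is rejected instead of passing.
    decoded=$(printf '%s' "${1#Basic }" | base64 -d 2>/dev/null; printf x)
    [ "$decoded" = "$2:${3}x" ]
}

# prompt_basic_header USER -> reads the secret with terminal echo off, so it is
# never typed on a command line that the shell saves to its history file.
prompt_basic_header() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo; IFS= read -r secret; stty echo; printf '\n' >&2
    make_basic_header "$1" "$secret"
    unset secret
}

# The page's example credentials; prints: Basic YWRtaW46dGVzdHBhc3N3b3Jk
make_basic_header admin testpassword
```

Run `prompt_basic_header <user_name>` interactively to produce the value for the Authorization Header field without placing the password in shell history.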

To generate the header in Windows PowerShell:

  1. In the command line, type the following commands, including the quotation marks:

    PS C:\Temp>$auth = [System.Text.Encoding]::UTF8.GetBytes("<user_name>:<password>")

    PS C:\Temp>[System.Convert]::ToBase64String($auth)

    where you must replace <user_name> and <password> with a valid user name and password for Jira.

  2. Copy the following string, which you must enter in the Authorization Header field when you create the connector:

    Basic <resulting_base64_encoded_string>

For example, if the user name is "admin" and the password is "testpassword", the commands are:

PS C:\Temp>$auth = [System.Text.Encoding]::UTF8.GetBytes("admin:testpassword")

PS C:\Temp>[System.Convert]::ToBase64String($auth)

and the command produces this output:

YWRtaW46dGVzdHBhc3N3b3Jk

So, in the Authorization Header field, you would paste:

Basic YWRtaW46dGVzdHBhc3N3b3Jk

Customize the payload template

Decide which type of security information you want Alert Logic to send to Jira: Incident, Observation (of a log correlation), or a Scheduled Report Notification payload.

If you want to send more than one payload type, you must configure a connector for each one. Because the payload is different, each payload type requires a separate connector instance.

Alert Logic provides a payload template for an incident and an observation using JQ transformation. A payload template converts the Alert Logic security information to the format expected by Jira. You can add or remove lines in the sample template to meet your workflow requirements and security goals. You must replace placeholder information in angle brackets with valid values. If you want to create a Jira connector for scheduled report notifications, you will need to configure the payload template.

For definitions of the Alert Logic variables in the templates and the full JSON that you can use to configure your payload template in JQ or JSON format, see:

For more information about JQ, see JQ. A helpful website for converting JSON to JQ is jq play.

Incident payload template

JQ Template

{
    "fields": {
        "reporter": {
            "id": "<REPORTER ID>"
        },
        "issuetype": {
            "name": "Task"
        },
        "project": {
            "key": "<PROJECT KEY>"
        },
        "summary": .incident.summary,
        "description": {
            "type": "doc",
            "version": 1,
            "content": [
                {
                    "type": "paragraph",
                    "content": [
                        {
                            "text": .incident.description,
                            "type": "text"
                        }
                    ]
                },
                {
                    "type": "paragraph",
                    "content": [
                        {
                            "type": "text",
                            "text": "Link to the incident",
                            "marks": [
                                {
                                    "type": "link",
                                    "attrs": {
                                        "href": .extra.incidentUrl
                                    }
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        "priority": {
            "name": (if .incident_threat_rating == "Critical" then "Highest" elif .incident_threat_rating == "High" then "High" elif .incident_threat_rating == "Medium" then "Medium" else "Low" end)
        }
    }
}

Observation payload template

JQ Template

{
    "fields": {
        "reporter": {
            "id": "<REPORTER ID>"
        },
        "issuetype": {
            "name": "Task"
        },
        "project": {
            "key": "<PROJECT KEY>"
        },
        "summary": .fields.summary,
        "description": {
            "type": "doc",
            "version": 1,
            "content": [
                {
                    "type": "paragraph",
                    "content": [
                        {
                            "text": ("Description: " + .fields.desc),
                            "type": "text"
                        },
                        {
                            "text": ("Recommendations: " + .fields.recommendations),
                            "type": "text"
                        },
                        {
                            "text": ("Class: " + .fields.class),
                            "type": "text"
                        },
                        {
                            "text": ("Subclass: " + .fields.subclass),
                            "type": "text"
                        }
                    ]
                }
            ]
        },
        "priority": {
            "name": (if .fields.severity == "critical" then "Highest" elif .fields.severity == "high" then "High" elif .fields.severity == "medium" then "Medium" else "Low" end)
        }
    }
}
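
A local check of the priority mapping in the two templates above, added here as an example and not part of the Alert Logic documentation. It needs jq installed; the function names and the sample payloads are constructed for illustration and say nothing about the real event schema. Both templates end in `else "Low"`, and the incident template compares against "Critical" while the observation template compares against "critical", so a missing field or a differently cased value is filed as Low without any error.

```shell
#!/bin/sh
# Added example, not Alert Logic's code: exercise the templates' priority
# expressions locally with jq before pasting a template into the connector.

# Priority expressions copied from the incident and observation templates.
INCIDENT_PRIORITY='if .incident_threat_rating == "Critical" then "Highest" elif .incident_threat_rating == "High" then "High" elif .incident_threat_rating == "Medium" then "Medium" else "Low" end'
OBSERVATION_PRIORITY='if .fields.severity == "critical" then "Highest" elif .fields.severity == "high" then "High" elif .fields.severity == "medium" then "Medium" else "Low" end'

# explain_priority EXPR FIELD_PATH JSON
# Prints '<raw value the template read> -> <Jira priority>', which makes a null
# or differently cased rating that falls through to "Low" visible.
explain_priority() {
    printf '%s' "$3" | jq -r "[($2 | tojson), ($1)] | join(\" -> \")"
}

# silent_fallthrough EXPR FIELD_PATH JSON
# Exit 0 when the field is absent (null) yet the template still yields "Low".
silent_fallthrough() {
    printf '%s' "$3" | jq -e "($2 == null) and (($1) == \"Low\")" >/dev/null
}

if command -v jq >/dev/null 2>&1; then
    # Constructed payloads, not captured Alert Logic events. The third one nests
    # the rating under a hypothetical path the template does not read.
    for doc in '{"incident_threat_rating":"Critical"}' \
               '{"incident_threat_rating":"critical"}' \
               '{"incident":{"threat_rating":"Critical"}}'; do
        explain_priority "$INCIDENT_PRIORITY" '.incident_threat_rating' "$doc"
    done
fi
```

Run the same functions against the sample issue that the connector's TEST button creates to confirm that the path and casing in your template match what Alert Logic sends.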

Create the Jira webhook connector from the Alert Logic console

After you note your Jira instance name, generate the Authorization header, and customize the payload template, the next step is to create the webhook in the Alert Logic console and test the payload.

To create a Jira webhook connector:

  1. In the Alert Logic console, click the Settings icon, and then click Connectors.
  2. On the Connectors page, click the add icon, and then click Jira.
  3. On the Create a Jira Connector page, type a descriptive name for the webhook connector, for example, "Jira Webhook Connector for Incidents."
  4. In the prepopulated Target URL https://<myinstance>.atlassian.net/rest/api/3/issue, replace "<myinstance>" with the Jira instance name that you noted earlier.
  5. In Custom Header(s), leave the information as is. The field is prepopulated with the custom headers that Jira requires.
  6. In Authorization Header, paste the Authorization header you generated earlier.
  7. Choose the Payload Type, which is the type of Alert Logic security information that you want to send: Incident, Observation (of a log correlation), or Scheduled Report Notification.
  8. Choose the format of the payload template you customized earlier: JSON or JQ.
  9. Enter the payload template that you customized.
  10. A red bar next to a line indicates a syntax error. Code with errors is underlined with a jagged red line. You can hover your pointer over the underlined code to view a tip about the error.
  11. Click TEST to send a test webhook request to the target URL provided. For more information, see Connector test results.
  12. If your webhook connector sent the test event to the target URL successfully, click SAVE.

Connector test results

If you receive a message that the connector was successfully tested, Alert Logic sends the payload template you configured and populates an issue in Jira with sample data. Check Jira to ensure the results are expected, and adjust the payload template if necessary.

If the test is unsuccessful, Alert Logic displays an error message. For server response errors, you can use the error code and message that Alert Logic passes through to troubleshoot the issue. Alert Logic also informs you if your JSON or JQ payload template contains syntax errors.

Subscribe your webhook to receive notifications

After you test and save the connector configuration, the last step is to set up your notification criteria and subscribe the webhook.

You can set up and manage a notification of any type directly from the Notifications page. For more information, see Manage Notifications. You can create notifications from other pages according to notification type:

  • For incidents, you can also create a notification from the Incidents page. For more information, see Incident Notifications.
  • For observations, you can also create a notification from the Search page (Log Search tab or Correlations tab) during the process of creating the correlation or by editing an existing correlation listed on the Correlations tab. For more information, see Correlations and Notifications and Observation Notifications.
  • For scheduled reports, you can also schedule the report and subscribe notification recipients from the Reports page. For more information, see Scheduled Reports and Notifications.

Manage your connectors

You can view the list of connectors and edit or delete an existing one. For more information, see Manage Connectors.