Sync Cases to ITSM Tool
Configure the ITSM Webhook automation once, then push case updates to any ITSM with a single click from inside a case.
What You Need
- Administrator access to Automations → Integrations
- Your ITSM’s API endpoint URL and an auth credential (username:password, token, or API key)
The Four Steps
- Configure the integration — open the itsm_webhook drawer and fill in your ITSM’s connection details. (Automations → Integrations → + → itsm_webhook)
- Map ticket fields & statuses — tell the SIEM how to read your ITSM’s ticket ID and which statuses correspond to which case states. (Integration drawer → scroll to Status Mapping / advanced settings)
- Create a callback token — generate the credential your ITSM uses to push status changes back to the SIEM. (Integration drawer → key icon)
- Sync a case — open any case and click Sync With ITSM to create or update its ticket. (Cases → open a case → Sync With ITSM)
Note: Only one ITSM integration is allowed per workspace. If you need to switch tools later, edit the existing integration rather than creating a new one.
Step 1 — Configure the Integration
1.1 Open the Integration Drawer
Path: Automation → ITSM Webhook → Click to Configure
Go to Automation in the left navigation. Find the row named ITSM Webhook (tagged itsm) and click anywhere on the row, or select Click to Configure under Config Status. A drawer slides in from the right with the configuration form.

1.2 Fill in the Connection Details
Path: Integration drawer → top section
Enter a name for this configuration and the details your ITSM needs to create a new ticket. These fields describe the outbound request the SIEM sends when a case is synced for the first time.

| Field | What to enter |
| Configuration Name | A friendly label for this integration, e.g. JIRA ITSM |
| ITSM Provider | The tool you’re connecting, e.g. Jira |
| Create Method | POST — the HTTP method your ITSM uses to create tickets |
| Create URL | Your ITSM’s ticket-creation endpoint, e.g. https://<domain>.atlassian.net/rest/api/3/issue |
| Auth Type | Basic for username/password, or your ITSM’s preferred auth method |
| Auth Credentials | username:password or a token — leave blank to keep the saved value |
1.3 Define the Request Headers and Payload
Path: Integration drawer → scroll down
Scroll down within the drawer to add any headers your ITSM requires and the JSON body it expects for a new ticket. Use template variables such as $case_name or $severity — the SIEM substitutes real case data at sync time.

| Field | What to enter |
| Additional Headers | Any extra HTTP headers as JSON, e.g. {"Content-Type": "application/json"} |
| Request Body Format | The payload encoding your ITSM expects — typically json |
| Create Payload | The JSON body sent when a new ticket is created. Reference case fields with $case_name, $description, etc. |
Step 2 — Map Ticket Fields
2.1 Tell the SIEM How to Read the Ticket Back
Path: Integration drawer → continue scrolling
After a ticket is created, your ITSM responds with a ticket ID. Point the SIEM at the field holding that ID, then provide the endpoint it should call to keep an existing ticket up to date.

| Field | What to enter |
| Ticket ID Field | The field name in your ITSM’s response that holds the ticket ID, e.g. key. The SIEM stores this to track which case maps to which ticket |
| Update URL | Your ITSM’s endpoint for updating an existing ticket. Use $ticket_id as a placeholder — the SIEM substitutes the real ID |
| Update Method | HTTP method for the update request — typically PUT |
| Update Payload | JSON body for the update request, using the same template variables as the Create Payload |
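
The following is an added example, not the SIEM's own code: an offline check you can run on a Create Payload, Ticket ID Field and Update URL before saving them in the drawer. It assumes the `$variable` placeholders behave like Python's `string.Template`; the payload field names, the URL and the sample case are constructed.

```python
import json
from string import Template
from urllib.parse import quote

# Constructed templates in the shape the drawer fields expect (field names are assumptions).
CREATE_PAYLOAD = '{"title": "$case_name", "details": "$description", "priority": "$severity"}'
UPDATE_URL = "https://itsm.example.com/api/tickets/$ticket_id"


def json_escape(value):
    """Escape a value for use inside a JSON string literal (without the outer quotes)."""
    return json.dumps(str(value))[1:-1]


def render_payload(template, case):
    """Substitute case fields into a JSON template and confirm the result still parses."""
    escaped = {name: json_escape(value) for name, value in case.items()}
    # substitute() raises KeyError for a $variable that has no value, which catches typos.
    body = Template(template).substitute(escaped)
    # json.loads raises ValueError if the template is not valid JSON after substitution.
    return json.loads(body)


def extract_ticket_id(response_text, ticket_id_field="key"):
    """Read the configured Ticket ID Field from the ITSM's create response."""
    ticket_id = json.loads(response_text).get(ticket_id_field)
    if not isinstance(ticket_id, (str, int)) or str(ticket_id) == "":
        raise ValueError(f"response has no usable {ticket_id_field!r} field")
    return str(ticket_id)


def render_update_url(template, ticket_id):
    """Substitute $ticket_id, percent-encoding it so it stays a single path segment."""
    return Template(template).substitute(ticket_id=quote(ticket_id, safe=""))


if __name__ == "__main__":
    # Constructed case data containing quotes and a newline, which break naive substitution.
    case = {"case_name": 'Suspicious login "admin"', "description": "line1\nline2", "severity": "high"}
    print(render_payload(CREATE_PAYLOAD, case))
    ticket = extract_ticket_id('{"id": "10001", "key": "SEC-42"}')  # constructed response
    print(render_update_url(UPDATE_URL, ticket))
```

Case names and descriptions are analyst- or alert-supplied text, so test templates with values containing quotes, backslashes and newlines rather than only simple strings.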
2.2 Map Statuses, Configure Notes, and Save
Path: Integration drawer → Status Mapping & Notes
Map each of your ITSM’s status labels to the corresponding case status so the two stay in sync automatically. Use + Add status for any labels not shown by default. Optionally configure the Notes endpoint so case notes post back to the ticket as comments.

| Field | What to enter |
| Status Mapping | Your ITSM status on the left, the case status it should map to on the right, e.g. OPEN → Open, Resolved → Closed |
| Notes URL / Method / Payload | Optional — the endpoint, HTTP method, and JSON body for posting a case note as a ticket comment. Use $note_text as a placeholder |
| Integration Config ID | Auto-generated and read-only — no action needed. Referenced internally by the callback token in Step 3 |
Click the save icon in the drawer header when done. The row’s Config Status changes to Configured once the SIEM validates the connection.

Step 3 — Create a Callback Token
Path: Integration drawer → key icon
The callback token lets your ITSM tool notify the SIEM when a ticket is updated — closing the loop so case statuses stay current without manual syncing. Open the itsm_webhook integration and click the key icon in the top-right corner of the drawer.

| Field | What to enter |
| Config ID | Pre-filled automatically — no action needed |
| App Name | A label for this token, e.g. Jira Production — inbound |
| Description | A short note about what this token is used for |
Click Generate Token. The token is shown exactly once — copy it immediately and configure it as the inbound webhook secret in your ITSM tool.
Security: This token grants inbound write access scoped to this integration only. Treat it like a password — do not share it or store it in plain text.
Step 4 — How to Sync a Case to your ITSM
Path: Cases → open a case → Sync With ITSM
Once setup is complete, syncing a case is a single click. Open any case from the Cases list, then find the Sync With ITSM button in the toolbar.

After you click the button, the sync starts. When it completes, a success message appears with the ticket ID.

| State | What you see |
| Enabled | Button is active and clickable |
| Disabled | Button is disabled while the request is in flight |
| Success | A ticket ID tag appears next to the button, confirming the ticket was created or updated |
| Cooldown (10 mins) | Button is disabled until the next sync is allowed |
Cooldown: The sync button locks for ten minutes after a successful sync to avoid duplicate ticket updates.
