Skip to main content

Sync Cases to ITSM Tool

Configure the ITSM Webhook automation once, then push case updates to any ITSM with a single click from inside a case.

What You Need

  • Administrator access to Automations → Integrations
  • Your ITSM’s API endpoint URL and an auth credential (username:password, token, or API key)
The Four Steps

  1. Configure the integration — open the itsm_webhook drawer and fill in your ITSM’s connection details. (Automations → Integrations → + → itsm_webhook)
  2. Map ticket fields & statuses — tell the SIEM how to read your ITSM’s ticket ID and which statuses correspond to which case states. (Integration drawer → scroll to Status Mapping / advanced settings)
  3. Create a callback token — generate the credential your ITSM uses to push status changes back to the SIEM. (Integration drawer → key icon)
  4. Sync a case — open any case and click Sync With ITSM to create or update its ticket. (Cases → open a case → Sync With ITSM)

Note: Only one ITSM integration is allowed per workspace. If you need to switch tools later, edit the existing integration rather than creating a new one.

Step 1 — Configure the Integration

1.1 Open the Integration Drawer

Path: Automation → ITSM Webhook → Click to Configure

Go to Automation in the left navigation. Find the row named ITSM Webhook (tagged itsm) and click anywhere on the row, or select Click to Configure under Config Status. A drawer slides in from the right with the configuration form.

1.2 Fill in the Connection Details

Path: Integration drawer → top section

Enter a name for this configuration and the details your ITSM needs to create a new ticket. These fields describe the outbound request the SIEM sends when a case is synced for the first time.

FieldWhat to enter
Configuration NameA friendly label for this integration, e.g. JIRA ITSM
ITSM ProviderThe tool you’re connecting, e.g. Jira
Create MethodPOST — the HTTP method your ITSM uses to create tickets
Create URLYour ITSM’s ticket-creation endpoint, e.g. https://<domain&gt;.atlassian.net/rest/api/3/issue
Auth TypeBasic for username/password, or your ITSM’s preferred auth method
Auth Credentialsusername:password or a token — leave blank to keep the saved value
1.3 Define the Request Headers and Payload

Path: Integration drawer → scroll down

Scroll down within the drawer to add any headers your ITSM requires and the JSON body it expects for a new ticket. Use template variables such as $case_name or $severity — the SIEM substitutes real case data at sync time.

FieldWhat to enter
Additional HeadersAny extra HTTP headers as JSON, e.g. {“Content-Type”: “application/json”}
Request Body FormatThe payload encoding your ITSM expects — typically json
Create PayloadThe JSON body sent when a new ticket is created. Reference case fields with $case_name, $description, etc.
Step 2 — Map Ticket Fields

2.1 Tell the SIEM How to Read the Ticket Back

Path: Integration drawer → continue scrolling

After a ticket is created, your ITSM responds with a ticket ID. Point the SIEM at the field holding that ID, then provide the endpoint it should call to keep an existing ticket up to date.

FieldWhat to enter
Ticket ID FieldThe field name in your ITSM’s response that holds the ticket ID, e.g. key. The SIEM stores this to track which case maps to which ticket
Update URLYour ITSM’s endpoint for updating an existing ticket. Use $ticket_id as a placeholder — the SIEM substitutes the real ID
Update MethodHTTP method for the update request — typically PUT
Update PayloadJSON body for the update request, using the same template variables as the Create Payload
2.2 Map Statuses, Configure Notes, and Save

Path: Integration drawer → Status Mapping & Notes

Map each of your ITSM’s status labels to the corresponding case status so the two stay in sync automatically. Use + Add status for any labels not shown by default. Optionally configure the Notes endpoint so case notes post back to the ticket as comments.

FieldWhat to enter
Status MappingYour ITSM status on the left, the case status it should map to on the right, e.g. OPEN → Open, Resolved → Closed
Notes URL / Method / PayloadOptional — the endpoint, HTTP method, and JSON body for posting a case note as a ticket comment. Use $note_text as a placeholder
Integration Config IDAuto-generated and read-only — no action needed. Referenced internally by the callback token in Step 3

Click the save icon in the drawer header when done. The row’s Config Status changes to Configured once the SIEM validates the connection.

Step 3 — Create a Callback Token

Path: Integration drawer → key icon

The callback token lets your ITSM tool notify the SIEM when a ticket is updated — closing the loop so case statuses stay current without manual syncing. Open the itsm_webhook integration and click the key icon in the top-right corner of the drawer.

FieldWhat to enter
Config IDPre-filled automatically — no action needed
App NameA label for this token, e.g. Jira Production — inbound
DescriptionA short note about what this token is used for

Click Generate Token. The token is shown exactly once — copy it immediately and configure it as the inbound webhook secret in your ITSM tool.

Security: This token grants inbound write access scoped to this integration only. Treat it like a password — do not share it or store it in plain text.

Step 4 — How to Sync a Case to your ITSM

Path: Cases → open a case → Sync With ITSM

Once setup is complete, syncing a case is a single click. Open any case from the Cases list, then find the Sync With ITSM button in the toolbar.

Once clicked on the button, it will start syncing and once completed it will give you a success message with the ticket ID

StateWhat you see
EnableButton is active and clickable
DisabledButton is disabled while the request is in flight
SuccessA ticket ID tag appears next to the button, confirming the ticket was created or updated
Cooldown (10 mins)Button is disabled —before the next sync is allowed

Cooldown: The sync button locks for ten minutes after a successful sync to avoid duplicate ticket updates.