June 03, 2019 / by Mervin Marks / In soar /

DNIF & Freshdesk Integration

In most organizations, every department has its own set of tools for managing day-to-day team operations: project support teams might be using some form of ITSM tool, developers might be working closely with Github, project managers with project management tools, IT infrastructure teams with their own asset management solutions, and so on. This siloed way of operating makes it difficult for teams to collaborate and manage tasks that involve inter-departmental requests. To solve this set of challenges for security teams, DNIF users need not switch between multiple screens to collaborate, delegate or request actions across teams in their organization, thanks to the extensive list of automation and orchestration plugins available.

Today we have a new addition to this extensive list, and this time it is one of the offerings from Freshworks. Freshdesk is an award-winning cloud-hosted help desk solution designed to meet the demands of both small businesses and large companies. It also includes standard features such as help desk ticketing, a knowledge base and a community platform. Once set up, Freshdesk turns your support emails into tickets that you can track for rapid and accurate responses.

DNIF is a Big Data Real-Time Analytics Platform with customers from every major vertical using it as a SIEM, Security Analytics Tool and Threat Hunting Platform. DNIF comes with a host of Security Orchestration, Automation and Response (SOAR) capabilities, covering Enrichment, Validation and Response. The integration built with Freshdesk is a response integration: on detection of an incident, a ticket is raised in Freshdesk to be investigated further by the team members assigned to it. The flexibility of both platforms allows for multiple use-cases, some of which will be covered in future articles and blogs; for now, let's start with using Freshdesk with DNIF.

Benefits

  • Automatically generate tickets for incidents encountered.
  • Share the complete threat storyline with teams that need to act upon this information.
  • Create custom email templates as per encountered threat types, example: malware, brute force and so on.
  • Improve your incident response SLAs by automating the process, starting from threat detection to sharing the relevant details with incident response teams.

Using the Freshdesk API and DNIF

The Freshdesk API can be found on Github at https://github.com/dnif/trigger-freshdesk

Following are the steps to integrate Freshdesk with DNIF:

  1. Log in to your DNIF instance (i.e., the DataStore for distributed setups): access the DNIF container via SSH.

  2. Move to the /dnif/<Deployment-key>/trigger_plugins folder path.
    $cd /dnif/CnxxxxxxxxxxxxV8/trigger_plugins/
    
  3. Clone the Github repository using the following command:
    git clone https://github.com/dnif/trigger-freshdesk.git freshdesk
    
  4. Move to the ‘/dnif/<Deployment-key>/trigger_plugins/freshdesk/’ folder path, open the dnifconfig.yml configuration file and replace the <Add_your_*> tags with your Freshdesk credentials.
    trigger_plugin:
      FD_API: <Add_your_API_key>
      FD_PASS: X
      FD_DOMAIN: <Add_your_freshdesk_domain>
    
  5. Users can pass the necessary details from the query output to their tickets by defining the required fields in a template.txt file placed in the folder path ‘/dnif/<Deployment-key>/trigger_plugins/freshdesk/’.

Below are the contents of a template.txt file specific to the query shared in the following sections. This template can be customised as per your requirements and the fields you would like to include in your ticket description:

"email": "[email protected]",
"subject": "{$Subject}",
"priority" : 1,
"status" : 2,
"Description":
"Action: {$Action} </br>
Authentication Protocol: {$AuthProtocol}  </br>
Log Name: {$LogName} </br>
Login Source: {$LoginSrc} </br>
Source IP: {$SrcIP} </br>  
Sub Status: {$SubStatus} </br>
System Name: {$SystemName} </br>  
User : {$User} </br>
Message: {$Message}"

Note: a field name starting with a dollar sign, for example $Action, refers to the field within DNIF whose value you would like to include in the ticket template.

Freshdesk trigger plugin functions

The Freshdesk API trigger can be used to raise a ticket from within the DNIF web console based on certain events or incidents. The create_ticket function creates a ticket with the details defined in the ticket template. Following are the inputs required to create a ticket:

  • Subject of the ticket (commas cannot be used in the subject line) - this is similar to the subject line of an email.
  • Query result set with relevant fields.
  • Template name to be triggered - if this field is not provided the default template gets triggered.

DNIF Query Example

_fetch * from event where $Action = LOGIN_FAIL AND $Duration=30d limit 1
>>_trigger api freshdesk create_ticket Login Fail observed for user : , $User , default.txt

In the DNIF query above we look for login failures that took place over a duration of 30 days, and here the threshold to trigger the API is set at 1. The query then moves on to the next stage, where the API is actually triggered to create the login-fail ticket along with a mention of the users that failed to log in.

Output of the above query:

[Figure: Ticket created in Freshdesk from the DNIF web console]

The trigger call returns output in the following structure for the available data:

  Field                    Description
  $FDCreatedAt             Ticket creation timestamp
  $FDDescription           HTML content of the ticket
  $FDDueBy                 Timestamp that denotes when the ticket is due to be resolved
  $FDEmailConfigID         ID of the email config used for this ticket ([email protected]/[email protected]). If product_id is given and email_config_id is not, the product's primary email_config_id will be set
  $FDFirstResponseDueBy    Timestamp that denotes when the first response is due
  $FDGroupID               ID of the group to which the ticket has been assigned. The default value is the ID of the group associated with the given email_config_id
  $FDPriority              Priority of the ticket. The default value is 1
  $FDProductID             ID of the product to which the ticket is associated
  $FDRequesterID           User ID of the requester
  $FDTicketID              ID of the created ticket
  $FDStatus                Status of the ticket
  $FDsubject               Subject of the ticket
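As an added example (not the dnif/trigger-freshdesk plugin's own code), the Python below sketches what the template step above and this output-field table describe: rendering a template.txt-style ticket from one row of the LOGIN_FAIL query output, posting it with the API-key/"X" basic authentication that the FD_PASS: X line in dnifconfig.yml reflects, and mapping the Freshdesk response back to the $FD* fields. The {$Field} placeholder handling, the HTML escaping of the description, the requester address, the sample row and the sample response are assumptions or constructed values; the endpoint, the authentication scheme and the response keys follow the public Freshdesk API v2.

```python
"""Illustrative re-implementation of the trigger flow described in this post.
It is not the dnif/trigger-freshdesk code: the placeholder syntax, the HTTP
call and the response mapping are assumptions based on the page and on the
public Freshdesk API v2."""
import base64
import html
import json
import re
import urllib.request

# Placeholder syntax used in the page's template.txt: {$FieldName}
PLACEHOLDER = re.compile(r"\{\$(\w+)\}")

# Constructed template mirroring template.txt (the requester address is a
# placeholder; the page's "</br>" line breaks are written as the valid "<br>").
DEFAULT_TEMPLATE = {
    "email": "requester@example.com",
    "subject": "{$Subject}",
    "priority": 1,
    "status": 2,
    "description": (
        "Action: {$Action} <br>Authentication Protocol: {$AuthProtocol} <br>"
        "Log Name: {$LogName} <br>Login Source: {$LoginSrc} <br>"
        "Source IP: {$SrcIP} <br>Sub Status: {$SubStatus} <br>"
        "System Name: {$SystemName} <br>User : {$User} <br>Message: {$Message}"
    ),
}


def render_value(text, row, escape):
    """Replace each {$Field} with the row's value; a field missing from the row
    becomes ''.  With escape=True the value is HTML-escaped, which matters for
    the description: Freshdesk renders it as HTML, and log fields such as
    usernames and messages are influenced by whoever generated the event."""
    def sub(m):
        value = str(row.get(m.group(1), ""))
        return html.escape(value) if escape else value
    return PLACEHOLDER.sub(sub, text)


def render_ticket(template, row):
    """Render every string value of the template.  Only the HTML description is
    escaped (the subject is plain text); non-string values pass through."""
    return {k: render_value(v, row, escape=(k == "description")) if isinstance(v, str) else v
            for k, v in template.items()}


def build_subject(prefix, row, field):
    """The trigger line passes the subject as comma-separated arguments
    ('Login Fail observed for user : , $User'), which is why commas are not
    allowed in it; join the literal prefix with the named row field."""
    return f"{prefix} {row.get(field, '')}"


def post_ticket(domain, api_key, payload):
    """POST to the Freshdesk API v2 tickets endpoint.  Freshdesk basic auth takes
    the API key as the username and the literal 'X' as the password, which is
    what FD_PASS: X in the page's dnifconfig.yml reflects.  Needs network, so the
    stand-alone demo below does not call it."""
    token = base64.b64encode(f"{api_key}:X".encode()).decode()
    req = urllib.request.Request(
        f"https://{domain}.freshdesk.com/api/v2/tickets",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Freshdesk v2 ticket response keys -> output fields from the page's table
RESPONSE_MAP = {
    "created_at": "$FDCreatedAt", "description": "$FDDescription",
    "due_by": "$FDDueBy", "email_config_id": "$FDEmailConfigID",
    "fr_due_by": "$FDFirstResponseDueBy", "group_id": "$FDGroupID",
    "priority": "$FDPriority", "product_id": "$FDProductID",
    "requester_id": "$FDRequesterID", "id": "$FDTicketID",
    "status": "$FDStatus", "subject": "$FDsubject",
}


def map_response(fd_ticket):
    """Translate the Freshdesk JSON into the $FD* fields; absent keys map to None."""
    return {out: fd_ticket.get(key) for key, out in RESPONSE_MAP.items()}


# Constructed sample row from the LOGIN_FAIL query, with markup in the user
# name to show the escaping, and a constructed stand-in for the API response.
SAMPLE_ROW = {
    "Action": "LOGIN_FAIL", "AuthProtocol": "NTLM", "LogName": "Security",
    "LoginSrc": "WORKSTATION01", "SrcIP": "10.0.0.5", "SubStatus": "0xC000006A",
    "SystemName": "DC01", "User": "j.doe<b>x</b>", "Message": "An account failed to log on.",
}
SAMPLE_RESPONSE = {"id": 42, "created_at": "2019-06-03T10:00:00Z", "status": 2,
                   "priority": 1, "requester_id": 7, "subject": "Login Fail observed for user : j.doe"}

if __name__ == "__main__":
    row = dict(SAMPLE_ROW, Subject=build_subject("Login Fail observed for user :", SAMPLE_ROW, "User"))
    print(json.dumps(render_ticket(DEFAULT_TEMPLATE, row), indent=2))
    print(map_response(SAMPLE_RESPONSE))
```

Running the file prints the rendered ticket body and the $FD* mapping for the constructed sample; to create a real ticket you would pass the rendered dict to post_ticket with the FD_DOMAIN and FD_API values from dnifconfig.yml. The escaping in render_value is the one point worth carrying into any real template: the description is HTML, so a username or message copied straight out of a log line would otherwise be rendered as markup inside the ticket.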

In conclusion, DNIF analyzes and detects possible threats or suspicious activity in a network environment and automatically generates a ticket in Freshdesk. Once a ticket is generated in Freshdesk, all responsible teams can coordinate appropriately and act upon it. Team DNIF is happy to announce this integration with Freshdesk from Freshworks, not just as a technology partner but as happy customers who use quite a few of their services. We hope to build upon the existing integration and increase its functionality.