Easing Ticket Troubles
While ticket management is a necessity for most organizations today, it’s not without some security challenges. Using different platforms for incident management and ticketing respectively makes it tough to align tickets with incident lifecycles. This also leads to endless screen switching and tiresome information collection for documentation.
Product proliferation also leads to tougher ticket creation as analysts receive alerts from a wide variety of sources. This either results in manual ticket creation – a source of stress and analyst error – or piecemeal automation that causes redundant ticket creation.
Here, we will show how combining RSA Archer’s ticket management features with Demisto’s security orchestration and automation capabilities can provide analysts with a unified platform that runs the gamut from ticket creation to resolution.
Using Demisto and Archer, you can:
- Ingest Archer ticket data into Demisto Enterprise.
- Trigger playbooks for triage and resolution of Archer tickets.
- Leverage 140+ Demisto product integrations to enrich Archer tickets.
- Run 10+ Archer commands interactively via a ChatOps interface while collaborating with other analysts and Demisto AI.
USE CASE #1
Automated ticket management and response
If a security analyst uses different platforms for incident management and ticketing respectively, it can be tough to track the lifecycle of an incident due to flitting between screens, fragmented information, and lack of single-window documentation.
If analysts use RSA Archer for ticketing and Demisto for incident management and security orchestration, they can trigger actions for specific ticket types in Archer to create an incident in Demisto.
Ticket enrichment and response can also be streamlined by automatically running playbooks upon ticket creation in Archer. For example, any external IP addresses and domains can be enriched using reputation sources and can then be cross-checked against the internal IOC database aggregated from ISACs and threat feeds. If there are any hits, the incident severity can be raised, among other actions.
Demisto playbooks and investigation toolkits can gather additional information needed for triage and resolution of Archer tickets. Analysts can align ticket management with an incident’s lifecycle, can access documentation from a single source, and forego the need to switch between screens.
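As an added illustration of the enrichment step described above (not code from the original post or from Demisto or RSA Archer), the script below pulls external IPs and domains out of a constructed Archer ticket, enriches them against a stand-in reputation source, cross-checks them against a stand-in internal IOC set and raises the ticket severity on a hit. The ticket, the IOC set, the reputation data and the "raise to at least High" policy are all assumptions for the example.

```python
import ipaddress
import re

# Constructed sample Archer ticket, not real data.
TICKET = {
    "id": "TICKET-0001",
    "severity": "Low",
    "description": (
        "User reported a phishing email. Sender IP 203.0.113.45, link to "
        "bad-example.test, relayed through 10.0.0.12 and updates.example.org."
    ),
}

# Constructed stand-ins for the internal IOC database (aggregated from ISACs
# and threat feeds) and for an external reputation source.
INTERNAL_IOCS = {"203.0.113.45", "bad-example.test"}
REPUTATION = {"203.0.113.45": "malicious", "updates.example.org": "benign"}

# Address ranges treated as internal; only indicators outside them get enriched.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


def is_external_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # regex false positive such as 999.1.1.1
    return not any(addr in net for net in INTERNAL_NETS)


def extract_indicators(text):
    """Return (external IPs, domains) found in free text."""
    ips = {ip for ip in IP_RE.findall(text) if is_external_ip(ip)}
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    return ips, domains


def triage_ticket(ticket, iocs=INTERNAL_IOCS, reputation=REPUTATION):
    """Enrich indicators, cross-check against IOCs and raise severity on a hit."""
    ips, domains = extract_indicators(ticket["description"])
    indicators = ips | domains
    enrichment = {i: reputation.get(i, "unknown") for i in sorted(indicators)}
    ioc_hits = sorted(indicators & set(iocs))
    severity = ticket["severity"]
    if ioc_hits:
        # Assumed policy: a confirmed IOC hit raises the ticket to at least High.
        severity = max(severity, "High", key=SEVERITY_ORDER.index)
    return {"id": ticket["id"], "indicators": enrichment,
            "ioc_hits": ioc_hits, "severity": severity}
```

In a Demisto playbook the reputation lookup and IOC check would be separate integration commands; here they are dictionaries so the logic runs offline.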
To learn more about Demisto’s integration with RSA Archer, read our joint solution brief:
USE CASE #2
Automate ticket creation across alert sources
When SOCs receive alerts from a wide range of different sources, those sources are usually isolated from the ticketing platform. If ticket creation for alerts is manual, it leads to alert fatigue and to potentially serious tickets slipping through the cracks. If ticket creation is automated separately for each source, it leads to redundant tickets being generated and leaves analysts in a muddle.
Analysts can create rule sets to use information gathered from other alerting sources and automatically create tickets in Archer. The output of the ticket creation task can be used in other related tasks like sending the owner relevant ticket information in an email, and automating initial enrichment.
Moreover, redundant ticket creation is taken care of using Demisto’s Related Incidents screen. This time-based radial view of related incidents gives analysts a quick visual map of how incidents are linked. After this review, analysts can choose to track similar incidents together or simply mark them as duplicates.
Unified and automated ticket creation across sources ensures that analysts minimize repetitive tasks and are notified only when they have relevant information available to use. They can also quickly view similar incidents, track similar tickets together, and resolve duplicate tickets to improve the ticket quality of their SOC.
With Demisto’s 140+ technology partner base, these use cases just scratch the surface of potential actions analysts can orchestrate using Archer as one of the components.
If you are new to Demisto and interested in exploring this integration among others, we invite you to sign up for the Demisto Community Edition below.