febery/blog
Back to thoughts
2 min read

argus part 5: the bidirectional itsm bridge

how argus automates the lifecycle of an incident by bridging security alerts with itsm ticketing.

security operations are only effective if they result in action. in most enterprises, "action" means a ticket in an itsm tool.

i built argus not just to be a messenger, but to be an active participant in the ticketing lifecycle. it acts as a bidirectional bridge between your security telemetry and your source of truth for incidents.

automated ticket logging

the most immediate benefit of the argus itsm bridge is automated logging. when a high-fidelity alert is triggered in sentinel or xdr:

  1. trigger: sentinel sends a post request to the argus api.
  2. orchestration: argus fetches the context and automatically creates a ticket in the itsm tool.
  3. notification: it then posts a teams card that includes the new ticket number, its status, and a direct link to the incident.

this eliminates the manual "copy-paste" phase of security operations, ensuring that every alert is tracked from the first second it appears.

monitoring and callbacks

a notification that becomes stale is worse than no notification at all. argus uses callbacks to ensure the teams workspace stays in sync with the itsm tool.

if an engineer updates the priority or assigns an owner to a ticket inside the itsm portal, the tool sends a callback (patch request) to argus. argus then performs an in-place update of the adaptive card in teams. the conversation evolves as the incident does, without cluttering the channel with new messages.

the "command & control" query

the bridge also works in the other direction. using teams' native interaction capabilities, engineers can query the itsm tool directly from the chat:

  • search: retrieve recent incidents for a specific user or asset.
  • status: check the current state of a ticket without leaving teams.
  • actions: trigger status changes or add comments directly from the adaptive card buttons.

this "single pane of glass" philosophy is what makes argus an enterprise overseer rather than a simple bot. it brings the data to the engineer, rather than forcing the engineer to go find the data.

in the final part of this series, we will explore how argus orchestrates complex playbooks and manages secure enterprise access.

Previous postargus part 6: orchestration and enterprise rbacNext postargus part 4: decoupling UI with adaptive cards