Integrate Zendesk with Google SecOps
This document explains how to integrate Zendesk with Google Security Operations.
Use cases
The Zendesk integration uses Google SecOps capabilities to support the following use cases:
Automate incident ticketing: Automatically create Zendesk tickets from security alerts to ensure every incident is tracked and assigned to the correct team.
Streamline analyst communication: Add comments and internal notes to tickets directly from playbooks to keep stakeholders informed without leaving the platform.
Standardize response workflows: Apply Zendesk macros to tickets to automate repetitive actions and ensure consistent handling of common security issues.
Track ticket resolution: Periodically retrieve ticket details and status updates to synchronize the incident lifecycle across both platforms.
Search historical context: Query existing tickets by keyword to find related historical incidents and accelerate current investigations.
Before you begin
Before you configure the integration in Google SecOps, verify that your Zendesk environment meets the following requirements:
API token: An administrator must generate a valid API token to authenticate the connection. For detailed instructions, see Managing API token access to the Zendesk API.
Account permissions: Ensure the account used to generate the token has sufficient permissions to create and update tickets in the target groups.
Token access: Enable Token Access in your Zendesk API settings to allow the integration to communicate with the Zendesk API.
Integration parameters
The Zendesk integration requires the following parameters:
| Parameter | Description |
|---|---|
| Server Address | Required. The URL of your Zendesk instance. The default value is |
| User Email Address | Required. The email address of the Zendesk user account used to authenticate the connection. |
| Api Token | Required. The unique API token generated within your Zendesk administrator settings. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add Comment to Ticket
Add a comment to an existing ticket.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Ticket ID | String | N/A | Ticket number. |
| Comment Body | String | N/A | N/A |
| Author Name | String | N/A | N/A |
| Internal Note | Boolean | N/A | N/A |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Apply Macros on Ticket
Apply a macro to a ticket.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Ticket ID | String | N/A | Ticket number. |
| Macro Title | String | N/A | N/A |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_applied | True/False | is_applied:False |
JSON Result
N/A
Create Ticket
Create a ticket with specific properties.
Known Limitations
Email addresses with Unicode characters are not supported by the Zendesk API. This affects the "Email CCs" parameter: the action ignores such addresses.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Subject | String | N/A | N/A |
| Description | String | N/A | N/A |
| Assigned User | String | N/A | User full name. |
| Assignment Group | String | N/A | Group name. |
| Priority | String | N/A | Priority will be one of the following: urgent, high, normal, or low. |
| Ticket Type | String | N/A | The ticket type will be one of the following: problem, incident, question or task. |
| Tag | String | N/A | N/A |
| Internal Note | Checkbox | Un-checked | Specify whether the comment should be public or internal. Unchecked means it will be public; checked means it will be internal only. |
| Email CCs | CSV | N/A | Specify a comma-separated list of email addresses that should also receive the notification of the ticket creation. Note: a maximum of 48 email CCs can be added. This is a Zendesk limitation. |
| Validate Email CCs | Boolean | Checked | If enabled, the action checks that users with the emails provided in the "Email CCs" parameter exist. If at least one user doesn't exist, the action fails. If this parameter is disabled, the action does not perform this check. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| ticket_id | N/A | N/A |
JSON Result
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | If "Validate Email CCs" is enabled and at least one email was not found (fail): Error executing action "{action name}". Reason: users with the following emails were not found: {entity.identifier}. Please check the spelling or disable "Validate Email CCs" parameter. If at least one input is not a valid email address: Error executing action "{action name}". Reason: users with the following emails were not found: {entity.identifier}. Please check the spelling or disable "Validate Email CCs" parameter. | General |
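A playbook-side pre-check for the "Email CCs" value, reflecting the limits documented for Create Ticket (at most 48 addresses, Unicode addresses ignored). This is an added example, not code from the integration; `precheck_email_ccs`, the simplified address pattern and the sample addresses are assumptions.

```python
import re

MAX_EMAIL_CCS = 48  # limit stated in the "Email CCs" parameter description

# Assumption: a deliberately simple syntax check (one "@", dotted domain,
# no whitespace or commas). It is not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def precheck_email_ccs(csv_value):
    """Sort an "Email CCs" value into accepted, non-ASCII and malformed entries.

    Hypothetical helper. Raises ValueError if more than MAX_EMAIL_CCS usable
    addresses remain, so the playbook fails before the ticket is created.
    """
    accepted, non_ascii, malformed = [], [], []
    seen = set()
    for raw in csv_value.split(","):
        addr = raw.strip()
        if not addr:
            continue
        key = addr.lower()       # assumption: treat addresses case-insensitively
        if key in seen:          # drop duplicates so they do not count to the cap
            continue
        seen.add(key)
        if not addr.isascii():
            non_ascii.append(addr)   # the action would silently ignore these
        elif not EMAIL_RE.match(addr):
            malformed.append(addr)   # would fail "Validate Email CCs"
        else:
            accepted.append(addr)
    if len(accepted) > MAX_EMAIL_CCS:
        raise ValueError(
            f"{len(accepted)} email CCs supplied, limit is {MAX_EMAIL_CCS}")
    return {"accepted": accepted, "non_ascii": non_ascii, "malformed": malformed}


# Constructed sample input; none of these addresses come from the page.
SAMPLE_CCS = ("soc-lead@example.com, ir@example.com, jos\u00e9@example.com, "
              "not-an-address, IR@example.com")

if __name__ == "__main__":
    print(precheck_email_ccs(SAMPLE_CCS))
```

Reporting the `non_ascii` list in the case wall makes the silent drop visible to the analyst who expected those recipients to be notified.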
Get Ticket Details
Get ticket details, comments, and attachments by the ticket ID.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Ticket ID | String | N/A | The ID of the ticket. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| ticket_details | N/A | N/A |
JSON Result
```json
{
  "Details": {
    "ticket": {
      "follower_ids": [],
      "via": {
        "source": {"to": {}, "from": {}, "rel": "None"},
        "channel": "web"
      },
      "updated_at": "2019-02-03T10:08:00Z",
      "submitter_id": 360638872459,
      "assignee_id": 360638872459,
      "brand_id": 360000159559,
      "id": 2,
      "custom_fields": [],
      "satisfaction_rating": "None",
      "sharing_agreement_ids": [],
      "allow_attachments": "True",
      "collaborator_ids": [],
      "priority": "high",
      "subject": "Test",
      "type": "incident",
      "status": "open",
      "description": "Test Test Test",
      "tags": ["test"],
      "forum_topic_id": "None",
      "organization_id": 360018882419,
      "due_at": "None",
      "is_public": "True",
      "requester_id": 360638872459,
      "followup_ids": [],
      "recipient": "None",
      "problem_id": "None",
      "url": "https://siemplifyhelp.zendesk.com/api/v2/tickets/2.json",
      "fields": [],
      "created_at": "2019-02-03T10:08:00Z",
      "raw_subject": "Test",
      "email_cc_ids": [],
      "allow_channelback": "False",
      "has_incidents": "False",
      "group_id": 360000361099,
      "external_id": "None"
    }
  },
  "Comments": [
    {
      "body": "Test Test Test",
      "plain_body": "Test Test Test",
      "via": {
        "source": {"to": {}, "from": {}, "rel": "None"},
        "channel": "web"
      },
      "attachments": [
        {
          "thumbnails": [],
          "url": "https://siemplifyhelp.zendesk.com/api/v2/attachments/360701661660.json",
          "file_name": "Siemplify 10 2018-12-11 (1).lic",
          "content_url": "https://siemplifyhelp.zendesk.com/attachments/token/GeO6Xbc5I009xGRKLwWd7u7Qv/?name=Siemplify+10+2018-12-11+%281%29.lic",
          "height": "None",
          "width": "None",
          "mapped_content_url": "https://siemplifyhelp.zendesk.com/attachments/token/GeO6Xbc5I009xGRKLwWd7u7Qv/?name=Siemplify+10+2018-12-11+%281%29.lic",
          "content_type": "application/unknown",
          "inline": "False",
          "id": 360701661660,
          "size": 1272
        }
      ],
      "audit_id": 393260420939,
      "created_at": "2019-02-03T10:08:00Z",
      "id": 393260420979,
      "author_id": 360638872459,
      "html_body": "<div> Test Test Test <br></div>",
      "type": "Comment",
      "public": "True",
      "metadata": {
        "system": {
          "latitude": 32.066599999999994,
          "client": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
          "ip_address": "1.1.1.1",
          "location": "Tel Aviv, 05, Israel",
          "longitude": 34.764999999999986
        },
        "custom": {}
      }
    }
  ],
  "Attachments": [{"test.txt": ""}]
}
```
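The JSON result shown above carries booleans and nulls as the strings "True", "False" and "None", so a playbook condition such as `if ticket["is_public"]` is true even for "False". The following added example (not code from the integration) normalizes those values and pulls out attachment metadata for triage; `normalize`, `summarize_ticket`, the free-text key list and the trimmed sample are assumptions.

```python
import json

# Keys holding free text: a subject that literally reads "None" stays a string.
FREE_TEXT_KEYS = {"subject", "raw_subject", "description", "body",
                  "plain_body", "html_body", "file_name"}
LITERALS = {"True": True, "False": False, "None": None}


def normalize(value):
    """Recursively turn the strings "True"/"False"/"None" into bool/None."""
    if isinstance(value, dict):
        return {k: v if k in FREE_TEXT_KEYS else normalize(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [normalize(v) for v in value]
    if isinstance(value, str):
        return LITERALS.get(value, value)
    return value


def summarize_ticket(raw_json):
    """Return ticket state plus per-attachment metadata from a JSON result."""
    data = normalize(json.loads(raw_json))
    ticket = data["Details"]["ticket"]
    attachments = [
        {"comment_id": c["id"], "public": c["public"],
         "file_name": a["file_name"], "content_type": a["content_type"],
         "size": a["size"]}
        for c in data.get("Comments", [])
        for a in c.get("attachments", [])
    ]
    return {"id": ticket["id"], "status": ticket["status"],
            "priority": ticket["priority"], "is_public": ticket["is_public"],
            "due_at": ticket["due_at"], "attachments": attachments}


# Constructed sample: trimmed and adapted from the JSON result shown above.
SAMPLE = json.dumps({
    "Details": {"ticket": {"id": 2, "status": "open", "priority": "high",
                           "subject": "None", "is_public": "True",
                           "due_at": "None"}},
    "Comments": [{"id": 393260420979, "public": "True",
                  "body": "Test Test Test",
                  "attachments": [{"file_name": "test.lic", "size": 1272,
                                   "content_type": "application/unknown",
                                   "inline": "False"}]}],
    "Attachments": [{"test.txt": ""}],
})
```

The `public` flag on each attachment entry shows whether a file posted to the ticket is visible outside the security team.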
Ping
Test Connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_connected | True/False | is_connected:False |
JSON Result
N/A
Search Tickets
Search for tickets by a keyword.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Search Query | String | N/A | Query content (example: type:ticket status:pending). |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| results_count | N/A | N/A |
JSON Result
N/A
Update Ticket
Update existing ticket details.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Ticket ID | String | N/A | Ticket number. |
| Subject | String | N/A | The subject of the ticket. |
| Assigned User | String | N/A | User full name. |
| Assignment Group | String | N/A | Group name. |
| Priority | String | N/A | Priority will be one of the following: urgent, high, normal, or low. |
| Ticket Type | String | N/A | The ticket type will be one of the following: problem, incident, question or task. |
| Tag | String | N/A | Tag to add to the ticket. |
| Status | String | N/A | The status will be one of the following: new, open, pending, hold, solved, or closed. |
| Additional Comment | String | N/A | If you want to add a comment to the ticket, specify the text you would like to add as a comment here. |
| Internal Note | Checkbox | Un-checked | Specify whether the comment should be public or internal. Unchecked means it will be public; checked means it will be internal only. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_updated | True/False | is_updated:False |
JSON Result
N/A