Add ticket CLI commands for SOC ticket management #224

Open
maximelb wants to merge 3 commits into cli-v2 from feat/ticket-cli

@maximelb
Contributor

Summary

  • Adds limacharlie ticket command group integrating the ext-ticketing system with the CLI
  • Full ticket lifecycle management: list, get, update, add-note, bulk-update, merge
  • Investigation tracking: entities (IOCs), telemetry references, forensic artifacts, detection linking
  • SOC reporting and dashboard metrics
  • Org-level ticketing configuration management
  • New SDK module (limacharlie/sdk/ticketing.py) wrapping the ext-ticketing REST API
  • New CLI module (limacharlie/commands/ticket.py) with 25+ subcommands following existing CLI patterns
  • Added ticketing discovery profile and updated threat_response profile

Command overview

limacharlie ticket list [--status ...] [--severity ...] [--search ...]
limacharlie ticket get --id <ID>
limacharlie ticket update --id <ID> [--status ...] [--assignee ...]
limacharlie ticket add-note --id <ID> --content "..."
limacharlie ticket bulk-update --ids <ID1>,<ID2> --status closed
limacharlie ticket merge --target <ID> --sources <ID1>,<ID2>

limacharlie ticket entity add --ticket <ID> --type ip --value "10.0.0.1"
limacharlie ticket entity search --type domain --value "evil.com"
limacharlie ticket telemetry add --ticket <ID> --atom <ATOM> --sid <SID>
limacharlie ticket artifact add --ticket <ID> --type pcap
limacharlie ticket detection add --ticket <ID> --detection-id <DET_ID>

limacharlie ticket report --from <RFC3339> --to <RFC3339>
limacharlie ticket dashboard
limacharlie ticket config-get / config-set
limacharlie ticket assignees

Test plan

  • Module loads correctly (auto-discovery picks up ticket.py)
  • All 803 existing unit tests pass
  • CLI help renders correctly for all commands and nested groups
  • Manual testing against live ext-ticketing instance
  • Verify auth flow works with LC JWT against ticketing API

🤖 Generated with Claude Code

maximelb and others added 2 commits February 26, 2026 18:12
Integrates the ext-ticketing system with the LimaCharlie CLI,
providing full ticket lifecycle management, investigation tracking,
and reporting capabilities.

New commands:
- ticket list/get/update/add-note/bulk-update/merge
- ticket entity add/list/update/remove/search (IOC management)
- ticket telemetry add/list/update/remove (event linking)
- ticket artifact add/list/remove (forensic references)
- ticket detection add/list/remove (detection linking)
- ticket report/dashboard (SOC metrics)
- ticket config-get/config-set (org configuration)
- ticket assignees

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

106 tests covering all ticketing SDK methods (41) and CLI commands (65),
including argument validation, stdin/file input, quiet mode, and error cases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@maximelb maximelb requested a review from dzimine-lc February 28, 2026 00:09
@maximelb maximelb marked this pull request as ready for review February 28, 2026 00:09