Project Summary
At UKG, I built an automated system to monitor recent activity for SSL/TLS certificates across our infrastructure. The solution uses a combination of Jira webhooks, a Google Cloud Function (Python), and Splunk's HTTP Event Collector (HEC) to identify whether new or rotated certificates are actively in use and visible in logs.
Technologies Used
- 📌 Jira (Webhook-based trigger)
- ☁️ Google Cloud Function (Python, runs serverless logic)
- 🔍 Splunk HEC (for querying or logging cert activity)
Workflow
- A Jira Webhook is triggered when a new ticket related to a certificate is created (e.g., cert renewal, deployment).
- The webhook invokes a Google Cloud Function (Python) which:
  - Parses the Jira issue for certificate serial numbers (hex format)
  - Converts them to decimal (for Splunk indexing)
- The function constructs a query and sends it to Splunk HEC to determine:
  - If the certificate has been seen in recent logs (e.g., last 7 days)
  - If not, it marks the cert as potentially inactive
- The function optionally sends the results back to Jira as a comment or attaches them to the ticket.
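The parsing, conversion and query-building steps above, as an added Python example (not the code from the project described here). It goes beyond the 0x form by also accepting colon-separated octets. Assumptions: the serial appears as plain text in the issue's summary or description; the payload, the function names and the 7-day `earliest` window are constructed for illustration; the index and field name follow the query in the example use case.

```python
import re

INDEX = "cert_logs"  # index name taken from the page's example query

# Matches 0x-prefixed hex or colon-separated octets (openssl style). At least
# four octets are required in colon form so HH:MM:SS timestamps do not match;
# 40 hex digits is the 20-octet ceiling RFC 5280 sets for serial numbers.
SERIAL_RE = re.compile(
    r"(?<![\w:])(?:0x([0-9A-Fa-f]{2,40})"
    r"|((?:[0-9A-Fa-f]{2}:){3,19}[0-9A-Fa-f]{2}))(?![\w:])"
)

def extract_serials(payload: dict) -> list[str]:
    """Return the unique decimal serials found in a Jira issue payload."""
    fields = (payload.get("issue") or {}).get("fields") or {}
    text = " ".join(str(fields.get(k) or "") for k in ("summary", "description"))
    serials = []
    for m in SERIAL_RE.finditer(text):
        hex_digits = (m.group(1) or m.group(2)).replace(":", "")
        # Python ints are arbitrary precision, so long serials convert exactly.
        dec = str(int(hex_digits, 16))
        if dec not in serials:
            serials.append(dec)
    return serials

def build_query(dec_serial: str, days: int = 7) -> str:
    """Build the search string; only plain digits may reach the query."""
    if not re.fullmatch(r"[0-9]{1,49}", dec_serial):
        raise ValueError("serial must be a decimal string")
    if not isinstance(days, int) or days < 1:
        raise ValueError("days must be a positive integer")
    return f'index={INDEX} serial="{dec_serial}" earliest=-{days}d'

# Constructed sample payload (not real ticket data).
SAMPLE = {
    "issue": {
        "key": "CERT-0000",
        "fields": {
            "summary": "Renew TLS cert for api gateway",
            "description": "Issued at 12:30:45. Serial 0x00AB12CD "
                           "(openssl shows 00:AB:12:CD). Old: 7F:00:1C:9E:44:02",
        },
    }
}

if __name__ == "__main__":
    for serial in extract_serials(SAMPLE):
        print(build_query(serial))
```

Restricting the serial to digits before it is placed in the search string keeps ticket text, which any reporter can write, from altering the query.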
Example Use Case
A newly issued certificate with serial 0x3FA29B4E0C is detected in a Jira ticket. The Cloud Function extracts this serial, converts it to decimal 171011739532, and checks Splunk using:
index=cert_logs serial="171011739532"
If the certificate appears in Splunk logs, it's considered "active." If no logs are found, it's flagged for investigation.
Outcome
- ✅ Automated visibility into cert activity
- 📉 Reduced manual log inspection
- 🔒 Strengthened compliance and audit readiness