Configure external connections
editConfigure external connections
editYou can push Elastic Security cases to these third-party systems:
- ServiceNow ITSM
- ServiceNow SecOps
- Jira (including Jira Service Desk)
- IBM Resilient
- Swimlane
To push cases, you need to create a connector, which stores the information required to interact with an external system.
After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.
To create connectors and send cases to external systems, you need the appropriate license and your role needs All privileges for the Action and Connectors feature. For more information, see Cases prerequisites.
Create a new connector
edit-
Go to Cases → Edit external connection.
- From the Incident management system list, select Add new connector.
-
Select one of these:
- ServiceNow: To send cases to ServiceNow
If you’ve upgraded from Elastic Stack version 7.15.0 or earlier to version 7.16.0 or later, you must install Elastic for ITSM or Elastic for Security Operations (SecOps) on your ServiceNow instance and complete additional configuration steps before creating a new ServiceNow ITSM or SecOps connector. If you don’t, an error message displays and you cannot create the new connector. For more information, refer to ServiceNow SecOps and ServiceNow ITSM.
- Jira: To send cases to Jira or Jira Service Desk
- IBM Resilient: To send cases to IBM Resilient
- Swimlane: To send cases to Swimlane
-
Fill in the following:
- Connector name: A name for the connector.
- URL: The URL of the external system to which you want to send cases.
- ServiceNow instance URL (for ServiceNow connectors only): The URL of the ServiceNow to which you want to send cases.
- API Url (Swimlane connectors only): The URL of the Swimlane instance to which you want to send cases.
- Organization ID (IBM Resilient connectors only): Your organization’s IBM Resilient ID number.
- Application ID (Swimlane connectors only): The application ID of your Swimlane application. From Swimlane, you can find the application ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it.
- Username (ServiceNow connectors only): The username of the ServiceNow account used to access the ServiceNow instance.
- Password (ServiceNow connectors only): The password of the ServiceNow account used to access the ServiceNow instance.
- Project key (Jira connectors only): The key of the Jira project to which you are sending cases.
- Email address (Jira connectors only): The Jira account’s username or email address.
- API token (Jira connectors only): The API token or password used to authenticate Jira updates.
- API key ID (IBM Resilient connectors only): The API key used to authenticate IBM Resilient updates.
- API key secret (IBM Resilient connectors only): The API key secret used to authenticate IBM Resilient updates.
- API token (Swimlane connectors only): The Swimlane API authentication token used for HTTP Basic authentication. This is the personal access token for your user role.
-
Choose the connector type (for Swimlane connectors only):
- All: You can choose to set all or no field mappings when creating your new Swimlane connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. The prompts no longer display once you set up the required mappings.
- Alerts: Provide an alert ID and rule name.
- Cases: Provide a case ID, a case name, comments, and a description.
- Save the connector.
To represent an Elastic Security case in an external system, Elastic Security case fields are mapped as follows:
Data from mapped case fields can be pushed to external systems but cannot be pulled in.
-
For ServiceNow incidents:
-
Title: Mapped to the ServiceNow
Short description
field. When an update to a Security case title is sent to ServiceNow, the existing ServiceNowShort description
field is overwritten. -
Description: Mapped to the ServiceNow
Description
field. When an update to a Security case description is sent to ServiceNow, the existing ServiceNowDescription
field is overwritten. -
Comments: Mapped to the ServiceNow
Work Notes
field. When a comment is updated in a Security case, a new comment is added to the ServiceNow incident.
-
Title: Mapped to the ServiceNow
-
For Jira issues:
-
Title: Mapped to the Jira
Summary
field. When an update to a Security case title is sent to Jira, the existing JiraSummary
field is overwritten. -
Description: Mapped to the Jira
Description
field. When an update to a Security case description is sent to Jira, the existing JiraDescription
field is overwritten. -
Comments: Mapped to the Jira
Comments
field. When a comment is updated in a Security case, a new comment is added to the Jira incident.
-
Title: Mapped to the Jira
-
For IBM Resilient issues:
-
Title: Mapped to the IBM Resilient
Name
field. When an update to a Security case title is sent to IBM Resilient, the existing IBM ResilientName
field is overwritten. -
Description: Mapped to the IBM Resilient
Description
field. When an update to a Security case description is sent to IBM Resilient, the existing IBM ResilientDescription
field is overwritten. -
Comments: Mapped to the IBM Resilient
Comments
field. When a comment is updated in a Security case, a new comment is added to the IBM Resilient incident.
-
Title: Mapped to the IBM Resilient
-
For Swimlane records:
-
Title: Mapped to the Swimlane
caseName
field. When an update to a Security case title is sent to Swimlane, the field that is mapped to the SwimlanecaseName
field is overwritten. -
Description: Mapped to the Swimlane
Description
field. When an update to a Security case description is sent to Swimlane, the field that is mapped to the SwimlaneDescription
field is overwritten. -
Comments: Mapped to the Swimlane
Comments
field. When a new comment is added to a Security case, or an existing one is updated, the field that is mapped to the SwimlaneComment
field is appended. Comments are posted to the Swimlane incident record individually.
-
Title: Mapped to the Swimlane
Close sent cases automatically
editTo close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.
Change the default connector
editTo change the default connector used to send cases to external systems, go to Cases → Edit external connection and select the required connector from the Incident management system list.
You can also configure which connector is used for each case individually. See Open a new case.
Modify connector settings
editTo change the settings of an existing connector:
- Go to Cases → Edit external connection.
- Select the required connector from the Incident management system list.
- Click Update <connector name>.
- In the Edit connector flyout, modify the connector fields as required, then click Save & close to save your changes.