The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
« Cases (beta) SIEM APIs »
Elastic Docs SIEM Guide [7.8] Cases (beta)

Configuring external connections

edit

Configuring external connections

edit

You can push new cases and case updates to ServiceNow and Jira. To do this, you need to create a connector, which stores the information required to push cases to external systems. For ServiceNow, cases are send via ServiceNow’s Table API. For Jira, the REST API v2 is used.

After you have created a connector, you can set SIEM cases to automatically close when they are sent to external systems.

To create connectors and send cases to external systems, you need the appropriate license.

Create a new connector

edit

  1. Go to SIEMCasesEdit external connection.

    cases ui connector
  2. From the Incident management system list, select Add new connector.

  3. Select one of these:

    • ServiceNow: To send cases to ServiceNow.
    • Jira: To send cases to Jira.

  4. Fill in the following:

    • Connector name: A name for the connector.
    • URL: The URL of the external system to which you want to send cases.
    • Username (ServiceNow connectors only): The username of the ServiceNow account used to access the ServiceNow instance.
    • Password (ServiceNow connectors only): The password of the ServiceNow account used to access the ServiceNow instance.
    • Project key (Jira connectors only): The key of the Jira project to which you are sending cases.
    • Email (Jira connectors only): The Jira account’s email address.
    • API token (Jira connectors only): The API token used to authenticate Jira updates.
  5. Save the connector.

To represent a SIEM case in an external system, SIEM case fields are mapped as follows:

  • For ServiceNow incidents:

    • Title: Mapped to the ServiceNow Short description field. When an update to a SIEM case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
    • Description: Mapped to the ServiceNow Description field. When an update to a SIEM case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
    • Comments: Mapped to the ServiceNow Comments field. When a comment is updated in a SIEM case, a new comment is added to the ServiceNow incident.

  • For Jira issues:

    • Title: Mapped to the Jira Summary field. When an update to a SIEM case title is sent to Jira, the existing Jira Summary field is overwritten.
    • Description: Mapped to the Jira Description field. When an update to a SIEM case description is sent to Jira, the existing Jira Description field is overwritten.
    • Comments: Mapped to the Jira Comments field. When a comment is updated in a SIEM case, a new comment is added to the Jira incident.

Close sent cases automatically

edit

To close cases when they are sent to an external system, select Automatically close SIEM cases when pushing new incident to external system.

Change and update connectors

edit

You can create additional connectors, update existing connectors, and change the connector used to send cases to ServiceNow.

You can also configure which connector is used for each case individually (see Open a new case).

  1. To change the default connector used to send cases to external systems:

    1. Go to SIEMCasesEdit external connection.
    2. Select the required connector from the Incident management system list.

  2. To update an existing connector:

    1. Click Update <connector name>.
    2. Update the connector fields as required.
« Cases (beta) SIEM APIs »