IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Configuring external connections
You can push new cases and case updates to ServiceNow and Jira. To do this, you need to create a connector, which stores the information required to push cases to external systems. For ServiceNow, cases are sent via ServiceNow’s Table API. For Jira, the REST API v2 is used.
After you have created a connector, you can set SIEM cases to automatically close when they are sent to external systems.
To create connectors and send cases to external systems, you need the appropriate license.
Create a new connector
- Go to SIEM → Cases → Edit external connection.
- From the Incident management system list, select Add new connector.
- Select one of these:
  - ServiceNow: To send cases to ServiceNow.
  - Jira: To send cases to Jira.
- Fill in the following:
  - Connector name: A name for the connector.
  - URL: The URL of the external system to which you want to send cases.
  - Username (ServiceNow connectors only): The username of the ServiceNow account used to access the ServiceNow instance.
  - Password (ServiceNow connectors only): The password of the ServiceNow account used to access the ServiceNow instance.
  - Project key (Jira connectors only): The key of the Jira project to which you are sending cases.
  - Email (Jira connectors only): The Jira account’s email address.
  - API token (Jira connectors only): The API token used to authenticate Jira updates.
- Save the connector.
To represent a SIEM case in an external system, SIEM case fields are mapped as follows:
- For ServiceNow incidents:
  - Title: Mapped to the ServiceNow Short description field. When an update to a SIEM case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
  - Description: Mapped to the ServiceNow Description field. When an update to a SIEM case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
  - Comments: Mapped to the ServiceNow Comments field. When a comment is updated in a SIEM case, a new comment is added to the ServiceNow incident.
- For Jira issues:
  - Title: Mapped to the Jira Summary field. When an update to a SIEM case title is sent to Jira, the existing Jira Summary field is overwritten.
  - Description: Mapped to the Jira Description field. When an update to a SIEM case description is sent to Jira, the existing Jira Description field is overwritten.
  - Comments: Mapped to the Jira Comments field. When a comment is updated in a SIEM case, a new comment is added to the Jira incident.
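The mapping above, sketched as the HTTP requests a push would translate to. This is an added example, not Kibana's own code: the API paths and field names follow the public ServiceNow Table API and Jira REST API v2 and are assumptions, as are the function names, the Jira issue type, and the sample case. It can help when reviewing which operations the connector account needs to be allowed to perform.

```python
# Added illustration; not Kibana's implementation. API paths and field
# names follow the public ServiceNow Table API and Jira REST API v2 and are
# assumptions here: the page names only the UI fields.
FIELDS = {
    "servicenow": {"title": "short_description", "description": "description"},
    "jira": {"title": "summary", "description": "description"},
}

def create_request(system, case, project_key=None):
    """Request that opens the external incident/issue for a SIEM case."""
    body = {ext: case[src] for src, ext in FIELDS[system].items()}
    if system == "servicenow":
        return ("POST", "/api/now/table/incident", body)
    # Jira needs the connector's project key; the issue type is an assumption.
    body.update(project={"key": project_key}, issuetype={"name": "Task"})
    return ("POST", "/rest/api/2/issue", {"fields": body})

def update_requests(system, external_id, changed, comments=()):
    """Requests for a case update: title/description overwrite, comments append."""
    reqs = []
    body = {FIELDS[system][k]: v for k, v in changed.items() if k in FIELDS[system]}
    if system == "servicenow":
        path = f"/api/now/table/incident/{external_id}"
        if body:
            reqs.append(("PATCH", path, body))
        # 'comments' is a journal field: each write adds a new entry.
        reqs += [("PATCH", path, {"comments": c}) for c in comments]
    else:
        path = f"/rest/api/2/issue/{external_id}"
        if body:
            reqs.append(("PUT", path, {"fields": body}))
        # An edited SIEM comment is posted as a new Jira comment.
        reqs += [("POST", path + "/comment", {"body": c}) for c in comments]
    return reqs

# Constructed sample case.
CASE = {"title": "Suspicious login", "description": "Multiple failed logins from one host"}

if __name__ == "__main__":
    print(create_request("servicenow", CASE))
    print(update_requests("jira", "SEC-1", {"title": "Confirmed brute force"}, ["edited note"]))
```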
Close sent cases automatically
To close cases when they are sent to an external system, select Automatically close SIEM cases when pushing new incident to external system.
Change and update connectors
You can create additional connectors, update existing connectors, and change the connector used to send cases to ServiceNow.
You can also configure which connector is used for each case individually (see Open a new case).
- To change the default connector used to send cases to external systems:
  - Go to SIEM → Cases → Edit external connection.
  - Select the required connector from the Incident management system list.
- To update an existing connector:
  - Click Update <connector name>.
  - Update the connector fields as required.
  - Click