Create or update an external incident

Creates a new or updates an existing external incident from an Elastic Security case.

You can only send cases to external systems after you have created a connector. After you have sent the case to an external system, you must call Add external details to case to update the Elastic Security case with the returned external incident details.

Request URL

POST <kibana host>:<port>/api/actions/action/<connector ID>/_execute

URL parts

The URL must include the connector ID. Call Get current connector to retrieve the currently used connector ID, or Find connectors to retrieve all connector IDs.

Request body

A JSON object with these fields:

params (type: params; required)
  Contains the Elastic Security case details for which you are opening or updating an external incident.

params schema

subAction (String; required)
  The action to be performed. When opening or updating cases in external systems, must be: pushToService.

subActionParams (type: subActionParams; required)
  Case details to send to external systems.

subActionParams schema

createdAt (String; required)
  The time the case was created, using ISO 8601 with UTC notation. For example, 2020-03-31T06:40:21.674Z.

createdBy (Object; required)
  The user who created the case:
  • fullName (string): The user’s full name.
  • username (string): The user’s username.

comments (Object[]; optional)
  Array containing case comments:
  • commentId (string, required): The comment ID.
  • comment (string, required): The comment text.
  • createdAt (string, required): The time the comment was created, using ISO 8601 with UTC notation.
  • createdBy (object, required): The user who created the comment, containing fullName and username fields.
  • updatedBy (object, optional): The user who last updated the comment, containing fullName and username fields.

description (String; optional)
  The case description.

externalId (String; optional, but required when updating an existing issue)
  The external incident/issue ID.

savedObjectId (String; required)
  The case’s ID.

title (String; required)
  The case title.

updatedAt (String; optional)
  The time the case was updated, using ISO 8601 with UTC notation.

updatedBy (Object; optional)
  The user who last updated the case:
  • fullName (string): The user’s full name.
  • username (string): The user’s username.

When updating an existing case, call Get case or Find cases to retrieve the externalId. In the case JSON object, the externalId value is stored in the external_service field.

Example requests

Creates a new ServiceNow incident:

POST api/actions/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "savedObjectId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
      "createdAt": "2020-03-31T08:36:45.661Z",
      "createdBy": {
        "fullName": "Alan Hunley",
        "username": "ahunley"
      },
      "comments": [
        {
          "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
          "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
          "createdAt": "2020-03-31T08:37:33.240Z",
          "createdBy": {
            "fullName": "Ms Moneypenny",
            "username": "moneypenny"
          }
        }
      ],
      "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
      "title": "This case will self-destruct in 5 seconds"
    }
  }
}

Updates an existing ServiceNow incident:

POST api/actions/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "savedObjectId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
      "createdAt": "2020-03-31T08:36:45.661Z",
      "createdBy": {
        "fullName": "Alan Hunley",
        "username": "ahunley"
      },
      "comments": [
        {
          "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2",
          "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
          "createdAt": "2020-03-31T09:11:08.736Z",
          "createdBy": {
            "fullName": "Ms Moneypenny",
            "username": "moneypenny"
          }
        }
      ],
      "externalId": "cc6ef44bdb7300106ba884da0b9619cf",
      "title": "This case will self-destruct in 5 seconds"
    }
  }
}

Response code

200
Indicates a successful call.

Response payload

A JSON object with the ID and the URL of the external incident.

You need the returned information to associate it with the original Elastic Security case. To add the external incident details to the Elastic Security case, call Add external details to case.
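The following is an added example, not part of the Kibana documentation and not Kibana's own client code. It builds the pushToService request body described above from a case record, rejects a case with a missing required field or a timestamp that is not ISO 8601 UTC before the connector is executed, and parses the execute response into the values that Add external details to case needs. KIBANA_BASE, CONNECTOR_ID, SAMPLE_CASE and SAMPLE_RESPONSE are constructed placeholders; the kbn-xsrf header is a general requirement of Kibana's HTTP API rather than something this page states.

```python
"""pushToService request builder and response parser for an Elastic Security case.
Added example, not Kibana's own client code; it follows the fields documented on
this page. KIBANA_BASE, CONNECTOR_ID, SAMPLE_CASE and SAMPLE_RESPONSE are
constructed placeholders, not values from a real deployment."""
import json
import re
from urllib import request

KIBANA_BASE = "http://kibana.example:5601"             # placeholder <kibana host>:<port>
CONNECTOR_ID = "00000000-0000-0000-0000-000000000000"  # placeholder connector ID
# ISO 8601 with UTC notation, e.g. 2020-03-31T06:40:21.674Z
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def execute_url(base, connector_id):
    """Request URL of the connector's _execute endpoint."""
    return f"{base}/api/actions/action/{connector_id}/_execute"

def _user(obj):
    """Copy only the two documented user fields, dropping anything else."""
    return {"fullName": obj["fullName"], "username": obj["username"]}

def _require(obj, fields, what):
    for field in fields:
        if field not in obj:
            raise ValueError(f"{what} is missing required field {field}")

def build_push_payload(case, external_id=None):
    """Build the request body: a create when external_id is None, else an update.
    A missing required field or a non-UTC timestamp raises before anything is sent."""
    _require(case, ("savedObjectId", "createdAt", "createdBy", "title"), "case")
    if not ISO_UTC.match(case["createdAt"]):
        raise ValueError("createdAt must use ISO 8601 with UTC notation")
    params = {
        "savedObjectId": case["savedObjectId"],
        "createdAt": case["createdAt"],
        "createdBy": _user(case["createdBy"]),
        "title": case["title"],
    }
    for optional in ("description", "updatedAt"):
        if case.get(optional) is not None:
            params[optional] = case[optional]
    if case.get("updatedBy"):
        params["updatedBy"] = _user(case["updatedBy"])
    comments = []
    for c in case.get("comments", []):
        _require(c, ("commentId", "comment", "createdAt", "createdBy"), "comment")
        entry = {k: c[k] for k in ("commentId", "comment", "createdAt")}
        entry["createdBy"] = _user(c["createdBy"])
        if c.get("updatedBy"):
            entry["updatedBy"] = _user(c["updatedBy"])
        comments.append(entry)
    if comments:
        params["comments"] = comments
    if external_id is not None:
        params["externalId"] = external_id  # only when updating an existing incident
    return {"params": {"subAction": "pushToService", "subActionParams": params}}

def parse_push_response(resp):
    """Extract what Add external details to case needs from the execute response."""
    if resp.get("status") != "ok":
        raise RuntimeError(f"push was not successful: {resp}")
    data = resp["data"]
    return {
        "external_id": data["id"],
        "external_title": data.get("title"),
        "external_url": data["url"],
        "pushed_at": data.get("pushedDate"),
        "pushed_comments": {c["commentId"]: c["pushedDate"] for c in data.get("comments", [])},
    }

def push_case(case, external_id=None):
    """Execute the connector over HTTP; needs a live Kibana, so it is not run offline."""
    body = json.dumps(build_push_payload(case, external_id)).encode()
    req = request.Request(execute_url(KIBANA_BASE, CONNECTOR_ID), data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("kbn-xsrf", "true")  # Kibana requires this header on non-GET API calls
    with request.urlopen(req) as r:
        return parse_push_response(json.load(r))

SAMPLE_CASE = {  # constructed sample, not a real case
    "savedObjectId": "case-0001-constructed",
    "createdAt": "2020-03-31T08:36:45.661Z",
    "createdBy": {"fullName": "Example Analyst", "username": "analyst"},
    "title": "Constructed sample case",
    "description": "Constructed description.",
    "comments": [{"commentId": "comment-0001-constructed", "comment": "Constructed comment.",
                  "createdAt": "2020-03-31T08:37:33.240Z",
                  "createdBy": {"fullName": "Example Analyst", "username": "analyst"}}],
}
SAMPLE_RESPONSE = {  # constructed response in the documented shape
    "status": "ok", "actionId": "action-0001-constructed",
    "data": {"title": "INC0000000", "id": "ext-0001-constructed",
             "pushedDate": "2020-03-31T09:01:33.000Z", "url": "https://example.invalid/incident",
             "comments": [{"commentId": "comment-0001-constructed", "pushedDate": "2020-03-31T09:01:34.000Z"}]},
}
```

build_push_payload(SAMPLE_CASE) produces a create request; passing the externalId read from the case's external_service field produces the update variant. push_case only adds the HTTP call (authentication is left to the caller's environment) and is the single place that talks to Kibana, so the validation and parsing can be exercised offline.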

Example response

{
  "status": "ok",
  "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "data": {
    "title": "INC0010012",
    "id": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "pushedDate": "2020-03-31T09:01:34.000Z"
      }
    ]
  }
}