Create connector
Creates a connector, which can then be used to open and update cases in external systems.
Request URL
POST <kibana host>:<port>/api/actions/action
Request body
A JSON object with these fields:
Name | Type | Description | Required |
---|---|---|---|
| | String | Must be one of these: | Yes |
| | | Object containing the action’s configuration. | Yes |
| | Object | Object containing the third-party account information used to create and update incidents. For ServiceNow connectors: For Jira connectors: For IBM Resilient connectors: | Yes |
| | String | The connector’s name. | Yes |
Name | Type | Description | Required |
---|---|---|---|
| | Object | Use | Yes |
| | String | URL of the third-party instance. | Yes |
| | String | Jira project key. | For Jira connectors, yes. For other connectors, no. |
| | String | IBM Resilient organization ID. | For IBM Resilient connectors, yes. For other connectors, no. |
| | Boolean | Indicates a ServiceNow connector is used for Elastic Security cases. Must be | For ServiceNow connectors only, yes. For other connectors, no. |
Example requests
Creates a ServiceNow connector:

```
POST api/actions/action
{
  "actionTypeId": ".servicenow",
  "config": {
    "incidentConfiguration": {
      "mapping": [
        {
          "source": "title",
          "target": "short_description",
          "actionType": "overwrite"
        },
        {
          "source": "description",
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments",
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://dev87359.service-now.com",
    "isCaseOwned": true
  },
  "secrets": {
    "username": "admin",
    "password": "securePassword123!"
  },
  "name": "ServiceNow"
}
```
Creates a Jira connector:
```
POST api/actions/action
{
  "actionTypeId": ".jira",
  "config": {
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title",
          "target": "summary",
          "actionType": "overwrite"
        },
        {
          "source": "description",
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments",
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://hms.atlassian.net",
    "projectKey": "HMS"
  },
  "secrets": {
    "email": "admin@hms.gov.co.uk",
    "apiToken": "my-api-token"
  },
  "name": "Jira"
}
```
Creates an IBM Resilient connector:
```
POST api/actions/action
{
  "actionTypeId": ".resilient",
  "config": {
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title",
          "target": "name",
          "actionType": "overwrite"
        },
        {
          "source": "description",
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments",
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://ibm-resilient.siem.estc.dev",
    "orgId": "201"
  },
  "secrets": {
    "apiKeyId": "2ad2bbd3-7cd2-3096-9619-de13c5ab70ca",
    "apiKeySecret": "Hzol67ZoeATAR-8pQxSp3q_NPTDtWU6_QNBoCSCA-ic"
  },
  "name": "IBM"
}
```
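The request bodies above differ by connector type in three places: the mapping key, one type-specific `config` field, and the names of the `secrets` fields. The following is an added example, not part of the Kibana documentation or code base: a hypothetical Python helper (`build_connector`, `redacted` and `RULES` are assumed names) that validates a body against those per-type rules before it is sent and masks the `secrets` object for logging. The `https` check is an added hardening assumption, and all sample values are constructed.

```python
import json

# Per-type rules read off this page's example requests:
# actionTypeId -> (mapping key, required config fields, required secret fields)
RULES = {
    ".servicenow": ("incidentConfiguration", ("isCaseOwned",), ("username", "password")),
    ".jira": ("casesConfiguration", ("projectKey",), ("email", "apiToken")),
    ".resilient": ("casesConfiguration", ("orgId",), ("apiKeyId", "apiKeySecret")),
}


def build_connector(action_type, name, api_url, mapping, secrets, **extra):
    """Return a validated request body for POST api/actions/action."""
    if action_type not in RULES:
        raise ValueError(f"unsupported actionTypeId: {action_type!r}")
    mapping_key, need_config, need_secrets = RULES[action_type]
    # Added hardening check (an assumption, not stated on the page): the
    # credentials in "secrets" are used against apiUrl, so refuse cleartext.
    if not api_url.startswith("https://"):
        raise ValueError("apiUrl must use https")
    missing = [f for f in need_config if f not in extra]
    missing += [f for f in need_secrets if not secrets.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    config = {mapping_key: {"mapping": mapping}, "apiUrl": api_url, **extra}
    return {"actionTypeId": action_type, "config": config,
            "secrets": dict(secrets), "name": name}


def redacted(body):
    """Return a copy of the body that is safe to log: secret values masked."""
    safe = json.loads(json.dumps(body))  # deep copy via JSON round trip
    safe["secrets"] = {key: "<redacted>" for key in safe["secrets"]}
    return safe


if __name__ == "__main__":
    # Constructed sample values; in practice read secrets from a secret
    # store or the environment rather than from source code.
    sample_mapping = [
        {"source": "title", "target": "summary", "actionType": "overwrite"},
        {"source": "comments", "target": "comments", "actionType": "append"},
    ]
    body = build_connector(
        ".jira", "Jira", "https://jira.example.invalid", sample_mapping,
        {"email": "soc@example.invalid", "apiToken": "CONSTRUCTED-TOKEN"},
        projectKey="HMS",
    )
    print(json.dumps(redacted(body), indent=2))
```

Log only the `redacted()` copy; the unmasked body should exist only in memory for the duration of the POST.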
Response code
200: Indicates a successful call.
Response payload
A JSON object with a connector id that is required to push cases to ServiceNow.
Example response
ServiceNow connector:

```json
{
  "id": "f07a60c7-a340-4cb1-93b8-1f5e35dc56b1",
  "actionTypeId": ".servicenow",
  "name": "SN API 2",
  "config": {
    "apiUrl": "https://dev185413.service-now.com",
    "incidentConfiguration": {
      "mapping": [
        {
          "actionType": "overwrite",
          "source": "title",
          "target": "short_description"
        },
        {
          "actionType": "overwrite",
          "source": "description",
          "target": "description"
        },
        {
          "actionType": "append",
          "source": "comments",
          "target": "comments"
        }
      ]
    },
    "isCaseOwned": true
  },
  "isPreconfigured": false
}
```