Create or update an external incident
Creates a new or updates an existing external incident from an Elastic Security case.
The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.
You can only send cases to external systems after you have created a connector. After you have sent the case to an external system, you must call Add external details to case to update the Elastic Security case with the returned external incident details.
Request URL
POST <kibana host>:<port>/api/actions/action/<connector ID>/_execute
URL parts
The URL must include the connector ID. Call Get current connector to retrieve the currently used connector ID, or Find connectors to retrieve all connector IDs.
Request body
A JSON object with these fields:

| Name | Type | Description | Required |
|---|---|---|---|
| `params` | Object | Contains the Elastic Security case details for which you are opening or updating an external incident. | Yes |

Fields of `params`:

| Name | Type | Description | Required |
|---|---|---|---|
| `subAction` | String | The action to be performed. When opening or updating cases in external systems, must be `pushToService`. | Yes |
| `subActionParams` | Object | Case details to send to external systems. | Yes |

Fields of `subActionParams`:

| Name | Type | Description | Required |
|---|---|---|---|
| `incident` | Object | The incident. | Yes |
| `comments` | Object[] | Array containing case comments. Each comment object carries a `commentId` and a `comment` (see the example requests). | No |

Fields of `incident`:

| Name | Type | Description | Required |
|---|---|---|---|
| `description` | String | The case description. | No |
| `externalId` | String | The external incident/issue ID. | No, only required when updating an existing issue. |
| `impact` | String | ServiceNow incident impact. | No. Valid only for ServiceNow connectors. |
| `incidentTypes` | String | IBM Resilient incident types. | No. Valid only for IBM Resilient connectors. |
| `issueType` | String | Jira issue type. | No. Valid only for Jira connectors. |
| `labels` | String | Jira issue labels. | No. Valid only for Jira connectors. |
| `name` | String | IBM Resilient organization incident name. | Yes. Valid only for IBM Resilient connectors. |
| `parent` | String | Jira issue parent. | No. Valid only for Jira connectors. |
| `priority` | String | Jira issue priority. | No. Valid only for Jira connectors. |
| `severity` | String | ServiceNow incident severity. | No. Valid only for ServiceNow connectors. |
| `severityCode` | String | IBM Resilient incident severity code. | No. Valid only for IBM Resilient connectors. |
| `short_description` | String | ServiceNow incident name. | Yes. Valid only for ServiceNow connectors. |
| (field name not preserved on this page) | String | Jira issue title. | Yes. Valid only for Jira connectors. |
| `urgency` | String | ServiceNow incident urgency. | No. Valid only for ServiceNow connectors. |
When updating an existing case, call Get case or Find cases to retrieve the `externalId`. In the case JSON object, the `externalId` value is stored in the `external_service` field.
Example requests
Creates a new ServiceNow incident:

```
POST api/actions/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
          "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives."
        }
      ],
      "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
      "short_description": "This case will self-destruct in 5 seconds"
    }
  }
}
```

Updates an existing ServiceNow incident:

```
POST api/actions/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2",
          "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives."
        }
      ],
      "externalId": "cc6ef44bdb7300106ba884da0b9619cf",
      "short_description": "This case will self-destruct in 5 seconds"
    }
  }
}
```
Response code
- 200: Indicates a successful call.
Response payload
A JSON object with the ID and the URL of the external incident.
You need the returned information to associate it with the original Elastic Security case. To add the external incident details to the Elastic Security case, call Add external details to case.
Example response

```
{
  "status": "ok",
  "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "data": {
    "title": "INC0010012",
    "id": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "pushedDate": "2020-03-31T09:01:34.000Z"
      }
    ]
  }
}
```
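The create-then-update flow above, as an added example that is not code from the Elastic docs: it builds the `pushToService` body (omitting `externalId` for a new incident, including it for an update), sends it with the `kbn-xsrf` header that Kibana requires on non-GET API calls (not mentioned on this page), and pulls out of the response the values you later hand to Add external details to case. The Kibana host, the auth headers and the sample response (copied from the example above) are assumptions.

```python
# Added example, not code from the Elastic docs: build a pushToService request for
# the Kibana actions _execute endpoint and read back the external incident details.
# Assumes the ServiceNow field names used in the page's examples and the kbn-xsrf
# header, which Kibana requires on non-GET API calls (not mentioned on the page).
import json
import urllib.request
SUB_ACTION = "pushToService"  # the only subAction valid when pushing a case

# Constructed from the page's example response; not a live ServiceNow reply.
SAMPLE_RESPONSE = {
    "status": "ok", "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "data": {"title": "INC0010012", "id": "62dc3c8bdb7300106ba884da0b9619ea",
             "pushedDate": "2020-03-31T09:01:33.000Z",
             "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
             "comments": [{"commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
                           "pushedDate": "2020-03-31T09:01:34.000Z"}]}}

def build_push_request(kibana_base, connector_id, short_description,
                       description=None, comments=(), external_id=None):
    """Return (url, body) for POST <kibana>/api/actions/action/<id>/_execute.
    external_id set: update that incident; unset: create a new one.
    comments: iterable of (commentId, comment) pairs taken from the case."""
    sub_params = {"short_description": short_description}
    if description is not None:
        sub_params["description"] = description
    if external_id is not None:
        sub_params["externalId"] = external_id
    if comments:
        sub_params["comments"] = [{"commentId": cid, "comment": text}
                                  for cid, text in comments]
    body = {"params": {"subAction": SUB_ACTION, "subActionParams": sub_params}}
    return f"{kibana_base}/api/actions/action/{connector_id}/_execute", body

def external_details(response):
    """Check a _execute response and return the values that 'Add external
    details to case' needs: incident id, URL, title, push time, comment ids."""
    if response.get("status") != "ok":
        raise ValueError(f"push failed: {response}")
    data = response["data"]
    return {"id": data["id"], "url": data["url"], "title": data["title"],
            "pushedDate": data["pushedDate"],
            "pushedComments": [c["commentId"] for c in data.get("comments", [])]}

def push(url, body, auth_headers=None, timeout=30):
    """POST body as JSON with Kibana's required headers; auth comes from the caller."""
    headers = {"Content-Type": "application/json", "kbn-xsrf": "true"}
    headers.update(auth_headers or {})
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return external_details(json.load(resp))
```

Serialising the body with `json.dumps` also sidesteps the trailing-comma mistake that makes a hand-written request body invalid JSON.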