Push case
Push case to an external service.
The Kibana Console supports only Elasticsearch APIs. You cannot use the Console to call Kibana APIs; use curl or another HTTP tool instead. For more information, refer to Console.
Request URL
`POST <kibana host>:<port>/api/cases/configure/connectors/<connector ID>/push`
Request body
A JSON object with these fields:
| Name | Type | Description | Required |
|---|---|---|---|
| `connector_type` | String | The type of the connector. Must be one of these: | Yes |
| `params` |  | Contains the Elastic Security case details for which you are opening or updating an external incident. | Yes |
| Name | Type | Description | Required |
|---|---|---|---|
| `createdAt` | String | The time the case was created, using ISO 8601 with UTC notation. For example, | Yes |
| `createdBy` | Object | The user who created the case: | Yes |
| `comments` | Object[] | Array containing case comments: | No |
| `description` | String | The case description. | No |
| `externalId` | String | The external incident/issue ID. | No, only required when updating an existing issue. |
| `impact` | String | ServiceNow incident impact. | No. Valid only for ServiceNow connectors. |
|  | String | IBM Resilient incident types. | No. Valid only for IBM Resilient connectors. |
|  | String | Jira issue type. | No. Valid only for Jira connectors. |
|  | String | Jira issue labels. | No. Valid only for Jira connectors. |
|  | String | IBM Resilient organization incident name. | Yes. Valid only for IBM Resilient connectors. |
|  | String | Jira issue parent. | No. Valid only for Jira connectors. |
|  | String | Jira issue priority. | No. Valid only for Jira connectors. |
| `savedObjectId` | String | The case’s ID. | Yes |
| `severity` | String | ServiceNow incident severity. | No. Valid only for ServiceNow connectors. |
|  | String | IBM Resilient incident severity code. | No. Valid only for IBM Resilient connectors. |
|  | String | ServiceNow incident name. | Yes. Valid only for ServiceNow connectors. |
|  | String | Jira issue title. | Yes. Valid only for Jira connectors. |
| `title` | String | The case title. | Yes |
| `updatedAt` | String | The time the case was updated, using ISO 8601 with UTC notation. | No |
| `updatedBy` | Object | The user who last updated the case: | No |
| `urgency` | String | ServiceNow incident urgency. | No. Valid only for ServiceNow connectors. |
Example request
Creates a new ServiceNow incident:

```
POST api/cases/configure/connectors/7349772f-421a-4de3-b8bb-2d9b22ccee30/push
{
  "connector_type": ".servicenow",
  "params": {
    "savedObjectId": "7528e530-5f32-11eb-a713-e1e769fa873c",
    "createdAt": "2021-01-25T17:26:27.990Z",
    "createdBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    },
    "comments": [],
    "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
    "externalId": null,
    "title": "This case will self-destruct in 5 seconds",
    "impact": "2",
    "severity": "1",
    "urgency": "2",
    "updatedAt": null,
    "updatedBy": null
  }
}
```
Updates an existing ServiceNow incident:

```
POST api/cases/configure/connectors/7349772f-421a-4de3-b8bb-2d9b22ccee30/push
{
  "connector_type": ".servicenow",
  "params": {
    "savedObjectId": "7528e530-5f32-11eb-a713-e1e769fa873c",
    "createdAt": "2021-01-25T17:26:27.990Z",
    "createdBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    },
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "createdAt": "2020-03-31T08:37:33.240Z",
        "createdBy": {
          "fullName": "Ms Moneypenny",
          "username": "moneypenny"
        }
      }
    ],
    "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
    "externalId": "ba6defa32f3520107616c886f699b630",
    "title": "This case will self-destruct in 15 seconds",
    "impact": "2",
    "severity": "1",
    "urgency": "2",
    "updatedAt": "2021-01-25T17:27:10.925Z",
    "updatedBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    }
  }
}
```
Response code
`200`: Indicates a successful call.
Response payload
A JSON object with the ID and the URL of the external incident.
You need the returned information to associate the external incident with the original Elastic Security case. To add the external incident details to the Elastic Security case, call Add external details to case.
Example response

```json
{
  "status": "ok",
  "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "data": {
    "title": "INC0010012",
    "id": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "pushedDate": "2020-03-31T09:01:34.000Z"
      }
    ]
  }
}
```
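
The following Python example is added here and is not Elastic's code. It checks the fields this page marks as required for every connector, builds the push request without sending it, and extracts the external incident details from a response. The function names, the returned key names, the HTTPS-only check and the use of API-key authentication are assumptions of this example.

```python
import json
import re
import urllib.request

# Fields the request-body table marks as required for every connector type.
REQUIRED = ("savedObjectId", "createdAt", "createdBy", "title")
# ISO 8601 in UTC ("Z") notation, matching the timestamps in the page's examples.
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def build_push_request(kibana_url, connector_id, connector_type, params, api_key, updating=False):
    """Validate params and return an unsent urllib Request for the push endpoint."""
    missing = [f for f in REQUIRED if not params.get(f)]
    if updating and not params.get("externalId"):
        missing.append("externalId")  # required only when updating an existing incident
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if not ISO_UTC.match(params["createdAt"]):
        raise ValueError("createdAt must be ISO 8601 in UTC notation")
    if not kibana_url.startswith("https://"):
        raise ValueError("refusing to send case data and credentials over plain HTTP")
    body = json.dumps({"connector_type": connector_type, "params": params}).encode()
    headers = {
        "Content-Type": "application/json",
        "kbn-xsrf": "true",  # Kibana rejects API writes that lack this header
        # Assumption: API-key auth; load api_key from a secret store, not from source.
        "Authorization": "ApiKey " + api_key,
    }
    url = f"{kibana_url.rstrip('/')}/api/cases/configure/connectors/{connector_id}/push"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def external_details(response_text):
    """Extract what is needed to link the external incident back to the case."""
    payload = json.loads(response_text)
    if payload.get("status") != "ok":  # assumption: any other status means failure
        raise RuntimeError(f"push failed: {payload}")
    data = payload["data"]
    return {"external_id": data["id"], "external_title": data["title"],
            "external_url": data["url"], "pushed_at": data["pushedDate"]}


# Constructed sample, trimmed from the example response on this page.
SAMPLE_RESPONSE = json.dumps({"status": "ok", "data": {
    "title": "INC0010012", "id": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea"}})
```

Pass the returned request to `urllib.request.urlopen` to send it, then feed the response body to `external_details`.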