Configure external connections
You can push Elastic Security cases to these third-party systems:
- ServiceNow ITSM
- ServiceNow SecOps
- Jira (including Jira Service Desk)
- IBM Resilient
To push cases, you need to create a connector, which stores the information required to interact with an external system.
After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.
To create connectors and send cases to external systems, you need the appropriate license.
Create a new connector
- Go to Cases → Edit external connection.
- From the Incident management system list, select Add new connector.
- Select one of these:
  - ServiceNow: To send cases to ServiceNow
  - Jira: To send cases to Jira or Jira Service Desk
  - IBM Resilient: To send cases to IBM Resilient
- Fill in the following:
  - Connector name: A name for the connector.
  - URL: The URL of the external system to which you want to send cases.
  - Organization ID (IBM Resilient connectors only): Your organization’s IBM Resilient ID number.
  - Username (ServiceNow connectors only): The username of the ServiceNow account used to access the ServiceNow instance.
  - Password (ServiceNow connectors only): The password of the ServiceNow account used to access the ServiceNow instance.
  - Project key (Jira connectors only): The key of the Jira project to which you are sending cases.
  - Email or Username (Jira connectors only): The Jira account’s username or email address.
  - API token or Password (Jira connectors only): The API token or password used to authenticate Jira updates.
  - API key ID (IBM Resilient connectors only): The API key used to authenticate IBM Resilient updates.
  - API key secret (IBM Resilient connectors only): The API key secret used to authenticate IBM Resilient updates.
- Save the connector.
To see how to connect Elastic Security to Jira, watch the tutorial at the end of this topic.
To represent an Elastic Security case in an external system, Elastic Security case fields are mapped as follows:
- For ServiceNow incidents:
  - Title: Mapped to the ServiceNow Short description field. When an update to a Security case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
  - Description: Mapped to the ServiceNow Description field. When an update to a Security case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
  - Comments: Mapped to the ServiceNow Comments field. When a comment is updated in a Security case, a new comment is added to the ServiceNow incident.
- For Jira issues:
  - Title: Mapped to the Jira Summary field. When an update to a Security case title is sent to Jira, the existing Jira Summary field is overwritten.
  - Description: Mapped to the Jira Description field. When an update to a Security case description is sent to Jira, the existing Jira Description field is overwritten.
  - Comments: Mapped to the Jira Comments field. When a comment is updated in a Security case, a new comment is added to the Jira incident.
- For IBM Resilient issues:
  - Title: Mapped to the IBM Resilient Name field. When an update to a Security case title is sent to IBM Resilient, the existing IBM Resilient Name field is overwritten.
  - Description: Mapped to the IBM Resilient Description field. When an update to a Security case description is sent to IBM Resilient, the existing IBM Resilient Description field is overwritten.
  - Comments: Mapped to the IBM Resilient Comments field. When a comment is updated in a Security case, a new comment is added to the IBM Resilient incident.
Close sent cases automatically
To close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.
Change and update connectors
You can create additional connectors, update existing connectors, and change the connector used to send cases to external systems.
You can also configure which connector is used for each case individually (see Open a new case).
- To change the default connector used to send cases to external systems:
  - Go to Cases → Edit external connection.
  - Select the required connector from the Incident management system list.
- To update an existing connector:
  - Click Update <connector name>.
  - Update the connector fields as required.
Tutorial: Connect Elastic Security to Jira
To see how to connect Elastic Security to Jira, watch the following tutorial.