IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Cases Elastic Security APIs »
Elastic Docs Elastic Security Solution [7.13] Cases

Configure external connections

edit

Configure external connections

edit

You can push Elastic Security cases to these third-party systems:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient

To push cases, you need to create a connector, which stores the information required to interact with an external system.

After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.

To create connectors and send cases to external systems, you need the appropriate license.

Create a new connector

edit

  1. Go to CasesEdit external connection.

    cases ui connector
  2. From the Incident management system list, select Add new connector.

  3. Select one of these:

    • ServiceNow: To send cases to ServiceNow
    • Jira: To send cases to Jira or Jira Service Desk
    • IBM Resilient: To send cases to IBM Resilient

  4. Fill in the following:

    • Connector name: A name for the connector.
    • URL: The URL of the external system to which you want to send cases.
    • Organization ID (IBM Resilient connectors only): Your organization’s IBM Resilient ID number.
    • Username (ServiceNow connectors only): The username of the ServiceNow account used to access the ServiceNow instance.
    • Password (ServiceNow connectors only): The password of the ServiceNow account used to access the ServiceNow instance.
    • Project key (Jira connectors only): The key of the Jira project to which you are sending cases.
    • Email or Username (Jira connectors only): The Jira account’s username or email address.
    • API token or Password (Jira connectors only): The API token or password used to authenticate Jira updates.
    • API key ID (IBM Resilient connectors only): The API key used to authenticate IBM Resilient updates.
    • API key secret (IBM Resilient connectors only): The API key secret used to authenticate IBM Resilient updates.
  5. Save the connector.

To see how to connect Elastic Security to Jira, watch the tutorial at the end of this topic.

To represent an Elastic Security case in an external system, Elastic Security case fields are mapped as follows:

  • For ServiceNow incidents:

    • Title: Mapped to the ServiceNow Short description field. When an update to a Security case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
    • Description: Mapped to the ServiceNow Description field. When an update to a Security case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
    • Comments: Mapped to the ServiceNow Comments field. When a comment is updated in a Security case, a new comment is added to the ServiceNow incident.

  • For Jira issues:

    • Title: Mapped to the Jira Summary field. When an update to a Security case title is sent to Jira, the existing Jira Summary field is overwritten.
    • Description: Mapped to the Jira Description field. When an update to a Security case description is sent to Jira, the existing Jira Description field is overwritten.
    • Comments: Mapped to the Jira Comments field. When a comment is updated in a Security case, a new comment is added to the Jira incident.

  • For IBM Resilient issues:

    • Title: Mapped to the IBM Resilient Name field. When an update to a Security case title is sent to IBM Resilient, the existing IBM Resilient Name field is overwritten.
    • Description: Mapped to the IBM Resilient Description field. When an update to a Security case description is sent to IBM Resilient, the existing IBM Resilient Description field is overwritten.
    • Comments: Mapped to the IBM Resilient Comments field. When a comment is updated in a Security case, a new comment is added to the IBM Resilient incident.

Close sent cases automatically

edit

To close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.

Change and update connectors

edit

You can create additional connectors, update existing connectors, and change the connector used to send cases to external systems.

You can also configure which connector is used for each case individually (see Open a new case).

  1. To change the default connector used to send cases to external systems:

    1. Go to CasesEdit external connection.
    2. Select the required connector from the Incident management system list.

  2. To update an existing connector:

    1. Click Update <connector name>.
    2. Update the connector fields as required.

Tutorial: Connect Elastic Security to Jira

edit

To see how to connect Elastic Security to Jira, watch the following tutorial.


« Cases Elastic Security APIs »