Update connector

edit

Updates a connector.

Request URL

edit

PUT <kibana host>:<port>/api/actions/action/<connector ID>

URL parts

edit

The URL must include the connector ID of the connector you are updating. Call Find connectors to retrieve connector IDs.

Request body

edit

A JSON object with the fields you want to update:

Name Type Description Required

config

config

Object containing the action’s configuration.

Yes

secrets

Object

Object containing the third-party account information used to create and update incidents.

For ServiceNow connectors:

  • username (string): The account username.
  • password (string): The account password.

For Jira connectors:

  • email (string): The account email.
  • apiToken (string): Jira API authentication token.

For IBM Resilient connectors:

  • apiKeyId (string): The authentication key ID.
  • apiKeySecret (string): The authentication key secret.

Yes

name

String

The connector’s name.

Yes

config schema

Name Type Description Required

casesConfiguration

incidentConfiguration

Object

Use casesConfiguration for all connectors apart from ServiceNow. For ServiceNow, use incidentConfiguration. Contains a mapping array, which determines how Elastic Security case fields are mapped to external system fields:

  • source (string): The name of the Elastic Security case field, which can be title, description, or comments.
  • target (string): The name of the mapped exterals field. For example: short_description (ServiceNow), title (Jira), name (IBM Resilient), description, and comments.
  • actionType (string): Determines whether Elastic Security case updates overwrite or append to the mapped incident fields. Valid values are overwrite and append.

Yes

apiUrl

String

URL of the third-party instance.

Yes

projectKey

String

Jira project key.

For Jira connectors, yes. For other connectors, no.

orgId

String

IBM Resilient organization ID.

For IBM Resilient connectors, yes. For other connectors, no.

isCaseOwned

Boolean

Indicates a ServiceNow connector is used for Elastic Security cases. Must be true.

For ServiceNow connecters only, yes. For other connectors, no.

Example request

edit

Updates the description field mapping of connector ID 61787f53-4eee-4741-8df6-8fe84fa616f7:

PUT api/actions/action/61787f53-4eee-4741-8df6-8fe84fa616f7
{
  "config": {
    "apiUrl": "https://dev357417.service-now.com",
    "incidentConfiguration": {
      "mapping": [
        {
          "actionType": "overwrite",
          "source": "title",
          "target": "short_description"
        },
        {
          "actionType": "append",
          "source": "description",
          "target": "description"
        },
        {
          "actionType": "append",
          "source": "comments",
          "target": "comments"
        }
      ]
    },
    "isCaseOwned": true
  },
  "name": "SN API",
  "secrets": {
    "password": "stongpassword123!",
    "username": "admin"
  }
}

Response code

edit
200
Indicates a successful call.

Response payload

edit

The updated JSON connector object.

Example response

edit
{
  "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "actionTypeId": ".servicenow",
  "name": "ServiceNow",
  "config": {
    "apiUrl": "https://dev78437.service-now.com",
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title",
          "target": "short_description",
          "actionType": "overwrite"
        },
        {
          "source": "description",
          "target": "description",
          "actionType": "append"
        },
        {
          "source": "comments",
          "target": "comments",
          "actionType": "append"
        }
      ]
    }
  }
}