Configure external connections

edit

Configure external connections

edit

You can push Elastic Security cases to these third-party systems:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane

To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.

To create connectors and send cases to external systems, you need the appropriate license, and your role needs All privileges for the Action and Connectors feature. For more information, refer to Cases prerequisites.

Create a new connector

edit
  1. Go to InvestigateCasesEdit external connection.

    Shows the page for creating connectors
  2. From the Incident management system list, select Add new connector.
  3. Select the system to send cases to: ServiceNow, Jira, IBM Resilient, or Swimlane.

    If you’ve upgraded from Elastic Stack version 7.15.0 or earlier to 7.16.0 or later, you must complete several prerequisites before creating a new ServiceNow ITSM or ServiceNow SecOps connector. For more information, refer to prerequisites for ServiceNow ITSM and ServiceNow SecOps.

  4. Enter your required settings.

    Connector name

    Name for the connector.

    URL

    (IBM Resilient and Jira only) The URL of the external system to which you want to send cases.

    ServiceNow instance URL

    (ServiceNow only) The URL of the ServiceNow instance to which you want to send cases.

    Use OAuth authentication

    (ServiceNow only) Enable this to use open authorization (OAuth) to authenticate a connection between Elastic and ServiceNow.

    To use open authorization (OAuth), you must create an RSA keypair and add an X.509 Certificate and also create an OAuth JWT API endpoint for external clients with a JWT Verifiers Map.

    API URL

    (Swimlane only) The URL of the Swimlane instance to which you want to send cases.

    Organization ID

    (IBM Resilient only) Your organization’s IBM Resilient ID number.

    Application ID

    (Swimlane only) The application ID of your Swimlane application. From Swimlane, you can find the application ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it.

    Username

    (ServiceNow only and displays if Use OAuth authentication is turned off) The username of the ServiceNow account used to access the ServiceNow instance.

    Password

    (ServiceNow only and displays if Use OAuth authentication is turned off) The password of the ServiceNow account used to access the ServiceNow instance.

    Client ID

    (ServiceNow only and displays if Use OAuth authentication is turned on) The client ID assigned to your OAuth application.

    User Identifier

    (ServiceNow only and displays if Use OAuth authentication is turned on) Identifier to use for OAuth type authentication. Use the value you entered into the User field when you created an OAuth JWT API endpoint for external clients.

    JWT Verifier Key ID

    (ServiceNow only and displays if Use OAuth authentication is turned on) The key ID assigned to the JWT Verifier Map of your OAuth application.

    Client Secret

    (ServiceNow only and displays if Use OAuth authentication is turned on) The client secret assigned to your OAuth application.

    Private Key

    (ServiceNow only and displays if Use OAuth authentication is turned on) The RSA private key generated when you created an RSA keypair.

    Private Key Password

    (ServiceNow only and displays only if Use OAuth authentication is turned on) The The password for the RSA private key generated during setup, if set.

    Project key

    (Jira only) The key of the Jira project to which you are sending cases.

    Email address

    (Jira only) The Jira account username or email.

    API token

    (Jira only) The API token or password is used to authenticate Jira updates.

    API key ID

    (IBM Resilient only) The API key is used to authenticate IBM Resilient updates.

    API key secret

    (IBM Resilient only) The API key secret is used to authenticate IBM Resilient updates.

    API token

    (Swimlane only) The Swimlane API authentication token is used for HTTP Basic authentication. This is the personal access token for your user role.

  5. Choose the connector type (Swimlane only):

    All

    You can choose to set all or no field mappings when creating your new Swimlane connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule.

    Alerts

    Provide an alert ID and rule name.

    Cases

    Provide a case ID, a case name, comments, and a description.

  6. Save the connector.

To learn how to connect Elastic Security to Jira, check out the tutorial at the end of this topic.

Mapped case fields

edit

To represent an Elastic Security case in an external system, Elastic Security case fields are mapped as follows:

Data from mapped case fields can be pushed to external systems but cannot be pulled in.

  • For ServiceNow incidents:

    Title

    Mapped to the ServiceNow Short description field. When an update to a case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.

    Description

    Mapped to the ServiceNow Description field. When an update to a case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.

    Comments

    Mapped to the ServiceNow Work Notes field. When a comment is updated in a case, a new comment is added to the ServiceNow incident.

  • For Jira issues:

    Title

    Mapped to the Jira Summary field. When an update to a case title is sent to Jira, the existing Jira Summary field is overwritten.

    Description

    Mapped to the Jira Description field. When an update to a case description is sent to Jira, the existing Jira Description field is overwritten.

    Comments

    Mapped to the Jira Comments field. When a comment is updated in a case, a new comment is added to the Jira incident.

  • For IBM Resilient issues:

    Title

    Mapped to the IBM Resilient Name field. When an update to a case title is sent to IBM Resilient, the existing IBM Resilient Name field is overwritten.

    Description

    Mapped to the IBM Resilient Description field. When an update to a case description is sent to IBM Resilient, the existing IBM Resilient Description field is overwritten.

    Comments

    Mapped to the IBM Resilient Comments field. When a comment is updated in a case, a new comment is added to the IBM Resilient incident.

  • For Swimlane records:

    Title

    Mapped to the Swimlane caseName field. When an update to a case title is sent to Swimlane, the field that is mapped to the Swimlane caseName field is overwritten.

    Description

    Mapped to the Swimlane Description field. When an update to a case description is sent to Swimlane, the field that is mapped to the Swimlane Description field is overwritten.

    Comments

    Mapped to the Swimlane Comments field. When a new comment is added to a case, or an existing one is updated, the field that is mapped to the Swimlane Comment field is appended. Comments are posted to the Swimlane incident record individually.

Close sent cases automatically

edit

To close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.

Change the default connector

edit

To change the default connector used to send cases to external systems, go to CasesEdit external connection and select the required connector from the Incident management system list.

Shows list of available connectors

Add connectors

edit

After you create a case, you can add connectors to it. From the case details page, go to External incident management system, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.

add connectors

Modify connector settings

edit

To change the settings of an existing connector:

  1. Go to InvestigateCasesEdit external connection.
  2. Select the required connector from the Incident management system list.
  3. Click Update <connector name>.
  4. In the Edit connector flyout, modify the connector fields as required, then click Save & close to save your changes.
cases modify connector

Tutorial: Connect Elastic Security to Jira

edit

To learn how to connect Elastic Security to Jira, check out the following tutorial.