« Open and manage cases Elastic Security APIs »
Elastic Docs Elastic Security Solution [8.16] Investigation tools Cases

Configure case settings

edit

Configure case settings

edit

To change case closure options and add custom fields, templates, and connectors for external incident management systems, find Cases in the navigation menu or search for Security/Cases by using the global search field, then click Settings.

Shows the case settings page

To view and change case settings, you must have the appropriate Kibana feature privileges. Refer to Cases requirements.

Case closures

edit

If you close cases in your external incident management system, the cases will remain open in Elastic Security until you close them manually.

To close cases when they are sent to an external system, select Automatically close cases when pushing new incident to external system.

External incident management systems

edit

You can push Elastic Security cases to these third-party systems:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane
  • Webhook - Case Management

To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.

To create connectors and send cases to external systems, you need the appropriate license, and your role needs All privileges for the Action and Connectors feature. For more information, refer to Cases requirements.

To create a new connector:

  1. From the Incident management system list, select Add new connector.
  2. Select the system to send cases to: ServiceNow, Jira, IBM Resilient, Swimlane, or Webhook - Case Management.

  3. Enter your required settings. For connector configuration details, refer to:

To change the settings of an existing connector:

  1. Select the required connector from the incident management system list.
  2. Click Update <connector name>.
  3. In the Edit connector flyout, modify the connector fields as required, then click Save & close to save your changes.

To change the default connector used to send cases to external systems, select the required connector from the incident management system list.

Mapped case fields
edit

When you export an Elastic Security case to an external system, case fields are mapped to existing fields in ServiceNow, Jira, IBM Resilient, and Swimlane. For the Webhook - Case Management connector, case fields can be mapped to custom or pre-existing fields in the external system you’re connecting to.

Once fields are mapped, you can push updates to external systems, and mapped fields are overwritten or appended. Retrieving data from external systems is not supported.

Case field

Mapped field

Title

The case Title field is mapped to corresponding fields in external systems. Mapped field values are overwritten when you push updates.

  • ServiceNow: Short description
  • Jira: Summary
  • IBM Resilient: Name
  • Swimlane: Description

Description

The case Description field is mapped to the Description field in all systems. Mapped field values are overwritten when you push updates.

Comments

The case Comments field is mapped to corresponding fields in external systems.

  • ServiceNow: Work Notes
  • Jira: Comments
  • IBM Resilient: Comments
  • Swimlane: Comments

New and edited comments are added to incident records when pushed to ServiceNow, Jira, or IBM Resilient. Comments pushed to Swimlane are appended to the Comment field in Swimlane and posted individually.

Custom fields

edit

You can add optional and required fields for customized case collaboration.

  1. In the Custom fields section, click Add field.

    Add a custom field in case settings
  2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value.

When you create a custom field, it’s added to all new and existing cases. In existing cases, new custom text fields initially have null values.

You can subsequently remove or edit custom fields on the Settings page.

Templates

edit

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can make the case creation process faster and more consistent by adding templates. A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.

To create a template:

  1. In the Templates section, click Add template.

    Add a template in case settings
  2. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector.

When users create cases, they can optionally select a template and use its values or override them.

If you update or delete templates, existing cases are unaffected.

« Open and manage cases Elastic Security APIs »