A newer version is available. For the latest information, see the current release documentation.
« Cases (beta) SIEM APIs »
Elastic Docs SIEM Guide [7.7] Cases (beta)

Configuring external connections

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Configuring external connections

edit

You can push new cases and case updates to ServiceNow. To do this, you need to create a connector, which stores the information required to push cases to ServiceNow via ServiceNow’s Table API. After you have created a connector, you can set SIEM cases to automatically close when they are sent to ServiceNow.

To create a ServiceNow connector and send cases to ServiceNow, you need the appropriate license.

Create a new connector

edit

  1. Go to SIEMCasesEdit external connection.

    cases ui connector

  2. Click Add new connector option, and then click ServiceNow.

    cases ui sn connector

  3. Fill in the following:

    • Connector name: A name for the connector.
    • URL: The URL of the ServiceNow instance to which you want to send cases.
    • Username: The username of the ServiceNow account used to access the ServiceNow instance.
    • Password: The password of the ServiceNow account used to access the ServiceNow instance.

  4. To represent a SIEM case as a ServiceNow incident, these SIEM case fields are mapped to ServiceNow incidents fields as follows:

    • Title: Mapped to the ServiceNow Short description field. When an update to a SIEM case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
    • Description: Mapped to the ServiceNow Description field. When an update to a SIEM case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
    • Comments: Mapped to the ServiceNow Comments field. When a comment is updated in a SIEM case, a new comment is added to the ServiceNow incident.
  5. Save the connector.

Close sent cases automatically

edit

To close cases when they are sent to ServiceNow, select the Automatically close SIEM cases when pushing new incident to third-party option.

Change and update connectors

edit

You can create additional connectors, update existing connectors, and change the connector used to send cases to ServiceNow.

  1. To change the connector used to send cases to ServiceNow:

    1. Go to SIEMCasesEdit external connection.
    2. Select the required connector from the Incident management system list.

  2. To update an existing connector:

    1. Click Update connector.
    2. Update the connector fields as required.
« Cases (beta) SIEM APIs »