A newer version is available. For the latest information, see the current release documentation.
« Actions API (for pushing cases to external systems) Update connector »
Elastic Docs SIEM Guide [7.7] SIEM APIs Actions API (for pushing cases to external systems)

Create connector

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Create connector

edit

Creates a ServiceNow connector, which can then be used to open ServiceNow incidents from SIEM cases.

Request URL

edit

POST <kibana host>:<port>/api/action

Request body

edit

A JSON object with these fields:

Name Type Description Required

actionTypeId

String

Must be: .servicenow.

Yes

config

config

Object containing the action’s configuration.

Yes

secrets

Object

Object containing the ServiceNow account credentials used to create and update incidents:

  • username (string): The account username.
  • password (string): The account password.

Yes

name

String

The registered ServiceNow connector.

Yes

config schema

Name Type Description Required

casesConfiguration

Object

Contains a mapping array, which determines how SIEM case fields are mapped to ServiceNow incident fields:

  • source (string): The name of the SIEM case field, which can be title, description, or comments.
  • target (string): The name of the mapped ServiceNow incident field. For example: short_description, description, and comments.
  • actionType (string): Determines whether SIEM case updates overwrite or append to the mapped ServiceNow incident fields. Valid values are overwrite and append.

Yes

apiUrl

String

URL of the ServiceNow instance.

Yes

Example request

edit
POST api/action
{
  "actionTypeId": ".servicenow",
  "config": {
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title", 
          "target": "short_description",
          "actionType": "overwrite"
        },
        {
          "source": "description", 
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments", 
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://dev87359.service-now.com"
  },
  "secrets": {
    "username": "admin",
    "password": "securePassword123!"
  },
  "name": "ServiceNow"
}

SIEM case title fields are mapped to ServiceNow short_description fields. When a SIEM title field is updated and sent to ServiceNow, the ServiceNow short_description field is overwritten.

SIEM case description fields are mapped to ServiceNow description fields. When a SIEM description field is updated and sent to ServiceNow, the ServiceNow description field is overwritten.

SIEM case comments fields are mapped to ServiceNow comments fields. When a SIEM comments field is updated and sent to ServiceNow, the updated text is appended to the ServiceNow comments field.

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON object with a connector id that is required to push cases to ServiceNow.

Example response

edit
{
  "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "actionTypeId": ".servicenow",
  "name": "ServiceNow",
  "config": {
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title",
          "target": "short_description",
          "actionType": "overwrite"
        },
        {
          "source": "description",
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments",
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://dev78437.service-now.com"
  }
}
« Actions API (for pushing cases to external systems) Update connector »