Configure external connections

You can push Elastic Security cases to these third-party systems:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane

To push cases, you need to create a connector, which stores the information required to interact with an external system.

Preconfigured connectors cannot be used with cases.

After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.

To create connectors and send cases to external systems, you need the appropriate license, and your role needs All privileges for the Actions and Connectors feature. For more information, see Cases prerequisites.

Create a new connector

  1. Go to Investigate → Cases → Edit external connection.

  2. From the Incident management system list, select Add new connector.
  3. Select one of these:

    • ServiceNow: To send cases to ServiceNow

    If you’ve upgraded from Elastic Stack version 7.15.0 or earlier to version 7.16.0 or later, you must install Elastic for ITSM or Elastic for Security Operations (SecOps) on your ServiceNow instance and complete additional configuration steps before creating a new ServiceNow ITSM or SecOps connector. If you don’t, an error message displays and you cannot create the new connector. For more information, refer to ServiceNow SecOps and ServiceNow ITSM.

    • Jira: To send cases to Jira or Jira Service Desk
    • IBM Resilient: To send cases to IBM Resilient
    • Swimlane: To send cases to Swimlane
  4. Fill in the following:

    • Connector name: A name for the connector.
    • URL: The URL of the external system to which you want to send cases.
    • ServiceNow instance URL (for ServiceNow connectors only): The URL of the ServiceNow instance to which you want to send cases.
    • API Url (Swimlane connectors only): The URL of the Swimlane instance to which you want to send cases.
    • Organization ID (IBM Resilient connectors only): Your organization’s IBM Resilient ID number.
    • Application ID (Swimlane connectors only): The application ID of your Swimlane application. From Swimlane, you can find the application ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it.
    • Username (ServiceNow connectors only): The username of the ServiceNow account used to access the ServiceNow instance.
    • Password (ServiceNow connectors only): The password of the ServiceNow account used to access the ServiceNow instance.
    • Project key (Jira connectors only): The key of the Jira project to which you are sending cases.
    • Email address (Jira connectors only): The Jira account’s username or email address.
    • API token (Jira connectors only): The API token or password used to authenticate Jira updates.
    • API key ID (IBM Resilient connectors only): The API key used to authenticate IBM Resilient updates.
    • API key secret (IBM Resilient connectors only): The API key secret used to authenticate IBM Resilient updates.
    • API token (Swimlane connectors only): The Swimlane API authentication token used for HTTP Basic authentication. This is the personal access token for your user role.
  5. Choose the connector type (for Swimlane connectors only):

    • All: You can choose to set all or no field mappings when creating your new Swimlane connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. The prompts no longer display once you set up the required mappings.
    • Alerts: Provide an alert ID and rule name.
    • Cases: Provide a case ID, a case name, comments, and a description.
  6. Save the connector.

To see how to connect Elastic Security to Jira, watch the tutorial at the end of this topic.

To represent an Elastic Security case in an external system, Elastic Security case fields are mapped as follows:

Data from mapped case fields can be pushed to external systems but cannot be pulled in.

  • For ServiceNow incidents:

    • Title: Mapped to the ServiceNow Short description field. When an update to a Security case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
    • Description: Mapped to the ServiceNow Description field. When an update to a Security case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
    • Comments: Mapped to the ServiceNow Work Notes field. When a comment is updated in a Security case, a new comment is added to the ServiceNow incident.
  • For Jira issues:

    • Title: Mapped to the Jira Summary field. When an update to a Security case title is sent to Jira, the existing Jira Summary field is overwritten.
    • Description: Mapped to the Jira Description field. When an update to a Security case description is sent to Jira, the existing Jira Description field is overwritten.
    • Comments: Mapped to the Jira Comments field. When a comment is updated in a Security case, a new comment is added to the Jira incident.
  • For IBM Resilient issues:

    • Title: Mapped to the IBM Resilient Name field. When an update to a Security case title is sent to IBM Resilient, the existing IBM Resilient Name field is overwritten.
    • Description: Mapped to the IBM Resilient Description field. When an update to a Security case description is sent to IBM Resilient, the existing IBM Resilient Description field is overwritten.
    • Comments: Mapped to the IBM Resilient Comments field. When a comment is updated in a Security case, a new comment is added to the IBM Resilient incident.
  • For Swimlane records:

    • Title: Mapped to the Swimlane caseName field. When an update to a Security case title is sent to Swimlane, the field that is mapped to the Swimlane caseName field is overwritten.
    • Description: Mapped to the Swimlane Description field. When an update to a Security case description is sent to Swimlane, the field that is mapped to the Swimlane Description field is overwritten.
    • Comments: Mapped to the Swimlane Comments field. When a new comment is added to a Security case, or an existing one is updated, the field that is mapped to the Swimlane Comments field is appended. Comments are posted to the Swimlane incident record individually.

Close sent cases automatically

To close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.
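The connector fields from the "Create a new connector" procedure and the auto-close setting above can also be driven through Kibana's HTTP APIs. The following is an added example, not code from this page or from Elastic; it assumes the Kibana 7.16-era request shapes (POST /api/actions/connector with connector_type_id, config and secrets, and POST /api/cases/configure with closure_type), reads credentials from environment variables rather than hardcoding them, and refuses a non-HTTPS Jira URL because the API token is sent to the external system on every push. The KIBANA_URL and Jira hostnames are placeholders.

```python
import json
import os
import urllib.request
from urllib.parse import urlparse

# Placeholder Kibana endpoint; override with the KIBANA_URL environment variable.
KIBANA_URL = os.environ.get("KIBANA_URL", "https://kibana.example.internal:5601")


def build_jira_connector(name, api_url, project_key, email, api_token):
    """Body for POST /api/actions/connector creating a Jira connector (assumed API shape).

    Keys mirror the UI fields: URL, Project key, Email address, API token.
    Credentials live under "secrets" so Kibana stores them encrypted.
    """
    if urlparse(api_url).scheme != "https":
        raise ValueError("Jira URL must use https, got %r" % api_url)
    if not project_key or not project_key.isalnum():
        raise ValueError("Jira project key must be alphanumeric")
    return {
        "name": name,
        "connector_type_id": ".jira",
        "config": {"apiUrl": api_url.rstrip("/"), "projectKey": project_key},
        "secrets": {"email": email, "apiToken": api_token},
    }


def build_cases_configuration(connector_id, connector_name, auto_close):
    """Body for POST /api/cases/configure selecting the default connector (assumed shape).

    auto_close=True corresponds to the checkbox 'Automatically close Security
    cases when pushing new incident to external system'.
    """
    return {
        "connector": {"id": connector_id, "name": connector_name, "type": ".jira", "fields": None},
        "closure_type": "close-by-pushing" if auto_close else "close-by-user",
    }


def post_json(path, body, api_key):
    """POST JSON to Kibana; kbn-xsrf is required on all state-changing Kibana API calls."""
    req = urllib.request.Request(
        KIBANA_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": "ApiKey " + api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    key = os.environ["KIBANA_API_KEY"]
    body = build_jira_connector("Jira (SOC)", "https://jira.example.internal", "SEC",
                                os.environ["JIRA_EMAIL"], os.environ["JIRA_API_TOKEN"])
    connector = post_json("/api/actions/connector", body, key)
    print(post_json("/api/cases/configure",
                    build_cases_configuration(connector["id"], connector["name"], True), key))
```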

Change the default connector

To change the default connector used to send cases to external systems, go to Cases → Edit external connection and select the required connector from the Incident management system list.

You can also configure which connector is used for each case individually. See Open a new case.


Modify connector settings

To change the settings of an existing connector:

  1. Go to Investigate → Cases → Edit external connection.
  2. Select the required connector from the Incident management system list.
  3. Click Update <connector name>.
  4. In the Edit connector flyout, modify the connector fields as required, then click Save & close to save your changes.

Tutorial: Connect Elastic Security to Jira

To see how to connect Elastic Security to Jira, watch the following tutorial.