Configure external connectionsedit
You can push Elastic Security cases to these third-party systems:
- ServiceNow ITSM
- ServiceNow SecOps
- Jira (including Jira Service Desk)
- IBM Resilient
- Swimlane
To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.
To create connectors and send cases to external systems, you need the appropriate license, and your role needs All privileges for the Action and Connectors feature. For more information, refer to Cases prerequisites.
Create a new connectoredit
-
Go to Investigate → Cases → Edit external connection.
- From the Incident management system list, select Add new connector.
-
Select the system to send cases to: ServiceNow, Jira, IBM Resilient, or Swimlane.
If you’ve upgraded from Elastic Stack version 7.15.0 or earlier to 7.16.0 or later, you must complete several prerequisites before creating a new ServiceNow ITSM or ServiceNow SecOps connector. For more information, refer to prerequisites for ServiceNow ITSM and ServiceNow SecOps.
-
Enter your required settings.
Connector name
Name for the connector.
URL
(IBM Resilient and Jira only) The URL of the external system to which you want to send cases.
ServiceNow instance URL
(ServiceNow only) The URL of the ServiceNow instance to which you want to send cases.
Use OAuth authentication
(ServiceNow only) Enable this to use open authorization (OAuth) to authenticate a connection between Elastic and ServiceNow.
To use open authorization (OAuth), you must create an RSA keypair and add an X.509 Certificate and also create an OAuth JWT API endpoint for external clients with a JWT Verifiers Map.
API URL
(Swimlane only) The URL of the Swimlane instance to which you want to send cases.
Organization ID
(IBM Resilient only) Your organization’s IBM Resilient ID number.
Application ID
(Swimlane only) The application ID of your Swimlane application. From Swimlane, you can find the application ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it.
Username
(ServiceNow only and displays if Use OAuth authentication is turned off) The username of the ServiceNow account used to access the ServiceNow instance.
Password
(ServiceNow only and displays if Use OAuth authentication is turned off) The password of the ServiceNow account used to access the ServiceNow instance.
Client ID
(ServiceNow only and displays if Use OAuth authentication is turned on) The client ID assigned to your OAuth application.
User Identifier
(ServiceNow only and displays if Use OAuth authentication is turned on) Identifier to use for OAuth type authentication. Use the value you entered into the User field when you created an OAuth JWT API endpoint for external clients.
JWT Verifier Key ID
(ServiceNow only and displays if Use OAuth authentication is turned on) The key ID assigned to the JWT Verifier Map of your OAuth application.
Client Secret
(ServiceNow only and displays if Use OAuth authentication is turned on) The client secret assigned to your OAuth application.
Private Key
(ServiceNow only and displays if Use OAuth authentication is turned on) The RSA private key generated when you created an RSA keypair.
Private Key Password
(ServiceNow only and displays only if Use OAuth authentication is turned on) The The password for the RSA private key generated during setup, if set.
Project key
(Jira only) The key of the Jira project to which you are sending cases.
Email address
(Jira only) The Jira account username or email.
API token
(Jira only) The API token or password is used to authenticate Jira updates.
API key ID
(IBM Resilient only) The API key is used to authenticate IBM Resilient updates.
API key secret
(IBM Resilient only) The API key secret is used to authenticate IBM Resilient updates.
API token
(Swimlane only) The Swimlane API authentication token is used for HTTP Basic authentication. This is the personal access token for your user role.
-
Choose the connector type (Swimlane only):
All
You can choose to set all or no field mappings when creating your new Swimlane connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule.
Alerts
Provide an alert ID and rule name.
Cases
Provide a case ID, a case name, comments, and a description.
- Save the connector.
To learn how to connect Elastic Security to Jira, check out the tutorial at the end of this topic.
Mapped case fieldsedit
To represent an Elastic Security case in an external system, Elastic Security case fields are mapped as follows:
Data from mapped case fields can be pushed to external systems but cannot be pulled in.
-
For ServiceNow incidents:
Title
Mapped to the ServiceNow
Short descriptionfield. When an update to a case title is sent to ServiceNow, the existing ServiceNowShort descriptionfield is overwritten.Description
Mapped to the ServiceNow
Descriptionfield. When an update to a case description is sent to ServiceNow, the existing ServiceNowDescriptionfield is overwritten.Comments
Mapped to the ServiceNow
Work Notesfield. When a comment is updated in a case, a new comment is added to the ServiceNow incident. -
For Jira issues:
Title
Mapped to the Jira
Summaryfield. When an update to a case title is sent to Jira, the existing JiraSummaryfield is overwritten.Description
Mapped to the Jira
Descriptionfield. When an update to a case description is sent to Jira, the existing JiraDescriptionfield is overwritten.Comments
Mapped to the Jira
Commentsfield. When a comment is updated in a case, a new comment is added to the Jira incident. -
For IBM Resilient issues:
Title
Mapped to the IBM Resilient
Namefield. When an update to a case title is sent to IBM Resilient, the existing IBM ResilientNamefield is overwritten.Description
Mapped to the IBM Resilient
Descriptionfield. When an update to a case description is sent to IBM Resilient, the existing IBM ResilientDescriptionfield is overwritten.Comments
Mapped to the IBM Resilient
Commentsfield. When a comment is updated in a case, a new comment is added to the IBM Resilient incident. -
For Swimlane records:
Title
Mapped to the Swimlane
caseNamefield. When an update to a case title is sent to Swimlane, the field that is mapped to the SwimlanecaseNamefield is overwritten.Description
Mapped to the Swimlane
Descriptionfield. When an update to a case description is sent to Swimlane, the field that is mapped to the SwimlaneDescriptionfield is overwritten.Comments
Mapped to the Swimlane
Commentsfield. When a new comment is added to a case, or an existing one is updated, the field that is mapped to the SwimlaneCommentfield is appended. Comments are posted to the Swimlane incident record individually.
Close sent cases automaticallyedit
To close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.
Change the default connectoredit
To change the default connector used to send cases to external systems, go to Cases → Edit external connection and select the required connector from the Incident management system list.
Add connectorsedit
After you create a case, you can add connectors to it. From the case details page, go to External incident management system, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.
Modify connector settingsedit
To change the settings of an existing connector:
- Go to Investigate → Cases → Edit external connection.
- Select the required connector from the Incident management system list.
- Click Update <connector name>.
- In the Edit connector flyout, modify the connector fields as required, then click Save & close to save your changes.
Tutorial: Connect Elastic Security to Jiraedit
To learn how to connect Elastic Security to Jira, check out the following tutorial.
