Actions API (for pushing cases to external systems)edit

You can push Elastic Security cases to these third-party systems:

  • ServiceNow
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane
  • Webhook - Case Management

To push cases, you need to create a connector, which stores the information required to communicate with the external system.

Elastic Security uses these external APIs to send cases:

  • ServiceNow: Import Set API

    ServiceNow ITSM and SecOps connectors created in Elastic Stack version 7.15.0 or earlier use the Table API. They are marked as deprecated after you upgrade to version 7.16.0 or later and must be updated to ensure you have access to new connector enhancements. For example, you can push incident updates from cases using connectors created in version 7.15.0 or earlier. However, pushing incident updates from rules is a newer enhancement and you must update your connector or create a new one to use it.

  • Jira: REST API v2
  • IBM Resilient: Resilient REST API
  • Swimlane: Swimlane REST API

To send cases to an external system and keep the Elastic Security UI updated:

  1. Create connector: Create the connector.
  2. Create case: Create a case with the connector from the previous step.
  3. Push case: Push the case to the external system.