Create or update an external incident

Creates a new or updates an existing ServiceNow incident from a SIEM case.

You can only send cases to external systems after you have created a connector. After you have sent the case to ServiceNow, you must call Add external details to case to update the SIEM case with the returned ServiceNow incident details.

Request URL

POST <kibana host>:<port>/api/action/<connector ID>/_execute

URL parts

The URL must include the ServiceNow connector ID. Call Get current connector to retrieve the currently used connector ID, or Find connectors to retrieve all connector IDs.

Request body

A JSON object with these fields (name, type, description, required):

params (params schema, required): Contains the SIEM case details for which you are opening a ServiceNow incident.

params schema (name, type, description, required):

caseId (String, required): The case ID.

createdAt (String, required): The time the case was created, using ISO 8601 with UTC notation. For example, 2020-03-31T06:40:21.674Z.

createdBy (Object, required): The user who created the case:
  • fullName (string): The user’s full name.
  • username (string): The user’s username.

comments (Object[], optional): Array containing case comments:
  • commentId (string, required): The comment ID.
  • comment (string, required): The comment text.
  • createdAt (string, required): The time the comment was created, using ISO 8601 with UTC notation.
  • createdBy (object, required): The user who created the comment, containing fullName and username fields.
  • updatedBy (object, optional): The user who last updated the comment, containing fullName and username fields.

description (String, optional): The case description.

incidentId (String, optional): The ServiceNow incident ID. Required when updating an existing ServiceNow incident.

title (String, required): The case title.

updatedAt (String, optional): The time the case was updated, using ISO 8601 with UTC notation.

updatedBy (Object, optional): The user who last updated the case:
  • fullName (string): The user’s full name.
  • username (string): The user’s username.

When updating an existing case, call Get case or Find cases to retrieve the incidentId. In the case JSON object, the incidentId value is stored in the external_id field.

Example requests

Creates a new ServiceNow incident:

POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
    "createdAt": "2020-03-31T08:36:45.661Z",
    "createdBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    },
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "createdAt": "2020-03-31T08:37:33.240Z",
        "createdBy": {
          "fullName": "Ms Moneypenny",
          "username": "moneypenny"
        }
      }
    ],
    "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
    "title": "This case will self-destruct in 5 seconds"
  }
}

Updates an existing ServiceNow incident:

POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
    "createdAt": "2020-03-31T08:36:45.661Z",
    "createdBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    },
    "comments": [
      {
        "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2",
        "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "createdAt": "2020-03-31T09:11:08.736Z",
        "createdBy": {
          "fullName": "Ms Moneypenny",
          "username": "moneypenny"
        }
      }
    ],
    "incidentId": "cc6ef44bdb7300106ba884da0b9619cf",
    "title": "This case will self-destruct in 5 seconds"
  }
}

Response code

200
Indicates a successful call.

Response payload

A JSON object with the ServiceNow incident number and a link to the ServiceNow incident.

You need the returned information to associate it with the original SIEM case. To add the ServiceNow incident details to the SIEM case, call Add external details to case.

Example response

{
  "status": "ok",
  "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "data": {
    "number": "INC0010012",
    "incidentId": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "pushedDate": "2020-03-31T09:01:34.000Z"
      }
    ]
  }
}
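The following added example (not part of this documentation page or the Kibana project) shows a client-side helper that builds the request body described above from a SIEM case object, enforcing the required fields and ISO 8601 UTC timestamps, treating a case whose external_id is set as an update (incidentId), and reading the response's data.comments to find which case comments ServiceNow did not confirm as pushed. The sample case and response are constructed from this page's example IDs, with a second comment added for illustration.

```python
import re
# Timestamps must use ISO 8601 with UTC "Z" notation, e.g. 2020-03-31T06:40:21.674Z.
ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
REQUIRED = ("caseId", "createdAt", "createdBy", "title")
OPTIONAL = ("comments", "description", "updatedAt", "updatedBy")
COMMENT_REQUIRED = ("commentId", "comment", "createdAt", "createdBy")

def build_execute_body(case):
    """Body for POST /api/action/<connector ID>/_execute from a SIEM case object. An
    external_id on the case (set by an earlier push) becomes params.incidentId (update)."""
    missing = [k for k in REQUIRED if k not in case]
    if missing:
        raise ValueError(f"missing required params: {missing}")
    params = {k: case[k] for k in REQUIRED + OPTIONAL if k in case}
    for field in ("createdAt", "updatedAt"):
        if field in params and not ISO_8601_UTC.match(params[field]):
            raise ValueError(f"{field} is not ISO 8601 UTC: {params[field]!r}")
    for comment in params.get("comments", []):
        if any(k not in comment for k in COMMENT_REQUIRED):
            raise ValueError(f"comment {comment.get('commentId')!r} lacks a required field")
    if case.get("external_id"):
        params["incidentId"] = case["external_id"]
    return {"params": params}

def unpushed_comment_ids(case, response):
    """IDs of case comments that the response's data.comments did not confirm as pushed."""
    if response.get("status") != "ok":
        raise RuntimeError(f"connector returned status {response.get('status')!r}")
    pushed = {c["commentId"] for c in response["data"].get("comments", [])}
    return [c["commentId"] for c in case.get("comments", []) if c["commentId"] not in pushed]

# Constructed sample data reusing this page's example IDs, plus a second, not-yet-pushed comment.
_USER = {"fullName": "Ms Moneypenny", "username": "moneypenny"}
SAMPLE_CASE = {
    "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
    "createdAt": "2020-03-31T08:36:45.661Z",
    "createdBy": {"fullName": "Alan Hunley", "username": "ahunley"},
    "title": "This case will self-destruct in 5 seconds",
    "comments": [
        {"commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2", "comment": "first",
         "createdAt": "2020-03-31T08:37:33.240Z", "createdBy": _USER},
        {"commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2", "comment": "second",
         "createdAt": "2020-03-31T09:11:08.736Z", "createdBy": _USER},
    ],
}
SAMPLE_RESPONSE = {"status": "ok", "data": {
    "number": "INC0010012", "incidentId": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "comments": [{"commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
                  "pushedDate": "2020-03-31T09:01:34.000Z"}]}}
```

Any comment ID returned by unpushed_comment_ids is one to include in the next _execute call for the same incident.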