IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs SIEM Guide [7.7] Cases (beta)
« Cases (beta) SIEM APIs »

Configuring external connectionsedit

You can push new cases and case updates to ServiceNow. To do this, you need to create a connector, which stores the information required to push cases to ServiceNow via ServiceNow’s Table API. After you have created a connector, you can set SIEM cases to automatically close when they are sent to ServiceNow.

To create a ServiceNow connector and send cases to ServiceNow, you need the appropriate license.

Create a new connectoredit

  1. Go to SIEMCasesEdit external connection.

    cases ui connector

  2. Click Add new connector option, and then click ServiceNow.

    cases ui sn connector

  3. Fill in the following:

    • Connector name: A name for the connector.
    • URL: The URL of the ServiceNow instance to which you want to send cases.
    • Username: The username of the ServiceNow account used to access the ServiceNow instance.
    • Password: The password of the ServiceNow account used to access the ServiceNow instance.

  4. To represent a SIEM case as a ServiceNow incident, these SIEM case fields are mapped to ServiceNow incidents fields as follows:

    • Title: Mapped to the ServiceNow Short description field. When an update to a SIEM case title is sent to ServiceNow, the existing ServiceNow Short description field is overwritten.
    • Description: Mapped to the ServiceNow Description field. When an update to a SIEM case description is sent to ServiceNow, the existing ServiceNow Description field is overwritten.
    • Comments: Mapped to the ServiceNow Comments field. When a comment is updated in a SIEM case, a new comment is added to the ServiceNow incident.
  5. Save the connector.

Close sent cases automaticallyedit

To close cases when they are sent to ServiceNow, select the Automatically close SIEM cases when pushing new incident to third-party option.

Change and update connectorsedit

You can create additional connectors, update existing connectors, and change the connector used to send cases to ServiceNow.

  1. To change the connector used to send cases to ServiceNow:

    1. Go to SIEMCasesEdit external connection.
    2. Select the required connector from the Incident management system list.

  2. To update an existing connector:

    1. Click Update connector.
    2. Update the connector fields as required.
« Cases (beta) SIEM APIs »