Create connector

Creates a ServiceNow connector, which can then be used to open ServiceNow incidents from SIEM cases.

Request URL

POST <kibana host>:<port>/api/action

Request body

A JSON object with these fields:

| Name | Type | Description | Required |
|------|------|-------------|----------|
| actionTypeId | String | Must be: .servicenow. | Yes |
| config | Object | Object containing the action’s configuration. | Yes |
| secrets | Object | Object containing the ServiceNow account credentials used to create and update incidents. username (string): The account username. password (string): The account password. | Yes |
| name | String | The registered ServiceNow connector. | Yes |

config schema

| Name | Type | Description | Required |
|------|------|-------------|----------|
| casesConfiguration | Object | Contains a mapping array, which determines how SIEM case fields are mapped to ServiceNow incident fields. source (string): The name of the SIEM case field, which can be title, description, or comments. target (string): The name of the mapped ServiceNow incident field. For example: short_description, description, and comments. actionType (string): Determines whether SIEM case updates overwrite or append to the mapped ServiceNow incident fields. Valid values are overwrite and append. | Yes |
| apiUrl | String | URL of the ServiceNow instance. | Yes |

Example request

POST api/action
{
  "actionTypeId": ".servicenow",
  "config": {
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title", 
          "target": "short_description",
          "actionType": "overwrite"
        },
        {
          "source": "description", 
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments", 
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://dev87359.service-now.com"
  },
  "secrets": {
    "username": "admin",
    "password": "securePassword123!"
  },
  "name": "ServiceNow"
}

SIEM case title fields are mapped to ServiceNow short_description fields. When a SIEM title field is updated and sent to ServiceNow, the ServiceNow short_description field is overwritten.

SIEM case description fields are mapped to ServiceNow description fields. When a SIEM description field is updated and sent to ServiceNow, the ServiceNow description field is overwritten.

SIEM case comments fields are mapped to ServiceNow comments fields. When a SIEM comments field is updated and sent to ServiceNow, the updated text is appended to the ServiceNow comments field.
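
As an added example (not part of the original documentation or of Kibana's own code), the following Python code checks a request body against the two schema tables above before it is sent, and assembles the body with credentials read from the environment instead of literals in the request. The function names, the environment variable names SNOW_USERNAME and SNOW_PASSWORD, and the https requirement on apiUrl are assumptions of this example.

```python
import os

# Allowed values, taken from the schema tables on this page.
CASE_FIELDS = ("title", "description", "comments")
ACTION_TYPES = ("overwrite", "append")


def _obj(parent, key):
    """Return parent[key] if it is a JSON object, else an empty dict."""
    value = parent.get(key)
    return value if isinstance(value, dict) else {}


def validate_connector(body):
    """Return a list of schema problems; an empty list means the body passes."""
    errors = [f"missing required field: {k}"
              for k in ("actionTypeId", "config", "secrets", "name") if k not in body]
    if body.get("actionTypeId", ".servicenow") != ".servicenow":
        errors.append("actionTypeId must be .servicenow")
    config, secrets = _obj(body, "config"), _obj(body, "secrets")
    api_url = config.get("apiUrl")
    # Assumption (not stated on the page): require https, because the
    # connector sends the account credentials to this URL.
    if not (isinstance(api_url, str) and api_url.startswith("https://") and len(api_url) > 8):
        errors.append("config.apiUrl must be an https URL")
    mapping = _obj(config, "casesConfiguration").get("mapping")
    if not isinstance(mapping, list) or not mapping:
        errors.append("config.casesConfiguration.mapping must be a non-empty array")
        mapping = []
    for i, m in enumerate(mapping):
        m = m if isinstance(m, dict) else {}
        if m.get("source") not in CASE_FIELDS:
            errors.append(f"mapping[{i}].source must be title, description or comments")
        if not isinstance(m.get("target"), str) or not m["target"]:
            errors.append(f"mapping[{i}].target must be a non-empty string")
        if m.get("actionType") not in ACTION_TYPES:
            errors.append(f"mapping[{i}].actionType must be overwrite or append")
    for key in ("username", "password"):
        if not isinstance(secrets.get(key), str) or not secrets[key]:
            errors.append(f"secrets.{key} must be a non-empty string")
    return errors


def build_connector(api_url, mapping, env=os.environ, name="ServiceNow"):
    """Assemble the request body with credentials read from the environment."""
    secrets = {"username": env.get("SNOW_USERNAME", ""),  # hypothetical variable names
               "password": env.get("SNOW_PASSWORD", "")}
    config = {"casesConfiguration": {"mapping": mapping}, "apiUrl": api_url}
    return {"actionTypeId": ".servicenow", "config": config, "secrets": secrets, "name": name}
```

Call validate_connector on the output of build_connector and send the POST only when the returned list is empty.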

Response code

200
Indicates a successful call.

Response payload

A JSON object with a connector id that is required to push cases to ServiceNow.

Example response

{
  "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "actionTypeId": ".servicenow",
  "name": "ServiceNow",
  "config": {
    "casesConfiguration": {
      "mapping": [
        {
          "source": "title",
          "target": "short_description",
          "actionType": "overwrite"
        },
        {
          "source": "description",
          "target": "description",
          "actionType": "overwrite"
        },
        {
          "source": "comments",
          "target": "comments",
          "actionType": "append"
        }
      ]
    },
    "apiUrl": "https://dev78437.service-now.com"
  }
}