Actions API (for pushing cases to external systems)

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

You can push SIEM cases to third-party systems, currently ServiceNow and Jira. This requires creating a connector using the Kibana Actions API, which stores the information required to interface with the external system. For ServiceNow, cases are sent via ServiceNow’s Table API. For Jira, the REST API v2 is used.

To send cases to an external system and keep the SIEM UI updated:

  1. Create connector: Create the connector (Actions API).
  2. Set default SIEM UI connector or Update case configurations: If required, configure connector options (Cases API).
  3. Create or update an external incident: Send the case to an external system (Actions API). You must store the returned data as it is required for updating the SIEM case.
  4. Add external details to case: Update the SIEM case with the associated external system data returned in step 3 (Cases API).
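The four steps above as one script, added here as an illustration and not Elastic's own code. The endpoint paths (`/api/action`, `/api/action/{id}/_execute`, `/api/cases/configure`, `/api/cases/{id}/_push`), the request bodies and the shape of the execute response are assumptions about the 7.x-era Actions and Cases APIs and must be checked against the API reference for the deployed Kibana version; the connector id, incident number and URLs are constructed sample values. The HTTP transport is injected so the sequence can be exercised offline, which also makes the data dependency between step 3 and step 4 explicit: the `data` returned by the execute call is the only record of the external incident, so it is captured and written back onto the case rather than discarded.

```python
"""Push a SIEM case to ServiceNow via the Kibana Actions/Cases APIs (assumed endpoints)."""
import json
import urllib.request


def kibana_transport(base_url, auth_header):
    """Real transport: POST JSON to Kibana. kbn-xsrf is required by Kibana on
    state-changing requests; auth_header carries the Kibana user's credentials."""
    def send(method, path, body):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                     "Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def fake_transport():
    """Offline stand-in for Kibana returning constructed responses; records every
    request so the call sequence and bodies can be inspected."""
    calls = []
    def send(method, path, body):
        calls.append((method, path, body))
        if path == "/api/action":                       # step 1 (constructed id)
            return {"id": "conn-1234", "name": body["name"]}
        if path.endswith("/_execute"):                  # step 3 (constructed incident)
            return {"status": "ok", "actionId": path.split("/")[3],
                    "data": {"id": "INC0010002", "title": "INC0010002",
                             "url": "https://example.service-now.com/incident/INC0010002",
                             "pushedDate": "2020-01-01T00:00:00.000Z"}}
        return dict(body, case_id=path.split("/")[3])   # steps 2 and 4
    send.calls = calls
    return send


def create_servicenow_connector(send, name, api_url, username, password):
    # Step 1 (Actions API). The ServiceNow credentials are sent once and stored
    # server-side by Kibana; every later call refers to the connector by id only.
    return send("POST", "/api/action", {
        "name": name, "actionTypeId": ".servicenow",
        "config": {"apiUrl": api_url},
        "secrets": {"username": username, "password": password}})["id"]


def set_default_case_connector(send, connector_id, connector_name):
    # Step 2 (Cases API): make this connector the SIEM UI default (assumed body).
    return send("POST", "/api/cases/configure", {
        "connector_id": connector_id, "connector_name": connector_name,
        "closure_type": "close-by-user"})


def push_to_external(send, connector_id, case):
    # Step 3 (Actions API): execute the connector's pushToService sub-action and
    # return the external incident data, which step 4 needs (assumed shape).
    resp = send("POST", f"/api/action/{connector_id}/_execute", {
        "params": {"subAction": "pushToService",
                   "subActionParams": {"caseId": case["id"], "title": case["title"],
                                       "description": case["description"],
                                       "comments": case.get("comments", [])}}})
    if resp.get("status") != "ok":
        raise RuntimeError(f"push failed: {resp}")
    return resp["data"]


def add_external_details(send, case_id, connector_id, connector_name, external):
    # Step 4 (Cases API): write the step-3 result onto the SIEM case (assumed body).
    return send("POST", f"/api/cases/{case_id}/_push", {
        "connector_id": connector_id, "connector_name": connector_name,
        "external_id": external["id"], "external_title": external["title"],
        "external_url": external["url"]})


def push_case(send, case, connector_id, connector_name):
    """Steps 3 and 4 together: the external data never leaves this function unsaved."""
    external = push_to_external(send, connector_id, case)
    add_external_details(send, case["id"], connector_id, connector_name, external)
    return external


if __name__ == "__main__":
    send = fake_transport()   # swap for kibana_transport("https://kibana:5601", "Basic ...")
    cid = create_servicenow_connector(send, "ServiceNow", "https://example.service-now.com",
                                      "sn-user", "sn-password")
    set_default_case_connector(send, cid, "ServiceNow")
    case = {"id": "case-1", "title": "Suspicious login", "description": "constructed case"}
    print(push_case(send, case, cid, "ServiceNow"))
```

With the fake transport the script shows the exact order of calls and which fields flow from the execute response into the final `_push` body; replacing `fake_transport()` with `kibana_transport(...)` issues the same requests against a live Kibana.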