Create or update an external incident

Creates a new or updates an existing external incident from a SIEM case.

You can only send cases to external systems after you have created a connector. After you have sent the case to an external system, you must call Add external details to case to update the SIEM case with the returned external incident details.

Request URL

POST <kibana host>:<port>/api/action/<connector ID>/_execute

URL parts

The URL must include the connector ID. Call Get current connector to retrieve the currently used connector ID, or Find connectors to retrieve all connector IDs.

Request body

A JSON object with these fields:

  • params (params, required): Contains the SIEM case details for which you are opening or updating an external incident.

params schema

  • subAction (string, required): The action to be performed. When opening or updating cases in external systems, must be: pushToService.
  • subActionParams (subActionParams, required): Case details to send to external systems.

subActionParams schema

  • caseId (string, required): The case ID.
  • createdAt (string, required): The time the case was created, using ISO 8601 with UTC notation. For example, 2020-03-31T06:40:21.674Z.
  • createdBy (object, required): The user who created the case:
      • fullName (string): The user’s full name.
      • username (string): The user’s username.
  • comments (object[], optional): Array containing case comments:
      • commentId (string, required): The comment ID.
      • comment (string, required): The comment text.
      • createdAt (string, required): The time the comment was created, using ISO 8601 with UTC notation.
      • createdBy (object, required): The user who created the comment, containing fullName and username fields.
      • updatedBy (object, optional): The user who last updated the comment, containing fullName and username fields.
  • description (string, optional): The case description.
  • externalId (string, optional): The external incident/issue ID. Required only when updating an existing ServiceNow incident or Jira issue.
  • title (string, required): The case title.
  • updatedAt (string, optional): The time the case was updated, using ISO 8601 with UTC notation.
  • updatedBy (object, optional): The user who last updated the case:
      • fullName (string): The user’s full name.
      • username (string): The user’s username.

When updating an existing case, call Get case or Find cases to retrieve the externalId. In the case JSON object, the externalId value is stored in the external_service field.

Example requests

Creates a new ServiceNow incident:

POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
      "createdAt": "2020-03-31T08:36:45.661Z",
      "createdBy": {
        "fullName": "Alan Hunley",
        "username": "ahunley"
      },
      "comments": [
        {
          "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
          "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
          "createdAt": "2020-03-31T08:37:33.240Z",
          "createdBy": {
            "fullName": "Ms Moneypenny",
            "username": "moneypenny"
          }
        }
      ],
      "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
      "title": "This case will self-destruct in 5 seconds"
    }
  }
}

Updates an existing ServiceNow incident:

POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
      "createdAt": "2020-03-31T08:36:45.661Z",
      "createdBy": {
        "fullName": "Alan Hunley",
        "username": "ahunley"
      },
      "comments": [
        {
          "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2",
          "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
          "createdAt": "2020-03-31T09:11:08.736Z",
          "createdBy": {
            "fullName": "Ms Moneypenny",
            "username": "moneypenny"
          }
        }
      ],
      "externalId": "cc6ef44bdb7300106ba884da0b9619cf",
      "title": "This case will self-destruct in 5 seconds"
    }
  }
}

Response code

200
Indicates a successful call.

Response payload

A JSON object with the ID and the URL of the external incident.

You need the returned information to associate it with the original SIEM case. To add the external incident details to the SIEM case, call Add external details to case.

Example response

{
  "status": "ok",
  "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "data": {
    "title": "INC0010012",
    "id": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "pushedDate": "2020-03-31T09:01:34.000Z"
      }
    ]
  }
}
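An added example, not Kibana's own code, that ties the request body schema and the response payload together: it checks a SIEM case dict against the subActionParams fields documented above (required fields, ISO 8601 UTC timestamps, fullName/username on user objects), wraps it in the pushToService envelope with externalId set only for an update, and pulls the incident ID, URL and push time out of the response for the follow-up Add external details to case call. The function names and the keys of the returned dict are my own choices, not part of the API.

```python
import re
from datetime import datetime, timezone

# Added example, not Kibana's own code: validates and wraps a pushToService body for
# POST /api/action/<connector ID>/_execute, then extracts the external incident details
# from the response for the follow-up call to Add external details to case.
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
REQUIRED_CASE_FIELDS = ("caseId", "createdAt", "createdBy", "title")
REQUIRED_COMMENT_FIELDS = ("commentId", "comment", "createdAt", "createdBy")

def _user_ok(obj):
    return isinstance(obj, dict) and "fullName" in obj and "username" in obj

def schema_errors(case):
    """Return violations of the documented subActionParams schema (empty list = valid)."""
    errors = [f"missing required field {f}" for f in REQUIRED_CASE_FIELDS if f not in case]
    for field in ("createdAt", "updatedAt"):
        if field in case and not ISO_UTC.match(str(case[field])):
            errors.append(f"{field} must use ISO 8601 with UTC notation (Z)")
    for field in ("createdBy", "updatedBy"):
        if field in case and not _user_ok(case[field]):
            errors.append(f"{field} must contain fullName and username")
    for i, c in enumerate(case.get("comments", [])):
        errors += [f"comments[{i}] missing {f}" for f in REQUIRED_COMMENT_FIELDS if f not in c]
        if "createdAt" in c and not ISO_UTC.match(str(c["createdAt"])):
            errors.append(f"comments[{i}].createdAt must use ISO 8601 with UTC notation (Z)")
        if "createdBy" in c and not _user_ok(c["createdBy"]):
            errors.append(f"comments[{i}].createdBy must contain fullName and username")
    return errors

def build_push_request(case, external_id=None):
    """Wrap the case in the params/subAction envelope; external_id selects an update."""
    errors = schema_errors(case)
    if errors:
        raise ValueError("; ".join(errors))
    params = dict(case)
    if external_id is not None:
        # Updating: externalId is the value stored in the case's external_service field.
        params["externalId"] = external_id
    return {"params": {"subAction": "pushToService", "subActionParams": params}}

def external_details(response):
    """Return the incident ID, URL, title and push time needed to link the SIEM case."""
    if response.get("status") != "ok":
        raise RuntimeError(f"connector call did not succeed: {response.get('status')}")
    data = response["data"]
    pushed = datetime.strptime(data["pushedDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"id": data["id"], "url": data["url"], "title": data["title"],
            "pushedDate": pushed.replace(tzinfo=timezone.utc)}
```

Send the dict returned by build_push_request as the JSON body of the _execute request; a ValueError before the call is cheaper than a rejected request from the connector.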