Create or update an external incident
Creates a new or updates an existing ServiceNow incident from a SIEM case.
You can only send cases to external systems after you have created a connector. After you have sent the case to ServiceNow, you must call Add external details to case to update the SIEM case with the returned ServiceNow incident details.
Request URL
POST <kibana host>:<port>/api/action/<connector ID>/_execute
URL parts
The URL must include the ServiceNow connector ID. Call Get current connector to retrieve the currently used connector ID, or Find connectors to retrieve all connector IDs.
Request body
A JSON object with these fields:

| Name | Type | Description | Required |
|---|---|---|---|
| params | Object | Contains the SIEM case details for which you are opening a ServiceNow incident. | Yes |

| Name | Type | Description | Required |
|---|---|---|---|
| caseId | String | The case ID. | Yes |
| createdAt | String | The time the case was created, using ISO 8601 with UTC notation. For example, | Yes |
| createdBy | Object | The user who created the case: | Yes |
| comments | Object[] | Array containing case comments: | No |
| description | String | The case description. | No |
| incidentId | String | The ServiceNow incident ID. Required when updating an existing ServiceNow incident. | No |
| title | String | The case title. | Yes |
|  | String | The time the case was updated, using ISO 8601 with UTC notation. | No |
|  | Object | The user who last updated the case: | No |

When updating an existing case, call Get case or Find cases to retrieve the incidentId. In the case JSON object, the incidentId value is stored in the external_id field.
Example requests
Creates a new ServiceNow incident:

```
POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
    "createdAt": "2020-03-31T08:36:45.661Z",
    "createdBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    },
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "createdAt": "2020-03-31T08:37:33.240Z",
        "createdBy": {
          "fullName": "Ms Moneypenny",
          "username": "moneypenny"
        }
      }
    ],
    "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active.",
    "title": "This case will self-destruct in 5 seconds"
  }
}
```

Updates an existing ServiceNow incident:

```
POST api/action/7349772f-421a-4de3-b8bb-2d9b22ccee30/_execute
{
  "params": {
    "caseId": "c1472f70-732a-11ea-a0b2-c51ea50a58e2",
    "createdAt": "2020-03-31T08:36:45.661Z",
    "createdBy": {
      "fullName": "Alan Hunley",
      "username": "ahunley"
    },
    "comments": [
      {
        "commentId": "8ef6d660-732f-11ea-a0b2-c51ea50a58e2",
        "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "createdAt": "2020-03-31T09:11:08.736Z",
        "createdBy": {
          "fullName": "Ms Moneypenny",
          "username": "moneypenny"
        }
      }
    ],
    "incidentId": "cc6ef44bdb7300106ba884da0b9619cf",
    "title": "This case will self-destruct in 5 seconds"
  }
}
```
Response code
200 - Indicates a successful call.
Response payload
A JSON object with the ServiceNow incident number and link to the ServiceNow incident.
You need the returned information to associate it with the original SIEM case. To add the ServiceNow incident details to the SIEM case, call Add external details to case.
Example response
```json
{
  "status": "ok",
  "actionId": "61787f53-4eee-4741-8df6-8fe84fa616f7",
  "data": {
    "number": "INC0010012",
    "incidentId": "62dc3c8bdb7300106ba884da0b9619ea",
    "pushedDate": "2020-03-31T09:01:33.000Z",
    "url": "https://dev78437.service-now.com/nav_to.do?uri=incident.do?sys_id=62dc3c8bdb7300106ba884da0b9619ea",
    "comments": [
      {
        "commentId": "dda30310-732a-11ea-a0b2-c51ea50a58e2",
        "pushedDate": "2020-03-31T09:01:34.000Z"
      }
    ]
  }
}
```
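The create-or-update decision and the response handling described above, as an added Python example (not code from this documentation). It builds the `_execute` request without sending it, forwards only the fields named in the request examples so that no other case data reaches the external system, and extracts the values needed for Add external details to case. The function names, the `kibana.example` host used when calling it, and the `kbn-xsrf` header are assumptions not shown on this page; authentication is left to the caller.

```python
import json
from urllib.parse import quote
from urllib.request import Request

REQUIRED = ("caseId", "createdAt", "createdBy", "title")
OPTIONAL = ("comments", "description")  # names taken from the example requests


def build_execute_request(kibana_url, connector_id, case, external_id=None):
    """Build (not send) the POST that pushes a SIEM case to ServiceNow.

    external_id is the value of the case's external_id field. When it is set,
    the request updates that incident instead of creating a new one.
    """
    missing = [name for name in REQUIRED if not case.get(name)]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    # Allowlist: anything else on the case object stays inside Kibana.
    params = {k: case[k] for k in REQUIRED + OPTIONAL if k in case}
    if external_id:
        params["incidentId"] = external_id
    # Percent-encode the connector ID so it cannot alter the request path.
    url = "%s/api/action/%s/_execute" % (
        kibana_url.rstrip("/"), quote(connector_id, safe=""))
    return Request(
        url,
        data=json.dumps({"params": params}).encode("utf-8"),
        method="POST",
        # Assumption: Kibana expects a kbn-xsrf header on POST requests.
        headers={"Content-Type": "application/json", "kbn-xsrf": "true"},
    )


def parse_push_result(payload):
    """Return the incident details to store back on the SIEM case."""
    if payload.get("status") != "ok":
        raise RuntimeError("connector execution failed: %r" % payload.get("status"))
    data = payload["data"]
    return {
        "number": data["number"],
        "incidentId": data["incidentId"],
        "url": data["url"],
        "pushedCommentIds": [c["commentId"] for c in data.get("comments", [])],
    }
```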