Configure external connections

Create and add external connectors to send cases to third-party systems.

You can push Elastic Security cases to these third-party systems:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane
  • Webhook - Case Management

To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set Elastic Security cases to automatically close when they are sent to external systems.

Requirements

To create connectors and send cases to external systems, you need the Security Analytics Complete project feature and the appropriate user role. For more information, refer to Cases prerequisites.

Create a new connector

  1. Go to Cases → Settings.

  2. From the Incident management system list, select Add new connector.

  3. Select the system to send cases to: ServiceNow, Jira, IBM Resilient, Swimlane, or Webhook - Case Management.

  4. Enter your required settings. For connector configuration details, refer to:

Mapped case fields

When you export an Elastic Security case to an external system, case fields are mapped to existing fields in ServiceNow, Jira, IBM Resilient, and Swimlane. For the Webhook - Case Management connector, case fields can be mapped to custom or pre-existing fields in the external system you're connecting to.

Once fields are mapped, you can push updates to external systems, and mapped fields are overwritten or appended. Retrieving data from external systems is not supported.

Case field | Mapped field

Title

The case Title field is mapped to corresponding fields in external systems. Mapped field values are overwritten when you push updates.

  • ServiceNow: Short description

  • Jira: Summary

  • IBM Resilient: Name

  • Swimlane: Description

Description

The case Description field is mapped to the Description field in all systems. Mapped field values are overwritten when you push updates.

Comments

The case Comments field is mapped to corresponding fields in external systems.

  • ServiceNow: Work Notes

  • Jira: Comments

  • IBM Resilient: Comments

  • Swimlane: Comments

New and edited comments are added to incident records when pushed to ServiceNow, Jira, or IBM Resilient. Comments pushed to Swimlane are appended to the Comment field in Swimlane and posted individually.

Close sent cases automatically

To close cases when they are sent to an external system, select Automatically close Security cases when pushing new incident to external system.

Change the default connector

To change the default connector used to send cases to external systems, go to Cases → Settings and select the required connector from the Incident management system list.

Add connectors

After you create a case, you can add connectors to it. From the case details page, go to External incident management system, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.

Modify connector settings

To change the settings of an existing connector:

  1. Go to Cases → Settings.
  2. Select the required connector from the Incident management system list.
  3. Click Update <connector name>.
  4. In the Edit connector flyout, modify the connector fields as required, then click Save & close to save your changes.