Elastic Cases events trigger an external SOAR

Hey all!

I have a big question for you guys. Does anybody know about the opportunity to trigger an external API from the Elastic Case?

I mean, is there a way to implement some webhook or index in Elastic that could collect and send somewhere events that occurred with Elastic Cases?

For example when the user creates a Case -> event "Case created" happens.

I'd like to automate some processes related to Elastic Security Cases using our SOAR system. At this point, we are migrating from TheHive to the full Elastic Security space and we are trying to integrate Elastic with our SOAR.

Now I have only two possible ways to do that:
send an event to the SOAR (something like webhook that collects events related to Elastic Security), or start some script manually from the Case body. But I don't know any possible ways to do it either.

Maybe someone has already been challenged with that.

Thank you!

Hey @yzaritskyi

Can this page be helpful to your question?

There is a webhook external integration option according to the documentation:

You can push Elastic Security cases to these third-party systems:

  • ServiceNow ITSM
  • ServiceNow SecOps
  • Jira (including Jira Service Desk)
  • IBM Resilient
  • Swimlane
  • Webhook - Case Management

Page dedicated to webhook connector: Webhook - Case Management connector and action | Kibana Guide [8.4] | Elastic

Thanks, Vitalii

Hi @yzaritskyi

You'll want to use the Webhook - Case Management connector as @vitaliidm pointed out. You can configure API actions for create case, update case, and case comment. There is also a blog post detailing an implementation in Jira that may be helpful to follow along with.
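To make the answer concrete, here is an added example (not code from Elastic, from the Kibana docs, or from anyone in this thread) that simulates the round trip between the Webhook - Case Management connector and a SOAR-side receiver: a case push, a later edit and a comment. The connector field names (`createIncidentUrl`, `createIncidentJson`, `createIncidentResponseKey`, `updateIncidentUrl`, `createCommentUrl`, ...) and the `{{{case.title}}}` / `{{{external.system.id}}}` variables are the ones the connector documentation uses; the URLs, the JSON templates, the credential, the `render_*` helpers that stand in for Kibana's template rendering, and the receiver itself are all hypothetical. Everything runs in-process, with no network.

```python
"""Simulated round trip between Kibana's Webhook - Case Management connector and a
SOAR-side receiver.  Added example, not code from Elastic or from the thread."""
import base64
import hmac
import json
import re
from typing import Any
from urllib.parse import urlsplit

# --- Kibana side: a hypothetical connector configuration -------------------
# Field names follow the Kibana connector docs; URLs and JSON templates are made up.
CONNECTOR = {
    "createIncidentUrl": "https://soar.example.internal/api/cases",
    "createIncidentMethod": "post",
    "createIncidentJson": '{"title": {{{case.title}}}, "description": {{{case.description}}},'
                          ' "tags": {{{case.tags}}}}',
    "createIncidentResponseKey": "id",  # key in the SOAR reply that carries the new incident id
    "updateIncidentUrl": "https://soar.example.internal/api/cases/{{{external.system.id}}}",
    "updateIncidentMethod": "put",
    "updateIncidentJson": '{"title": {{{case.title}}}, "description": {{{case.description}}}}',
    "createCommentUrl": "https://soar.example.internal/api/cases/{{{external.system.id}}}/comments",
    "createCommentMethod": "post",
    "createCommentJson": '{"body": {{{case.comment}}}}',
    # Constructed credential; in Kibana the connector's auth header is stored as a secret.
    "headers": {"Authorization": "Basic " + base64.b64encode(b"kibana:s3cret").decode()},
}

VAR = re.compile(r"\{\{\{([a-zA-Z.]+)\}\}\}")

def render_json(template: str, variables: dict[str, Any]) -> str:
    """Simplified stand-in (assumption) for the connector's rendering of JSON bodies:
    every {{{name}}} becomes the JSON encoding of the variable, so quotes and newlines
    in a case title cannot break the request body or inject extra fields."""
    return VAR.sub(lambda m: json.dumps(variables[m.group(1)]), template)

def render_url(template: str, variables: dict[str, Any]) -> str:
    """URL templates get the raw value (assumption), e.g. the external incident id."""
    return VAR.sub(lambda m: str(variables[m.group(1)]), template)

# --- SOAR side: a minimal receiver for the three connector actions ---------
SOAR_CREDENTIAL = b"kibana:s3cret"  # constructed
STORE: dict[str, dict] = {}

def _authorized(headers: dict[str, str]) -> bool:
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(value[6:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(presented, SOAR_CREDENTIAL)  # constant-time compare

def handle(method: str, url: str, headers: dict, body: str) -> tuple[int, dict]:
    """Dispatch one incoming request; returns (HTTP status, JSON reply)."""
    if not _authorized(headers):
        return 401, {"error": "unauthorized"}
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    parts = urlsplit(url).path.strip("/").split("/")
    if method == "post" and parts == ["api", "cases"]:
        if not isinstance(payload.get("title"), str) or not payload["title"].strip():
            return 400, {"error": "title is required"}
        incident_id = f"INC-{len(STORE) + 1}"
        STORE[incident_id] = {"title": payload["title"],
                              "description": payload.get("description", ""),
                              "tags": list(payload.get("tags", [])), "comments": []}
        return 201, {"id": incident_id}  # Kibana reads createIncidentResponseKey from here
    if method == "put" and len(parts) == 3 and parts[:2] == ["api", "cases"] and parts[2] in STORE:
        for key in ("title", "description"):
            if isinstance(payload.get(key), str):
                STORE[parts[2]][key] = payload[key]
        return 200, {"id": parts[2]}
    if (method == "post" and len(parts) == 4 and parts[:2] == ["api", "cases"]
            and parts[3] == "comments" and parts[2] in STORE):
        if not isinstance(payload.get("body"), str):
            return 400, {"error": "body is required"}
        STORE[parts[2]]["comments"].append(payload["body"])
        return 201, {"id": parts[2]}
    return 404, {"error": "unknown route"}

# --- End-to-end: what happens on case create, update and comment -----------
def simulate(case: dict, updated_title: str, comment: str) -> tuple[str, dict]:
    """Drive the three connector actions against the receiver, as Kibana would when a
    case is pushed, edited and commented on.  Returns the external id and SOAR record."""
    v = {"case.title": case["title"], "case.description": case["description"], "case.tags": case["tags"]}
    status, reply = handle(CONNECTOR["createIncidentMethod"], render_url(CONNECTOR["createIncidentUrl"], v),
                           CONNECTOR["headers"], render_json(CONNECTOR["createIncidentJson"], v))
    if status != 201:
        raise RuntimeError(f"create failed: {status} {reply}")
    v["external.system.id"] = reply[CONNECTOR["createIncidentResponseKey"]]  # Kibana keeps this id
    v["case.title"] = updated_title
    handle(CONNECTOR["updateIncidentMethod"], render_url(CONNECTOR["updateIncidentUrl"], v),
           CONNECTOR["headers"], render_json(CONNECTOR["updateIncidentJson"], v))
    v["case.comment"] = comment
    handle(CONNECTOR["createCommentMethod"], render_url(CONNECTOR["createCommentUrl"], v),
           CONNECTOR["headers"], render_json(CONNECTOR["createCommentJson"], v))
    return v["external.system.id"], STORE[v["external.system.id"]]

if __name__ == "__main__":
    print(simulate({"title": 'Phish "urgent"', "description": "Line1\nLine2", "tags": ["phishing"]},
                   "Phish (triaged)", "Sender blocked at the gateway"))
```

Two things the simulation makes visible that matter when wiring this up to a SOAR: the receiver must answer the create request with the key named in `createIncidentResponseKey`, because Kibana reuses that id in `updateIncidentUrl` and `createCommentUrl` for everything that follows; and the endpoint should authenticate the connector (here a Basic header compared in constant time) and validate the body rather than trusting whatever arrives, since the URL is reachable by anything that can talk to the SOAR.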

Hello @vitaliidm and @stephmilovic. Thank you a lot for your help! That is actually what I was seeking.

I appreciate your help. Elastic Team Members are the best!
