[SIEM][Cases] Static fields for Case connector

[SHolzhauer]

This would make it possible to set values for fields in the third party system (specifically ServiceNow) which will be propagated upon creation/updating. So these are static values.
You now have to manually go into the third party system and set the fields to the corresponding values.

Describe a specific use case for the feature:
When creating a case these values are automatically set.
On the configure external connector screen you get the option to set the name for an external field and its value.

Example fields

• caller_id
• category
• impact
• urgency

These are default SNOW fields.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[cnasikas]

Hi @SHolzhauer. Thank you for your feedback!

When an incident is created to ServiceNow the fields have the following defaults:

• category: Inquire / Help
• impact: 3 - Low
• urgency: 3 - Low

To my understanding, you need a way to provide different default values for these fields each time a case is being pushed to ServiceNow, right?

The caller_id can only be set to the user creating the incident (the user that is set up in the configure external connector).

[SHolzhauer]

Hi @SHolzhauer. Thank you for your feedback!

When an incident is created to ServiceNow the fields have the following defaults:

• category: Inquire / Help
• impact: 3 - Low
• urgency: 3 - Low

To my understanding, you need a way to provide different default values for these fields each time a case is being pushed to ServiceNow, right?

The caller_id we can only be set to the user creating the incident (the user that is set up in the configure external connector).

Hello @cnasikas

Sorry, I mistakingly put caller_id in there...

I would indeed like the ability to specify (other) values for fields present in ServiceNow. ServiceNow incidents consist of multiple fields and the ability to populate them from Kibana instead of having to go into ServiceNow to populate them would be great.

Example
Lets say you have a case which seems to be quite severe, in the current situation you'd create the incident in ServiceNow, open up ServiceNow and set the fields "impact" & "urgency" to 1.

[cnasikas]

That's an interesting feature. We discussed it with the team and we put it to our backlog. Thanks a lot for your contribution.

[SHolzhauer]

@cnasikas is there anything I could potentially help with on this?

[cnasikas]

Hi @SHolzhauer!

Sorry for the late reply. Thank you for your thought! We are working on it :). As you already have found, you can keep track of this issue: #75622.

[SHolzhauer]

@cnasikas No worries, I came across the other one.
I believe this issue is now a duplicate, if so it can be closed.

[cnasikas]

Closed in favor of #75622

[cnasikas]

Urgency, severity, and impact were implemented in #77327.