Get started with the Elasticsearch - Incident Enrichment integration

Elasticsearch is a distributed, RESTful search and analytics engine that integrates with Security Operations. Before you can use the Elasticsearch - Incident Enrichment integration, you must download it from the ServiceNow Store and configure it with the API Base URL of your Elasticsearch cluster and the login credentials that the instance uses to authenticate to that cluster.

Before you begin

Role required: sn_si.admin

Procedure

  1. Download the integration from the ServiceNow Store.
  2. When the installation is complete, access Elasticsearch and obtain the API Base URL under your Elasticsearch profile.
  3. In your instance, navigate to Security Operations > Integrations > Integration Configurations.
    The available security integrations appear as a series of cards.
  4. In the Elasticsearch - Incident Enrichment card, click New.
    Figure: Elastic configuration form
  5. Fill in the fields, as needed, including the API Base URL and the login credentials obtained earlier. Use a dedicated Elasticsearch account with only the privileges the integration needs, rather than a shared administrative account.
    Note: Configuring this integration activates workflows. To manage the workflows, navigate to the Workflow Editor.
  6. Click Submit.
    The integration configuration card displays.
  7. When viewing the new configuration card, you can click Configure or Delete to change or delete the configuration, respectively.
  8. To return to the original list of integration configuration cards, select No from the Show Configurations drop-down list.
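Before pasting the API Base URL and credentials into the configuration card, it is worth confirming from outside ServiceNow that the URL is the cluster root over https, that the credentials actually authenticate, and that the account is not an over-privileged one. The script below is an added example (not part of the ServiceNow or Elastic documentation); the host name, user name and index pattern are assumptions, and it uses only the standard Elasticsearch endpoints `GET /` and `GET /_security/_authenticate`.

```python
"""Pre-flight checks for an Elasticsearch endpoint and service account
before entering them into the Elasticsearch - Incident Enrichment card.
Added example; host, user and index pattern below are hypothetical."""
import base64
import json
import urllib.request
from urllib.parse import urlparse


def normalize_base_url(url: str) -> str:
    """Accept only an https URL pointing at the cluster root.

    A non-https URL would send the Basic credentials in clear text, and a
    URL with a path or query is almost always a copied Kibana link rather
    than the Elasticsearch API endpoint.
    """
    p = urlparse(url.strip())
    if p.scheme != "https":
        raise ValueError("API Base URL must use https")
    if not p.hostname:
        raise ValueError("API Base URL has no host")
    if p.username or p.password:
        raise ValueError("do not embed credentials in the URL; use the credential fields")
    if p.path not in ("", "/") or p.query or p.fragment:
        raise ValueError("API Base URL must be the cluster root, without a path or query")
    port = f":{p.port}" if p.port else ""
    return f"https://{p.hostname}{port}"


def assess_identity(auth: dict) -> list:
    """Return findings about the account the integration would run as.

    `auth` is the JSON body returned by GET /_security/_authenticate.
    """
    findings = []
    roles = set(auth.get("roles", []))
    if "superuser" in roles:
        findings.append("account holds the superuser role; use a role with read-only index privileges")
    if auth.get("username") == "elastic":
        findings.append("account is the built-in elastic user; create a dedicated service account")
    if not auth.get("enabled", True):
        findings.append("account is disabled")
    if auth.get("authentication_type") == "anonymous":
        findings.append("request was accepted as anonymous; the credentials were not applied")
    return findings


def preflight(base_url: str, username: str, password: str, timeout: int = 10) -> dict:
    """Contact the cluster with the supplied credentials and summarise the result.

    TLS certificate validation is left at urllib's default (enabled); a
    self-signed certificate will fail here, which is the right time to fix it.
    """
    base = normalize_base_url(base_url)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    def get(path: str) -> dict:
        req = urllib.request.Request(base + path, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)

    info = get("/")                          # cluster name and version
    auth = get("/_security/_authenticate")   # who the credentials resolve to
    return {
        "base_url": base,
        "cluster": info.get("cluster_name"),
        "version": info.get("version", {}).get("number"),
        "user": auth.get("username"),
        "roles": auth.get("roles", []),
        "findings": assess_identity(auth),
    }


# Constructed sample response, shaped like GET /_security/_authenticate output,
# so the assessment can be exercised without a live cluster.
SAMPLE_AUTH_RESPONSE = {
    "username": "elastic",
    "roles": ["superuser"],
    "enabled": True,
    "authentication_type": "realm",
}

if __name__ == "__main__":
    print(normalize_base_url("https://es.example.com:9200/"))   # hypothetical host
    for finding in assess_identity(SAMPLE_AUTH_RESPONSE):
        print("finding:", finding)
    # Against a real cluster (hypothetical values):
    # print(preflight("https://es.example.com:9200", "snow_enrich", "secret"))
```

If `preflight` reports findings, fix the account in Elasticsearch first (a role limited to `read` on the indices the enrichment queries, assigned to a dedicated user or API key), then enter the resulting credentials in the card.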

Result

After it is configured, the Elasticsearch - Incident Enrichment integration can be selected for publishing observables to watchlists in Security Incident Response.