Elastic Security

1. Overview

Elastic Security is a comprehensive security solution that unifies SIEM (Security Information and Event Management), endpoint security, and cloud security to detect, investigate, and respond to threats in real-time. It is built on the Elastic Stack (Elasticsearch, Kibana, Beats, and Logstash), enabling powerful search, analysis, and visualization of security data.

The GoInsight Elastic Security node allows you to automate your security operations and incident response workflows. You can manage the entire lifecycle of security cases directly within your automated processes, including:

• Case Management: Create, retrieve, update, and delete security cases to track incidents.
• Case Enrichment: Add, remove, and retrieve comments and tags to enrich cases with contextual information.
• System Integration: Create connectors to integrate Elastic Security with other third-party systems like Jira, Slack, or ServiceNow.

2. Prerequisites

Before using this node, you must have a valid Elastic Security account with an active deployment. You will also need to generate an API Key with the necessary permissions to manage cases and connectors. You may need administrator-level access to your Elastic deployment to create these credentials.

3. Credentials

For a detailed guide on how to obtain and configure your credentials, please refer to our official documentation: Credentials Configuration Guide.

4. Supported Operations

Summary

This node provides operations centered around managing security Cases, their associated Comments and Tags, and system Connectors.

Operation Details

Create a Case

Creates a new case in Elastic Security

Input Parameters:

• Title: Case title (required)
• Owner: Case owner - values: cases, observability, or securitySolution (required)
• Description: Case description (optional)

Options:

• ConnectorId: Connector ID or 'none' for no connector (default: 'none')
• ConnectorName: Connector name (default: 'none')
• ConnectorType: Connector type - values: .none, .jira, .servicenow, etc. (default: '.none')
• Severity: Severity level - values: critical, high, medium, low (default: 'low')
• Tags: Comma-separated tags (optional)
• Assignees: Comma-separated user profile UIDs (optional)
• SpaceId: Kibana space ID (default: 'default')

Output:

• CaseId (string): The unique identifier of the newly created case.
• Title (string): The title of the case.
• Description (string): The description of the case.
• Status (string): The status of the case.
• Severity (string): The severity level of the case.
• Owner (string): The owner of the case.
• CreatedAt (string): The timestamp when the case was created in ISO 8601 format.
• CreatedBy (string): The username of the user who created the case.
• Tags (string-array): The tags associated with the case.
• Assignees (string-array): The user profile UIDs assigned to the case.
• TotalAlerts (number): The total number of alerts associated with the case.
• TotalComments (number): The total number of comments on the case.
• Version (string): The version of the case.
• StatusCode (number): Operation status code: 200 (created successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 409 (conflict), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Delete a Case

Deletes one or more cases in Elastic Security

Input Parameters:

• CaseIds: Comma-separated case IDs to delete (required)

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• DeletedCount (number): The number of cases successfully deleted.
• FailedCount (number): The number of cases that failed to delete.
• FailedItems (object-array): A list of failed deletion items with fields: CaseId, ErrorMessage.
• StatusCode (number): Operation status code: 204 (all succeeded), 400 (bad request), 401 (unauthorized), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Get a Case

Retrieves detailed information about a specific case in Elastic Security

Input Parameters:

• CaseId: The ID of the case to retrieve (required)

Options:

• IncludeComments: Whether to include comments in the response (default: false)
• SpaceId: Kibana space ID (default: 'default')

Output:

• CaseId (string): The unique identifier of the case.
• Title (string): The title of the case.
• Description (string): The description of the case.
• Status (string): The status of the case.
• Severity (string): The severity level of the case.
• Owner (string): The owner of the case.
• CreatedAt (string): The timestamp when the case was created in ISO 8601 format.
• CreatedBy (string): The username of the user who created the case.
• UpdatedAt (string): The timestamp when the case was last updated in ISO 8601 format.
• UpdatedBy (string): The username of the user who last updated the case.
• Tags (string-array): The tags associated with the case.
• Assignees (object-array): The user profile UIDs assigned to the case.
• TotalAlerts (number): The total number of alerts associated with the case.
• TotalComments (number): The total number of comments on the case.
• Comments (object-array): The comments associated with the case (only if IncludeComments is true).
• Version (string): The version of the case.
• StatusCode (number): Operation status code: 200 (success), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Get many Cases

Retrieves multiple cases from Elastic Security with pagination, filtering, and sorting support

Options:

• Page: Page number for pagination (default: 1)
• PerPage: Number of cases per page (default: 20, max: 100)
• SortField: Field to sort by: createdAt, updatedAt, title, status, severity (default: createdAt)
• SortOrder: Sort order: asc or desc (default: desc)
• Search: Search keyword to filter cases
• SearchFields: Comma-separated search fields (e.g., title,description)
• Status: Filter by status: open, in-progress, closed
• Owner: Filter by owner: cases, observability, securitySolution
• Assignees: Comma-separated assignee UIDs to filter by
• SpaceId: Kibana space ID (default: 'default')

Output:

• Cases (object-array): Array of case objects
• Page (number): Current page number
• PerPage (number): Number of cases per page
• Total (number): Total number of cases matching the filter
• StatusCode (number): Operation status code: 200 (success), 400 (bad request), 401 (authentication error), 403 (forbidden), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Get the Status of a Case

Retrieves the status and key information of a specific case from Elastic Security

Input Parameters:

• CaseId: Case ID to retrieve status for

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• CaseId (string): Case ID
• Title (string): Case title
• Status (string): Case status: open, in-progress, closed
• Severity (string): Case severity: critical, high, medium, low
• Owner (string): Case owner: cases, observability, securitySolution
• UpdatedAt (string): Last update time
• UpdatedBy (string): Last updated by username
• TotalAlerts (number): Total number of associated alerts
• TotalComments (number): Total number of comments
• StatusCode (number): Operation status code: 200 (success), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Update a Case

Updates an existing case in Elastic Security

Input Parameters:

• CaseId: Case ID to update (required)
• Version: Case version for concurrency control (required)

Options:

• Title: New case title (optional)
• Description: New case description (optional)
• Status: New case status - values: open, in-progress, closed (optional)
• Severity: New severity level - values: critical, high, medium, low (optional)
• Tags: Comma-separated tags (optional)
• Assignees: Comma-separated user profile UIDs (optional)
• SpaceId: Kibana space ID (default: 'default')

Output:

• CaseId (string): The unique identifier of the updated case.
• Title (string): The title of the case.
• Description (string): The description of the case.
• Status (string): The status of the case.
• Severity (string): The severity level of the case.
• Owner (string): The owner of the case.
• UpdatedAt (string): The timestamp when the case was updated in ISO 8601 format.
• UpdatedBy (string): The username of the user who updated the case.
• Tags (string-array): The tags associated with the case.
• Assignees (string-array): The user profile UIDs assigned to the case.
• Version (string): The version of the case.
• StatusCode (number): Operation status code: 200 (updated successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 409 (version conflict), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Add a Comment to a Case

Adds a comment to an existing case in Elastic Security

Input Parameters:

• CaseId: Case ID to add comment to (required)
• Comment: Comment content (required)

Options:

• CommentType: Comment type - values: user, alert (default: 'user')
• AlertId: Alert ID (required when comment type is 'alert')
• SpaceId: Kibana space ID (default: 'default')

Output:

• CommentId (string): The unique identifier of the comment.
• CaseId (string): The case ID associated with the comment.
• Comment (string): The comment content.
• Type (string): The comment type (user or alert).
• CreatedAt (string): The timestamp when the comment was created in ISO 8601 format.
• CreatedBy (string): The username of the user who created the comment.
• UpdatedAt (string): The timestamp when the comment was last updated in ISO 8601 format.
• UpdatedBy (string): The username of the user who last updated the comment.
• Version (string): The version of the comment.
• StatusCode (number): Operation status code: 200 (success), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Get a Case Comment

Retrieves a specific comment from a case in Elastic Security

Input Parameters:

• CaseId: Case ID (required)
• CommentId: Comment ID (required)

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• CommentId (string): The unique identifier of the comment.
• CaseId (string): The unique identifier of the case.
• Type (string): The type of comment - either 'user' or 'alert'.
• Comment (string): The content of the comment.
• CreatedAt (string): The timestamp when the comment was created in ISO 8601 format.
• CreatedBy (string): The username of the user who created the comment.
• UpdatedAt (string): The timestamp when the comment was last updated in ISO 8601 format.
• UpdatedBy (string): The username of the user who last updated the comment.
• Version (string): The version of the comment.
• StatusCode (number): Operation status code: 200 (retrieved successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Get many Case Comments

Retrieves multiple comments from a case in Elastic Security with pagination support

Input Parameters:

• CaseId: Case ID (required)

Options:

• Page: Page number for pagination (default: 1)
• PerPage: Number of comments per page (default: 20)
• SpaceId: Kibana space ID (default: 'default')

Output:

• Comments (object-array): Array of comment objects from the case.
• Page (number): The current page number.
• PerPage (number): The number of comments per page.
• Total (number): The total number of comments in the case.
• StatusCode (number): Operation status code: 200 (retrieved successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Remove a Comment from a Case

Removes a comment from a case in Elastic Security

Input Parameters:

• CaseId: Case ID (required)
• CommentId: Comment ID to remove (required)

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• Deleted (bool): Indicates whether the comment was successfully deleted.
• CaseId (string): The case ID from which the comment was removed.
• CommentId (string): The comment ID that was removed.
• StatusCode (number): Operation status code: 204 (deleted successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Update a Comment from a Case

Updates an existing comment in a case in Elastic Security

Input Parameters:

• CaseId: Case ID (required)
• CommentId: Comment ID to update (required)
• Comment: New comment content (required)
• Version: Comment version for concurrency control (required)

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• CommentId (string): The unique identifier of the updated comment.
• CaseId (string): The case ID containing the comment.
• Type (string): The type of comment (e.g., 'user' or 'alert').
• Comment (string): The updated comment content.
• CreatedAt (string): The timestamp when the comment was originally created in ISO 8601 format.
• CreatedBy (string): The username of the user who originally created the comment.
• UpdatedAt (string): The timestamp when the comment was last updated in ISO 8601 format.
• UpdatedBy (string): The username of the user who last updated the comment.
• Version (string): The new version of the comment after the update.
• StatusCode (number): Operation status code: 200 (updated successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 409 (conflict), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Add a Tag to a Case

Adds one or more tags to a case in Elastic Security

Input Parameters:

• CaseId: Case ID (required)
• Tags: Comma-separated tags to add (required)

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• Tags (string-array): Array of all tags currently associated with the case after the operation.
• StatusCode (number): Operation status code: 200 (tags added successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Remove a Tag from a Case

Removes one or more tags from a case in Elastic Security

Input Parameters:

• CaseId: Case ID (required)
• Tags: Comma-separated tags to remove (required)

Options:

• SpaceId: Kibana space ID (default: 'default')

Output:

• Tags (string-array): Array of remaining tags on the case after the operation.
• StatusCode (number): Operation status code: 200 (tags removed successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

Create a Connector

Creates a new connector in Elastic Security for integrating with external systems

Input Parameters:

• Name: Connector name (required)
• ConnectorTypeId: Connector type ID - select from available options (required)
• Config: Connector configuration as object or JSON string (required)
• Secrets: Connector secrets as object or JSON string (required)

Options:

• Description: Connector description (optional)

Output:

• ConnectorId (string): The unique identifier of the created connector.
• Name (string): The name of the connector.
• ConnectorTypeId (string): The type ID of the connector.
• Description (string): The description of the connector.
• Config (object): The configuration object of the connector.
• CreatedAt (string): The timestamp when the connector was created (ISO 8601 format).
• CreatedBy (string): The user who created the connector.
• UpdatedAt (string): The timestamp when the connector was last updated (ISO 8601 format).
• UpdatedBy (string): The user who last updated the connector.
• StatusCode (number): Operation status code: 200 (connector created successfully), 400 (bad request), 401 (authentication error), 403 (forbidden), 404 (not found), 500 (server error), -1 (parameter error).
• ErrorMessage (string): Error description if the operation fails, empty string on success.

5. Example Usage

This section will guide you through creating a simple workflow to automatically open a new security case in Elastic Security whenever a specific trigger occurs.

The workflow will consist of a Start node, an Elastic Security tool node, and an Answer node.

Step 1: Add the Tool Node

1. In the workflow canvas, click the + button to add a new node.
2. Select the "Tool" tab in the pop-up panel.
3. Find and select Elastic Security from the list of tools.
4. From the list of supported operations for Elastic Security, click on Create a Case. This will add the node to your canvas.

Step 2: Configure the Node

1. Click on the newly added Create a Case node to open its configuration panel on the right.
2. Credentials Configuration: Find the credentials field at the top of the panel. Click the dropdown menu and select the Elastic Security credential you have already configured.
3. Parameter Configuration: Fill in the required input parameters for the operation.
   • Title: Enter a descriptive title for the case. You can use variables from previous nodes. For example: Suspicious Login from {{ $start.body.ip_address }}.
   • Owner: Select the appropriate owner from the dropdown list, such as securitySolution.
   • Description: Provide a detailed description of the incident. This can also include variables for dynamic content. For example: A high-risk login attempt was detected from IP address {{ $start.body.ip_address }} at {{ $start.body.timestamp }}. Please investigate.
   • Severity: (Optional) Set a severity level like high to prioritize the case.

Step 3: Run and Validate

1. Once all required parameters are correctly filled, any error indicators on the node will disappear.
2. Click the "Run" button in the top-right corner of the canvas to execute the workflow.
3. After a successful run, you can click the log icon in the top-right corner to view the detailed inputs and outputs of the node, confirming that the case was created and retrieving its CaseId.

After completing these steps, your workflow is fully configured. When triggered, it will automatically create a new, detailed case in your Elastic Security instance, ready for investigation by your security team.

6. FAQs

Q: What should I do if I receive a 401 Unauthorized or 403 Forbidden error?

A: These errors typically indicate a problem with your API credentials. Please check the following:

• Ensure your API Key is correct and has not expired.
• Verify that the API Key has the necessary permissions (privileges) in Elastic Security to perform the requested action (e.g., create/read/update cases).

Q: Why did my 'Update a Case' operation fail with a 409 Conflict error?

A: A 409 Conflict error occurs when the Version number you provided in the request does not match the current version of the case on the server. This is a concurrency control mechanism to prevent overwriting simultaneous updates. To resolve this, you should first use the Get a Case operation to fetch the latest case details, including the current Version, and then use that Version number in your update request.

Q: How do I format the Config and Secrets parameters for the 'Create a Connector' operation?

A: The Config and Secrets parameters expect a JSON object. You can either pass a valid JSON object directly from a previous node or provide a string that represents a valid JSON. For example, for a simple webhook connector, the Config might be a JSON string like {"url": "https://my.webhook.url/endpoint", "method": "post"}.

7. Official Documentation

For more in-depth information about the Elastic Security API, please refer to the official documentation:

Elastic Security Cases API Documentation