
[Security Solution] Need generic (webhook) connector for Cases #124687

Closed
4 tasks
MikePaquette opened this issue Feb 4, 2022 · 2 comments
Labels

  • 8.2 candidate (considered, but not committed, for 8.2 release)
  • 8.3 candidate
  • 8.4 candidate
  • epic
  • Feature:Actions/ConnectorTypes (issues related to specific Connector Types on the Actions Framework)
  • Feature:Cases (Cases feature)
  • NeededFor:Security Solution (SIEM, Endpoint, Timeline, Analyzer, Cases)
  • Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams)
  • Team:Threat Hunting:Explore
  • Team:Threat Hunting (Security Solution Threat Hunting Team)
  • Theme: case_soar_connectors (relating to connectors to case, ticket, incident management systems or SOAR solutions)
  • v8.2.0
  • v8.4.0

Comments

MikePaquette commented Feb 4, 2022

Scope: This epic covers the creation of a new generic (webhook?) case connector to allow users to send cases and case updates to a custom third-party case/ticket management system.

Security Solution Initiatives

  • Enable SecOps Workflows via Case Workflow Integration / Case Management
  • Integrate Security-Relevant Data Sources as modules/packages

Security Solution Themes

  • Case / Ticket Management / SOAR Connectors

Problem to solve/Customer Benefit: The vision of Elastic Security for SIEM is to be able to integrate with the various security-related tools that our users have in place within their security operations teams to create workflows that enable them to successfully complete their missions. Typical SOC workflows can be represented by the following sequence:
detect/alert->triage->investigate->escalate->respond

This issue affects escalate and respond workflows.

The Elastic Security and Observability solutions currently provide a set of action connectors that can be used to push/send/update Cases, which have been created in the Stack or solution, to a third-party system.

As of this writing the set of case-capable connectors includes:

  • Jira
  • Service Now ITSM (formerly Service Now)
  • Service Now SecOps/Incident Response
  • IBM Resilient
  • Swimlane

One common challenge faced by operations teams is that they may use custom or home-grown tools for managing or communicating cases, and they'd like to have an easy way to integrate Elastic Cases into these systems. Many of these systems expose APIs for creating/updating cases, and users are willing to "customize" a generic connector to meet the specific requirements of their case/ticket management system.

Brief Description/Workflow: Allow the analyst to push and update cases in an external case/ticket management system for which Elastic has not provided a dedicated case connector.

Dependencies: None

Licensing Level: Gold+ - since this is an external connector, it falls into the category of features that require a paid subscription.

Planned Supportability-level at Introduction: {Experimental, Beta, GA}

Capability Discussion
Provide a generic (webhook?) connector for cases such that, after configuration by the users, users can push/send and update cases in their custom REST API-based external case/ticket management systems.

User Success Criteria
When such a capability is deployed, users will be able to push/send and update cases in their custom external case/ticket management systems

Value/Impact:
This capability will help users integrate Elastic Security into their organization’s ecosystems.

This capability may also be useful in non-security use cases such as Observability.

Meta-Issue-Level Tasks/Release checklist

  • Decide if webhook connector is the right approach
  • If so, enhance webhook connector to support case push/send operation
  • If so, enhance webhook connector to support case update operation
  • Connector works properly with cases from security and observability
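To make the push/send and update operations described above concrete, here is an added example that is not part of this issue and not Kibana's own connector code. It stands up a minimal home-grown case/ticket REST endpoint on localhost and shows the connector side deciding between creating a ticket (first push) and updating the existing one (later pushes), with the receiver checking a shared-secret header so that only the configured connector can open or change tickets. The routes (POST /cases, PUT /cases/<id>), the X-Webhook-Token header, the payload field names and the shared secret are all assumptions chosen for the example.

```python
"""Added example, not code from this issue or from Kibana: a minimal
home-grown case/ticket REST endpoint plus the two outbound operations the
issue asks a generic webhook connector for Cases to perform (push/create
and update). Every route, header and field name below is an assumption."""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed placeholder; a real deployment loads this from secure config.
SHARED_SECRET = "constructed-shared-secret"

# In-memory store standing in for the custom ticket system's database.
TICKETS = {}
COUNTER = {"next": 1000}


class CaseHandler(BaseHTTPRequestHandler):
    """Receiver side: POST /cases creates a ticket, PUT /cases/<id> updates it."""

    def log_message(self, *args):
        pass  # silence default request logging

    def _authorized(self):
        # Constant-time comparison of the shared-secret header.
        token = self.headers.get("X-Webhook-Token", "")
        return hmac.compare_digest(token, SHARED_SECRET)

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _body(self):
        # Always drain the request body before replying, even on rejection.
        length = int(self.headers.get("Content-Length", "0"))
        return json.loads(self.rfile.read(length) or b"{}")

    def do_POST(self):
        fields = self._body()
        if not self._authorized():
            return self._reply(401, {"error": "invalid token"})
        if self.path != "/cases":
            return self._reply(404, {"error": "not found"})
        ticket_id = str(COUNTER["next"])
        COUNTER["next"] += 1
        TICKETS[ticket_id] = fields
        self._reply(201, {"id": ticket_id})

    def do_PUT(self):
        fields = self._body()
        if not self._authorized():
            return self._reply(401, {"error": "invalid token"})
        prefix = "/cases/"
        ticket_id = self.path[len(prefix):] if self.path.startswith(prefix) else ""
        if ticket_id not in TICKETS:
            return self._reply(404, {"error": "unknown ticket"})
        TICKETS[ticket_id].update(fields)  # merge only the changed fields
        self._reply(200, {"id": ticket_id})


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), CaseHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def push_case(base_url, case, token=SHARED_SECRET):
    """Connector side. A case without an external_id is created (POST); one
    that already carries the external_id returned by an earlier push is
    updated (PUT), so repeated pushes never open duplicate tickets."""
    ext_id = case.get("external_id")
    url = f"{base_url}/cases/{ext_id}" if ext_id else f"{base_url}/cases"
    payload = {
        "elastic_case_id": case["id"],  # lets the remote system link back
        "title": case["title"],
        "description": case.get("description", ""),
        "status": case.get("status", "open"),
    }
    req = Request(url, data=json.dumps(payload).encode(),
                  method="PUT" if ext_id else "POST",
                  headers={"Content-Type": "application/json",
                           "X-Webhook-Token": token})
    with urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)["id"]


if __name__ == "__main__":
    server, base = start_server()
    case = {"id": "case-1", "title": "Suspicious sign-in", "status": "open"}
    case["external_id"] = push_case(base, case)  # first push creates
    case["status"] = "closed"
    push_case(base, case)                         # second push updates
    print(TICKETS)
    server.shutdown()
```

The connector keeps the external id it receives on first push and reuses it for updates; that mapping is what lets a generic connector avoid opening a new ticket every time a case changes. The receiver drains the body before rejecting a bad token so the client always sees the 401 rather than a reset connection.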
@MikePaquette MikePaquette added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Cases Cases feature NeededFor:Security Solution SIEM, Endpoint, Timeline, Analyzer, Cases Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework 8.2 candidate considered, but not committed, for 8.2 release labels Feb 4, 2022
elasticmachine (Contributor) commented

Pinging @elastic/response-ops-cases (Feature:Cases)

@MindyRS MindyRS added the Team:Threat Hunting Security Solution Threat Hunting Team label Feb 23, 2022
elasticmachine (Contributor) commented

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

5 participants