
[Security Solution] Webhook - Case Management Connector #131762

Merged
merged 122 commits into from
Jul 26, 2022

Conversation

@stephmilovic (Contributor) commented May 6, 2022

Webhook - Case Management Connector

Webhook - Case Management is a new connector that allows users to add any third party case management system and have it work within the Cases app. This connector is available in Cases, Stack Management > Connectors, but is not available in Rule Actions. It requires the user to fill out endpoint and JSON data to send to the third party system. The endpoints covered are create incident, get incident, update incident, and create comment. The only non-required endpoint is create comment.

Screenshots (images not extracted): Create Connector, Connector Validation, Connector Test, Case Flow, Connector Test - No Comments, Case Flow - No Comments

Test credentials

Jira
ServiceNow

Fields

The configuration for each connector requires the following fields (* indicates required):

  • Connector name*
    • name of connector
    • ex: Jira Webhook
  • Require authentication*
    • If true, a username and password for login type authentication must be provided.
  • Username (only required if require authentication is true*)
    • Username for HTTP basic authentication.
  • Password (only required if require authentication is true*)
    • Password for HTTP basic authentication.
  • Headers
    • A set of key-value pairs sent as headers with the request
    • For given examples, content-type: application/json is needed
  • Create Incident Method
    • Rest API Method to create incident in third party system
    • ex: POST
  • Create Incident URL*
    • Rest API URL to create incident in third party system
    • ex: https://siem-kibana.atlassian.net/rest/api/2/issue
  • Create Incident Object*
    • JSON object to create incident (case.tags field not required)
    • ex:
      {
        "fields": {
          "labels": {{{case.tags}}},
          "summary": {{{case.title}}},
          "description": {{{case.description}}},
          "project":{"key":"ROC"},
          "issuetype":{"id":"10024"}
        }
      }
      
  • Create Incident Response Incident Key*
    • JSON key in create incident response that contains the external incident id
    • ex: id
  • Get Incident URL*
    • API URL to GET incident details JSON from external system.
    • ex: https://siem-kibana.atlassian.net/rest/api/2/issue/{{{external.system.id}}}
  • Get Incident Response External Title Key*
    • JSON key in get incident response that contains the external incident title
    • ex: key
  • Get Incident Response Created Date Key*
    • JSON key in get incident response that contains the date the incident was created.
    • ex: fields.created
  • Get Incident Response Updated Date Key*
    • JSON key in get incident response that contains the date the incident was updated.
    • ex: fields.updated
  • External Incident View URL*
    • URL to view incident in external system.
    • ex: https://siem-kibana.atlassian.net/browse/{{{external.system.title}}}
  • Update Incident Method
    • Rest API Method to update incident in third party system
    • ex: PUT
  • Update Incident URL*
    • API URL to update incident.
    • ex: https://siem-kibana.atlassian.net/rest/api/2/issue/{{{external.system.id}}}
  • Update Incident Object*
    • JSON object to update incident. (case.tags field not required)
    • ex:
      {
        "fields": {
          "labels": {{{case.tags}}},
          "summary": {{{case.title}}},
          "description": {{{case.description}}},
          "project":{"key":"ROC"},
          "issuetype":{"id":"10024"}
        }
      }
      
  • Create Comment Method
    • Rest API Method to update incident in third party system
    • ex: POST
  • Create Comment URL
    • API URL to add comment to incident.
    • ex: https://siem-kibana.atlassian.net/rest/api/2/issue/{{{external.system.id}}}/comment
  • Create Comment Object
    • JSON object to update incident
    • ex:
      {
        "body": {{{case.comment}}}
      }
      

Links

RFC: https://docs.google.com/document/d/16qvY3TmjAiokubAABBf_CVZNH9lFAwU9UXYdfW1M7L0/edit?usp=sharing
Epic: #124687
Customer enhancement requests: https://github.com/elastic/enhancements/issues/15899, https://github.com/elastic/enhancements/issues/14938
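As an added example (not code from this PR or from Kibana), the following shows how the Create Incident Object template and the Get Incident response keys from the Fields list above can be handled: each placeholder is inserted JSON-encoded, so a case title containing quotes or braces cannot change the structure of the request body, URL placeholders are percent-encoded, and dotted keys such as fields.created are read out of the reply. The function names, the sample template string and the sample response are assumptions, not the connector's own API.

```typescript
// Added example (not Kibana's own code): render the connector's JSON request
// templates and read dotted response keys the way the Fields list describes.
// Assumption: a {{{case.x}}} placeholder stands for a whole JSON value, so it
// is inserted JSON-encoded; {{{external.system.id}}} in a URL is percent-encoded.

type CaseVars = Record<string, string | string[] | undefined>;

const PLACEHOLDER = /\{\{\{\s*([\w.]+)\s*\}\}\}/g;

// Body templates: every placeholder becomes the JSON encoding of its value.
// JSON.stringify quotes and escapes strings, so a case title containing
// quotes or braces cannot break out of its JSON string position.
function renderJsonTemplate(template: string, vars: CaseVars): string {
  return template.replace(PLACEHOLDER, (_m, name: string) =>
    JSON.stringify(vars[name] === undefined ? null : vars[name])
  );
}

// URL templates: the value fills one path segment, so percent-encode it.
function renderUrlTemplate(template: string, vars: CaseVars): string {
  return template.replace(PLACEHOLDER, (_m, name: string) =>
    encodeURIComponent(String(vars[name] ?? ''))
  );
}

// Walk a dotted key such as "fields.created" through a parsed response.
function getByPath(obj: unknown, path: string): unknown {
  return path.split('.').reduce<unknown>(
    (cur, key) => (cur !== null && typeof cur === 'object' ? (cur as Record<string, unknown>)[key] : undefined),
    obj
  );
}

// Constructed template in the shape of the PR's Create Incident Object.
const createIncidentTemplate =
  '{"fields":{"labels":{{{case.tags}}},"summary":{{{case.title}}},' +
  '"description":{{{case.description}}},"project":{"key":"ROC"},"issuetype":{"id":"10024"}}}';

// Render and parse; JSON.parse throws if the rendered text is not valid JSON.
function buildCreateIncidentBody(vars: CaseVars): Record<string, unknown> {
  return JSON.parse(renderJsonTemplate(createIncidentTemplate, vars));
}

// Constructed response matching the page's Get Incident response keys
// (title key "key", dates under "fields.created" / "fields.updated").
const sampleGetIncidentResponse: unknown = JSON.parse(
  '{"id":"10042","key":"ROC-7","fields":{"created":"2022-07-26T13:38:00Z","updated":"2022-07-26T16:10:00Z"}}'
);
```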

@stephmilovic (Contributor Author): @elasticmachine merge upstream

@stephmilovic (Contributor Author): @elasticmachine merge upstream

@stephmilovic (Contributor Author): @elasticmachine merge upstream

@kibana-ci (Collaborator)

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Security Solution Tests #1 / Alerts timeline Privileges: can crud "before each" hook for "should allow a user with crud privileges to attach alerts to cases"

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
cases 489 492 +3
triggersActionsUi 575 591 +16
total +19

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
actions 259 261 +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
cases 355.6KB 358.2KB +2.6KB
triggersActionsUi 927.8KB 1014.0KB +86.1KB
total +88.7KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
cases 122.3KB 122.4KB +121.0B
triggersActionsUi 90.6KB 91.6KB +1.0KB
total +1.2KB

Unknown metric groups

API count

id before after diff
actions 264 266 +2

async chunk count

id before after diff
cases 15 16 +1
triggersActionsUi 92 95 +3
total +4

ESLint disabled in files

id before after diff
triggersActionsUi 4 5 +1

ESLint disabled line counts

id before after diff
cases 73 74 +1
triggersActionsUi 184 188 +4
total +5

Total ESLint disabled count

id before after diff
cases 89 90 +1
triggersActionsUi 188 193 +5
total +6

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@angorayc (Contributor) left a comment


Thanks Steph, followed the steps and ran it locally, all worked as expected!

@stephmilovic stephmilovic requested review from jonathan-buttner and cnasikas and removed request for mikecote and cnasikas July 26, 2022 13:38
@jonathan-buttner (Contributor) left a comment


Great work Steph!

@cnasikas (Member) left a comment


Great work Steph! Thank you for addressing our feedback. Some items can be done in another PR. Could you please open an issue for that:

  • The method and the URL are not properly aligned in step 4:

Screenshot 2022-07-25 at 5 44 15 PM

  • Docs
  • Add more unit tests for React components and utility functions
  • Remove real URLs from tests
  • By introducing the isExperimental flag we show the experimental badge. There are some parts in the framework that do not show the experimental flag even though the flag is set. This is a bug in the framework. For example the edit connector flyout or in the connector add flyout

Screenshot 2022-07-26 at 1 16 28 PM

'{"fields":{"title":{{{case.title}}},"description":{{{case.description}}},"tags":{{{case.tags}}},"project":{"key":"ROC"},"issuetype":{"id":"10024"}}}',
createIncidentMethod: CasesWebhookMethods.POST,
createIncidentResponseKey: 'id',
createIncidentUrl: 'https://siem-kibana.atlassian.net/rest/api/2/issue',
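Review bot: createIncidentUrl in this test fixture points at a real tenant, https://siem-kibana.atlassian.net/rest/api/2/issue; use a reserved placeholder host such as https://example.com/rest/api/2/issue so fixtures never reference a live system. The createIncidentJson string above also places {{{case.title}}}, {{{case.description}}} and {{{case.tags}}} directly in JSON value positions with no surrounding quotes, so a test asserting that the rendered body still parses when a title contains quotes or braces would document the escaping the connector relies on.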
Review comment (Member):

We should not commit real URLs in tests.

@@ -85,9 +96,17 @@ const FlyoutHeaderComponent: React.FC<{
</EuiTitle>
)}
</EuiFlexItem>
{actionTypeName && isExperimental && (
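Review bot: the new `{actionTypeName && isExperimental && (` branch in FlyoutHeaderComponent has no accompanying unit test in this hunk; add a render test with isExperimental set that asserts the experimental badge is shown, and one with it unset that asserts the badge is absent, so the framework bug mentioned in the review (badge not appearing in some flyouts) is caught by tests rather than by screenshots.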
Review comment (Member):

A unit test is missing for this case.

@@ -91,6 +93,7 @@ export const ActionTypeMenu = ({
const checkEnabledResult = checkActionTypeEnabled(item.actionType);
const card = (
<EuiCard
betaBadgeProps={item.isExperimental ? betaBadgeProps : undefined}
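Review bot: `betaBadgeProps={item.isExperimental ? betaBadgeProps : undefined}` in ActionTypeMenu is a new conditional with no unit test in this hunk; add a test that renders the menu with an action type whose isExperimental is true and asserts the EuiCard receives betaBadgeProps, plus the inverse case asserting it is undefined.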
Review comment (Member):

A unit test is missing for this case

@stephmilovic stephmilovic merged commit 4f3e554 into elastic:main Jul 26, 2022
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Jul 26, 2022
@MadameSheema MadameSheema deleted the cases_webhook branch July 26, 2022 16:10
@lcawl lcawl added the Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework label Jul 28, 2022
@nastasha-solomon nastasha-solomon added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Aug 1, 2022
@elasticmachine (Contributor)

Pinging @elastic/response-ops (Team:ResponseOps)

Labels
auto-backport Deprecated - use backport:version if exact versions are needed backport:skip This commit does not require backporting Feature:Actions/ConnectorsManagement Issues related to Connectors Management UX Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework needs_docs release_note:feature Makes this part of the condensed release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.4.0