[SIEM][CASE] ServiceNow executor

[cnasikas]

Summary

This PR implements a ServiceNow connector where one can create or update incidents to ServiceNow. The action is needed for the Case Management System.

Usage

Create action:

Create a ServiceNow action. See README for more information about the parameters.

Endpoint: api/action
Method: POST

Payload:

{
    "name": "ServiceNow",
    "actionTypeId": ".servicenow",
    "secrets": {
        "username": "username",
        "password": "password"
    },
    "config": {
        "apiUrl": "https://<instance>.service-now.com",
        "casesConfiguration": {
            "mapping": [
                {
                    "source": "title",
                    "target": "short_description",
                    "actionType": "nothing"
                },
                {
                    "source": "description",
                    "target": "description",
                    "actionType": "nothing"
                },
                {
                    "source": "comments",
                    "target": "comments",
                    "actionType": "nothing"
                }
            ]
        }
    }
}

Response:

{
    "id": "6dfba6ca-8efa-442c-9ab8-d91a50e5b430",
    "actionTypeId": ".servicenow",
    "name": "ServiceNow",
    "config": {
        "apiUrl": "https://<instance>.service-now.com",
        "casesConfiguration": {
            "mapping": [
                {
                    "source": "title",
                    "target": "short_description",
                    "actionType": "nothing"
                },
                {
                    "source": "description",
                    "target": "description",
                    "actionType": "nothing"
                },
                {
                    "source": "comments",
                    "target": "comments",
                    "actionType": "nothing"
                }
            ]
        }
    }
}

Create an incident:

Create an incident to ServiceNow. When the incidentId attribute is not in params the executor will create the incident.

Endpoint: api/action/<action_id>/_execute
Method: POST

Payload:

{
    "params": {
    	"caseId": "d4387ac5-0899-4dc2-bbfa-0dd605c934aa",
        "title": "A new incident",
        "description": "A description",
        "comments": [
            {
                "commentId": "b5b4c4d0-574e-11ea-9e2e-21b90f8a9631",
                "version": "WzU3LDFd",
                "comment": "A comment"
            }
        ]
    }
}

Response

{
    "status": "ok",
    "actionId": "f631be57-0a59-4e28-8833-16fc3b309374",
    "data": {
        "incidentId": "7d7aad9c072fc0100e48fbbf7c1ed0c2",
        "number": "INC0010044",
        "pushedDate": "2020-03-10T13:02:59.000Z",
        "comments": [
            {
                "commentId": "b5b4c4d0-574e-11ea-9e2e-21b90f8a9631",
                "pushedDate": "2020-03-10T13:03:00.000Z"
            }
        ]
    }
}

Update an incident:

Update an incident to ServiceNow. When the incidentId attribute is in params the executor will update the incident.

Endpoint: api/action/<action_id>/_execute
Method: POST

Payload:

{
    "params": {
    	"caseId": "d4387ac5-0899-4dc2-bbfa-0dd605c934aa",
        "incidentId": "7d7aad9c072fc0100e48fbbf7c1ed0c2"
        "title": "A new incident",
        "description": "A description",
        "comments": [
            {
                "commentId": "b5b4c4d0-574e-11ea-9e2e-21b90f8a9631",
                "version": "WzU3LDFd",
                "comment": "A comment"
            }
        ]
    }
}

Response

{
    "status": "ok",
    "actionId": "f631be57-0a59-4e28-8833-16fc3b309374",
    "data": {
        "incidentId": "7d7aad9c072fc0100e48fbbf7c1ed0c2",
        "number": "INC0010044",
        "pushedDate": "2020-03-10T13:02:59.000Z",
        "comments": [
            {
                "commentId": "b5b4c4d0-574e-11ea-9e2e-21b90f8a9631",
                "pushedDate": "2020-03-10T13:03:00.000Z"
            }
        ]
    }
}

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[cnasikas]

@elasticmachine merge upstream

[peterschretlen]

• I noticed we don't have any docs regarding ServiceNow within plugins/actions/README.md. @peterschretlen I know you're converting those to asciidoc. Is the README still a place we should add documentation for ServiceNow or you've started something already?

Adding to the README would be great. If there's a README description I will take care of the asciidoc conversion when the time comes.

[YulNaumenko]

LGTM

[cnasikas]

@mikecote @YulNaumenko Thanks a lot for your review. I did a few small changes to the logic of the executor, especially how we treat comments. @mikecote I made the changes you requested.

[mikecote]

LGTM 👍 just one comment about the README.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: c7f4844

History

• 💚 Build #32378 succeeded c7f4844
• 💚 Build #32272 succeeded 5dc8062
• 💔 Build #32239 failed 42110b3
• 💔 Build #32218 failed da2edb952fe2890397025c539b6e3635473ee27d
• 💔 Build #32180 failed 68f9b6c48b6fff213510fb9c456894de49eb316e

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream