[Security Solution] Tines action connector #140066
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
semd added a commit that referenced this issue on Nov 14, 2022:
## Summary

Issue: #140066
Doc: https://docs.google.com/document/d/14BY-6CIin1CUH5bwJJgfrGl37hWO-CeNMdl_35agpvk/edit?usp=sharing

Create a new connector type that offers a low friction/low effort approach to augmenting Elastic capabilities with the SOAR capabilities of Tines.

## Implementation

The Tines connector implements `subActionConnector`, with 4 subActions configured:

- **stories**: Retrieves the Story objects available to the user from Tines, to render the Story selector options in the params form. It uses the `email` and `token` authentication headers from the configuration. It is requested only when the form opens and when the connector instance changes.
- **webhooks**: Retrieves the Webhook objects available in the Story from Tines, to render the Webhook selector in the params form. It uses the `email` and `token` authentication headers from the configuration and the `story_id` parameter. There is no filter for `type` in the actions (a.k.a. agents) endpoint, so we have to request all actions and filter them by `type === 'Agents::WebhookAgent'` on our side. It is requested every time the selected story changes.
- **run**: The main action execution. It sends the alerts to the configured Tines webhook, using the webhook's `path` and `secret` values. There's no template to render; the data coming from the execution is just pruned (the `kibana` entry is removed from all `context.alerts`) and sent directly to Tines in the same format.
- **test**: The test form execution. It ends up calling **run** but using a parametrized body.

### Pagination

Both the **stories** and **webhooks** subActions need pagination, since Tines does not expose any search endpoint for them. The current hard limit is 100 pages. The `paginatedRequest` function in the connector implementation encapsulates this logic.

## Testing

1. Create a [Tines](https://www.tines.com/) free account.
2. Create a [new Story](https://www.tines.com/docs/quickstart/simple-story) and attach a [Webhook Action](https://www.tines.com/docs/quickstart/creating-an-action) to start receiving events.
3. Create an [API token](https://www.tines.com/api/authentication).
4. Configure the Tines Connector in Kibana using the Tines tenant URL that has been generated in the Tines app, the email used to sign in, and the API token generated. [docs](https://github.com/semd/kibana/blob/140066_tines_connector/docs/management/connectors/action-types/tines.asciidoc#connector-configuration)
5. Attach the Tines Connector to a Detection Rule, selecting the Story and Webhooks created. [docs](https://github.com/semd/kibana/blob/140066_tines_connector/docs/management/connectors/action-types/tines.asciidoc#actions)
6. After each rule execution, events should appear in the Tines webhook action.

## Screenshots

Configure a Tines connector

![tines_connector_selection](https://user-images.githubusercontent.com/17747913/196389019-820aff49-6ad6-442e-a69f-3c782cbd65e6.png)
![tines_connector_config](https://user-images.githubusercontent.com/17747913/198035138-e7f3bb25-ebd1-4cfd-9cc5-b0bfe434c25c.png)

Use the Tines connector

![tines_rule_action](https://user-images.githubusercontent.com/17747913/196389010-c87045a4-2b74-4903-9a81-ccbcff09fbf1.png)
![tine_params_form](https://user-images.githubusercontent.com/17747913/198034501-7e9ad912-111e-48b6-8387-fcf6f0663511.png)

Tines events

![tines_events](https://user-images.githubusercontent.com/17747913/196734338-91e1a397-2d03-4ee6-8ad2-16cb39abe9bf.png)

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios(https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Jonathan Buttner <[email protected]>
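The commit message above describes four subActions, client-side filtering of webhook agents and a 100-page cap on pagination. The TypeScript below is an added illustration of that design and is not code from Kibana or from the Tines connector itself: the `PagedResponse` shape, the `TinesApi` transport seam, the `<tenant>/webhook/<path>/<secret>` URL layout, the in-memory tenant data and the non-webhook agent type name are all assumptions made for the example. It adds one thing the description only implies, a `truncated` flag, so that a tenant with more pages than the hard limit is reported rather than silently cut down to a partial selector list.

```typescript
// Added example, not Kibana's or the Tines connector's own code. The page response
// shape, the TinesApi transport, the webhook URL layout and the sample tenant data
// are assumptions made for illustration.
export interface TinesConfig { url: string; email: string; token: string }
export interface TinesStory { id: number; name: string }
export interface TinesAgent {
  id: number; name: string; type: string; story_id: number;
  options?: { path?: string; secret?: string };
}
export interface TinesWebhook { id: number; name: string; path: string; secret: string }
export interface PagedResponse<T> { items: T[]; totalPages: number } // assumed page shape
export interface AlertContext { alerts: Array<Record<string, unknown>>; [key: string]: unknown }

// Transport seam: a real connector would issue authenticated HTTP requests carrying the
// email/token from `config`; the constructed fake at the bottom stands in for it here.
export interface TinesApi {
  getStoriesPage(config: TinesConfig, page: number): PagedResponse<TinesStory>;
  getAgentsPage(config: TinesConfig, storyId: number, page: number): PagedResponse<TinesAgent>;
  post(url: string, body: unknown): number; // returns the HTTP status code
}

export const MAX_PAGES = 100; // hard limit stated in the commit message
export const WEBHOOK_AGENT_TYPE = 'Agents::WebhookAgent';

// Walk a list endpoint page by page. Stopping at the limit is reported through
// `truncated` instead of quietly handing a partial list to the selector.
export function paginatedRequest<T>(
  fetchPage: (page: number) => PagedResponse<T>,
  maxPages: number = MAX_PAGES
): { items: T[]; truncated: boolean } {
  const items: T[] = [];
  for (let page = 1; page <= maxPages; page++) {
    const res = fetchPage(page);
    items.push(...res.items);
    if (page >= res.totalPages) return { items, truncated: false };
  }
  return { items, truncated: true };
}

// subAction `stories`: every story visible to the authenticated user.
export function getStories(api: TinesApi, config: TinesConfig) {
  return paginatedRequest((page) => api.getStoriesPage(config, page));
}

// subAction `webhooks`: the agents endpoint has no type filter, so filter client-side and
// drop webhook agents that cannot be addressed (missing path or secret).
export function getWebhooks(api: TinesApi, config: TinesConfig, storyId: number): TinesWebhook[] {
  const { items } = paginatedRequest((page) => api.getAgentsPage(config, storyId, page));
  const webhooks: TinesWebhook[] = [];
  for (const agent of items) {
    const path = agent.options?.path;
    const secret = agent.options?.secret;
    if (agent.type !== WEBHOOK_AGENT_TYPE || !path || !secret) continue;
    webhooks.push({ id: agent.id, name: agent.name, path, secret });
  }
  return webhooks;
}

// Remove the `kibana` entry from each alert; everything else is forwarded unchanged.
export function pruneAlerts(context: AlertContext): AlertContext {
  const alerts = context.alerts.map((alert) => {
    const copy: Record<string, unknown> = { ...alert };
    delete copy.kibana;
    return copy;
  });
  return { ...context, alerts };
}

// Assumed URL layout: <tenant url>/webhook/<path>/<secret>.
export function webhookUrl(config: TinesConfig, webhook: TinesWebhook): string {
  return `${config.url.replace(/\/+$/, '')}/webhook/${webhook.path}/${webhook.secret}`;
}

// subAction `run`: post the pruned alerts to the selected webhook.
export function run(api: TinesApi, config: TinesConfig, webhook: TinesWebhook, context: AlertContext): number {
  return api.post(webhookUrl(config, webhook), pruneAlerts(context));
}

// subAction `test`: `run` with a fixed, constructed body.
export function testWebhook(api: TinesApi, config: TinesConfig, webhook: TinesWebhook): number {
  return run(api, config, webhook, { alerts: [{ _id: 'test-alert', kibana: { alert: {} } }] });
}

// Constructed in-memory tenant: 5 stories over 3 pages and 3 agents on story 1. The
// non-webhook agent type name is made up; only WEBHOOK_AGENT_TYPE comes from the page.
export function createFakeTinesApi() {
  const stories: TinesStory[] = [1, 2, 3, 4, 5].map((id) => ({ id, name: `Story ${id}` }));
  const agents: TinesAgent[] = [
    { id: 10, name: 'Inbound webhook', type: WEBHOOK_AGENT_TYPE, story_id: 1, options: { path: 'abc', secret: 's3cr3t' } },
    { id: 11, name: 'Other action', type: 'Agents::ExampleAgent', story_id: 1 },
    { id: 12, name: 'Incomplete webhook', type: WEBHOOK_AGENT_TYPE, story_id: 1, options: { path: 'nosecret' } },
  ];
  const posted: Array<{ url: string; body: unknown }> = [];
  const perPage = 2;
  const slice = <T>(list: T[], page: number): PagedResponse<T> => ({
    items: list.slice((page - 1) * perPage, page * perPage),
    totalPages: Math.ceil(list.length / perPage),
  });
  const api: TinesApi = {
    getStoriesPage: (_config, page) => slice(stories, page),
    getAgentsPage: (_config, storyId, page) => slice(agents.filter((a) => a.story_id === storyId), page),
    post: (url, body) => { posted.push({ url, body }); return 200; },
  };
  return { api, posted };
}
```

With the fake tenant, `getStories` walks three pages and returns all five stories; capping `paginatedRequest` at two pages returns four of them with `truncated` set. `getWebhooks` keeps only the agent whose type matches and which carries both `path` and `secret`, and `run` never forwards a `kibana` entry.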
## Summary

Create a new action connector for Tines.

## Description

Implement an out-of-the-box integration that customers can leverage to send alerts from Elastic to Tines. Users can then take actions or run playbooks (Tines calls them stories, example here) based on these alerts.

Tines provides a webhook action, which is the entry point from SIEMs or other applications. Relevant docs here.

It must provide a low friction/low effort approach to augmenting Elastic capabilities with Tines, eliminating the need for deduplication, formatting, and cleaning in the Tines workflow:

Tines pre-configured Elastic (or any custom) story will need to be created by the user in advance, in order to configure the connector parameters in Kibana:

### Connector definition

Configuration form:

- Auth:

Parameters form:

### Execution

The connector execution must:

### Tasks:

- `sub_action` framework