Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] [Threat Hunting] [Cases] Allow User to Specify IBM Resilient fields from Cases UI #76222

Open
shimonmodi opened this issue Aug 28, 2020 · 4 comments
Open

[Security Solution] [Threat Hunting] [Cases] Allow User to Specify IBM Resilient fields from Cases UI #76222

shimonmodi opened this issue Aug 28, 2020 · 4 comments
Assignees
@cnasikas
Labels
Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework Feature:Cases Cases feature Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@shimonmodi
Copy link

Describe the feature:
This feature will allow users to specify IBM Resilient incident fields when cases are being sent to Resilient.

Describe a specific use case for the feature:
Elastic's case feature supports analyst workflow to create a case based on an investigation of alerts and events in the Elastic Security solution. Using the case connector feature users can send a case from Elastic to IBM Resilient as an Incident. IBM Resilient offers users a number of different fields that can be set during the Incident creation process. We need to provide a way for users to be able to fill out these IBM Resilient Incident fields from our cases interface. When an analyst is ready to send a case from Elastic to IBM Resilient, they will be provided incident fields that are populated from IBM Resilient data model.

IBM Resilient fields that should be supported (as seen on front end - may be differently defined in REST API):

  • Incident Type
  • Date Discovered
  • Severity

Nice to have:

  • Team Formation Members
  • NIST Attack Vector
  • Incident Disposition

More information here
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@shimonmodi shimonmodi self-assigned this Aug 28, 2020
@cnasikas
Copy link
Member

cnasikas commented Aug 31, 2020
edited
Loading

#74357: Connector & Alerts.

@cnasikas cnasikas mentioned this issue Sep 14, 2020
Merged
7 tasks
@cnasikas
Copy link
Member

cnasikas commented Oct 6, 2020

Incident types and severity were implemented in #77327. The date discovered field is set as the date of the first push from Kibana to IBM Resilient.

@cnasikas cnasikas mentioned this issue Oct 16, 2020
Closed
@MindyRS MindyRS added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Cases Cases feature labels Oct 27, 2020
@cnasikas cnasikas added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework and removed Team:SIEM v7.10.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jul 8, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnasikas cnasikas

Labels
Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework Feature:Cases Cases feature Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MindyRS @cnasikas @shimonmodi @elasticmachine