[Security Solution] [Cases] Swimlane Connector for Cases

[stephmilovic]

Summary

Adapted from an unmerged PR: #95109
Depends on: #101145

Two parter:

1. New action connector, type of .swimlane
2. Add .swimlane as a case connector type

Schema

params

Property	Description	Type
subAction	The subaction to perform. It can be pushToService.	string
subActionParams	The parameters of the subaction.	object

subActionParams (pushToService)

Property	Description	Type
incident	The Swimlane incident.	object
comments	The comments of the case. A comment is of the form { commentId: string, version: string, comment: string }.	object[] (optional)

The following table describes the properties of the incident object.

Property	Description	Type
alertId	The alert id.	string (optional)
ruleName	The rule name.	string (optional)
caseId	The case id of the incident.	string (optional)
caseName	The case name of the incident.	string (optional)
description	The description of the incident.	string (optional)
severity	The severity of the incident.	string (optional)

---

Cases

• 'cases-connector-mappings' are saved to map to caseName for title, description for description and comments for comments
• Actual field mappings are done at runtime by referencing the action config id values for caseName, description, and comments

Screenshots

List of connectors

Create connector: Instance configuration

Create connector: Mapping configuration

Create connector: Type Alerts

Create connector: Type Cases

Create alert

Error message on cases

Warning message on alerts

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)

[cnasikas]

@elasticmachine merge upstream

[cnasikas]

@elasticmachine merge upstream

[pmuellr]

LGTM - I made a few comments for things that looked like they weren't quite finished, or provide more diagnostic data, and a note about the DX on the SwimlaneMappingConfig type

[jonathan-buttner]

Nice work Christos, Steph, and Xavier! I noticed when testing a swimlane connector configured for alerts that it sends over {{rule.name}} and {{alert.id}} (testing through the creation page UI)

The actual values get populated though when a rule runs though:

Mostly just nit comments, and a few questions.

[jonathan-buttner]

I might have missed them but should we add some tests for this case?

[jonathan-buttner]

nit: we could probably get rid of this if by doing return validators[connector.actionTypeId]?.(connector); and have connectorValidator handle undefined | null as input.

[cnasikas]

I think is best to leave the check in a central place. I would like to avoid other developers to wonder what to return if the connector is null. If they return a message it will be a wrong return value.

[jonathan-buttner]

Just a note, we need to talk to the docs team to create this right?

[cnasikas]

I assume it will be created automatically from docs/management/connectors/action-types/swimlane.asciidoc that is included in this PR.

[jonathan-buttner]

Thanks for the comment!

[cnasikas]

I noticed when testing a swimlane connector configured for alerts that it sends over {{rule.name}} and {{alert.id}} (testing through the creation page UI)

Hey @jonathan-buttner! This is the expected behaviour. When you test a connector there is no alert created so that's why you get the mustache variables instead of real values.

[cnasikas]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 2bf467a
• Storybooks Preview
• Documentation Changes

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
cases	255	261	+6
triggersActionsUi	372	385	+13
total			+19

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
cases	507.8KB	516.9KB	+9.1KB
triggersActionsUi	1.7MB	1.7MB	+47.0KB
total			+56.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
cases	126.8KB	129.1KB	+2.3KB
securitySolution	197.7KB	197.7KB	+12.0B
triggersActionsUi	71.3KB	87.5KB	+16.2KB
total			+18.5KB

Unknown metric groups

async chunk count

id	before	after	diff
cases	14	15	+1
triggersActionsUi	60	64	+4
total			+5

History

• 💔 Build #133524 failed e16a51d
• 💚 Build #133316 succeeded c048432
• 💚 Build #133221 succeeded ae9b807
• 💔 Build #132584 failed fc46dcf
• 💔 Build #132505 failed cf9a26e

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[stephmilovic]

yayyyy!!!