[Security Solution] [Cases] Swimlane Connector for Cases

x-pack/plugins/actions/README.md

@@ -54,6 +54,10 @@ Table of Contents
       - [`subActionParams (getFields)`](#subactionparams-getfields-2)
       - [`subActionParams (incidentTypes)`](#subactionparams-incidenttypes)
       - [`subActionParams (severity)`](#subactionparams-severity)
+  - [Swimlane](#swimlane)
+    - [`params`](#params-3)
+      - [`subActionParams (pushToService)`](#subactionparams-pushtoservice-3)
+      - [`subActionParams (createRecord)`](#subactionparams-createRecord)
 - [Command Line Utility](#command-line-utility)
 - [Developing New Action Types](#developing-new-action-types)
   - [licensing](#licensing)
@@ -394,6 +398,45 @@ No parameters for the `incidentTypes` subaction. Provide an empty object `{}`.
 
 No parameters for the `severity` subaction. Provide an empty object `{}`.
 
+---
+## Swimlane
+
+
+### `params`
+
+| Property        | Description                                                                                        | Type   |
+| --------------- | -------------------------------------------------------------------------------------------------- | ------ |
+| subAction       | The subaction to perform. It can be `pushToService` or `createRecord`. | string |
+| subActionParams | The parameters of the subaction.                                                                   | object |
+
+#### `subActionParams (createRecord)`
+
+| Property      | Description                                                                                                                  | Type                  |
+| ------------- | ---------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| alertName     | The alert name of the incident.                                                                                                 | string    |
+| alertSource     | The alert source of the incident.                                                                                             | string _(optional)_   |
+| caseId     | The case id of the incident.                                                                                             | string _(optional)_   |
+| caseName     | The case name of the incident.                                                                                             | string _(optional)_   |
+| comments     | The comments of the incident.                                                                                             | string _(optional)_   |
+| severity     | The severity of the incident.                                                                                             | string _(optional)_   |
+
+`subActionParams (pushToService)`
+
+| Property | Description                                                                                                   | Type                  |
+| -------- | ------------------------------------------------------------------------------------------------------------- | --------------------- |
+| incident | The Swimlane incident.                                                                                   | object                |
+| comments | The comments of the case. A comment is of the form `{ commentId: string, version: string, comment: string }`. | object[] _(optional)_ |
+
+The following table describes the properties of the `incident` object.
+
+| Property      | Description                                                                                                                  | Type                  |
+| ------------- | ---------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| alertName     | The alert name of the incident.                                                                                                 | string    |
+| alertSource     | The alert source of the incident.                                                                                             | string _(optional)_   |
+| caseId     | The case id of the incident.                                                                                             | string _(optional)_   |
+| caseName     | The case name of the incident.                                                                                             | string _(optional)_   |
+| comments     | The comments of the incident.                                                                                             | string _(optional)_   |
+| severity     | The severity of the incident.
 ---
 # Command Line Utility
 

x-pack/plugins/actions/server/builtin_action_types/index.test.ts

@@ -21,6 +21,7 @@ const ACTION_TYPE_IDS = [
   '.pagerduty',
   '.server-log',
   '.slack',
+  '.swimlane',
   '.teams',
   '.webhook',
 ];

x-pack/plugins/actions/server/builtin_action_types/index.ts

@@ -12,6 +12,7 @@ import { Logger } from '../../../../../src/core/server';
 import { getActionType as getEmailActionType } from './email';
 import { getActionType as getIndexActionType } from './es_index';
 import { getActionType as getPagerDutyActionType } from './pagerduty';
+import { getActionType as getSwimlaneActionType } from './swimlane';
 import { getActionType as getServerLogActionType } from './server_log';
 import { getActionType as getSlackActionType } from './slack';
 import { getActionType as getWebhookActionType } from './webhook';
@@ -65,6 +66,7 @@ export function registerBuiltInActionTypes({
   );
   actionTypeRegistry.register(getIndexActionType({ logger }));
   actionTypeRegistry.register(getPagerDutyActionType({ logger, configurationUtilities }));
+  actionTypeRegistry.register(getSwimlaneActionType({ logger, configurationUtilities }));
   actionTypeRegistry.register(getServerLogActionType({ logger }));
   actionTypeRegistry.register(getSlackActionType({ logger, configurationUtilities }));
   actionTypeRegistry.register(getWebhookActionType({ logger, configurationUtilities }));

x-pack/plugins/actions/server/builtin_action_types/jira/schema.ts

@@ -25,14 +25,6 @@ export const ExternalIncidentServiceSecretConfigurationSchema = schema.object(
   ExternalIncidentServiceSecretConfiguration
 );
 
-export const ExecutorSubActionSchema = schema.oneOf([
-  schema.literal('getIncident'),
-  schema.literal('pushToService'),
-  schema.literal('handshake'),
-  schema.literal('issueTypes'),
-  schema.literal('fieldsByIssueType'),
-]);
-
 export const ExecutorSubActionPushParamsSchema = schema.object({
   incident: schema.object({
     summary: schema.string(),

x-pack/plugins/actions/server/builtin_action_types/jira/types.ts

@@ -16,10 +16,10 @@ import {
   ExecutorSubActionGetIncidentParamsSchema,
   ExecutorSubActionHandshakeParamsSchema,
   ExecutorSubActionGetCapabilitiesParamsSchema,
-  ExecutorSubActionGetIssueTypesParamsSchema,
   ExecutorSubActionGetFieldsByIssueTypeParamsSchema,
   ExecutorSubActionGetIssuesParamsSchema,
   ExecutorSubActionGetIssueParamsSchema,
+  ExecutorSubActionCommonFieldsParamsSchema,
 } from './schema';
 import { ActionsConfigurationUtilities } from '../../actions_config';
 import { Logger } from '../../../../../../src/core/server';
@@ -124,8 +124,8 @@ export type ExecutorSubActionGetCapabilitiesParams = TypeOf<
   typeof ExecutorSubActionGetCapabilitiesParamsSchema
 >;
 
-export type ExecutorSubActionGetIssueTypesParams = TypeOf<
-  typeof ExecutorSubActionGetIssueTypesParamsSchema
+export type ExecutorSubActionCommonFieldsParams = TypeOf<
+  typeof ExecutorSubActionCommonFieldsParamsSchema
 >;
 
 export type ExecutorSubActionGetFieldsByIssueTypeParams = TypeOf<
@@ -157,12 +157,12 @@ export interface HandshakeApiHandlerArgs extends ExternalServiceApiHandlerArgs {
 
 export interface GetIssueTypesHandlerArgs {
   externalService: ExternalService;
-  params: ExecutorSubActionGetIssueTypesParams;
+  params: ExecutorSubActionCommonFieldsParams;
 }
 
 export interface GetCommonFieldsHandlerArgs {
   externalService: ExternalService;
-  params: ExecutorSubActionGetIssueTypesParams;
+  params: ExecutorSubActionCommonFieldsParams;
 }
 
 export interface GetFieldsByIssueTypeHandlerArgs {

x-pack/plugins/actions/server/builtin_action_types/resilient/schema.ts

@@ -25,14 +25,6 @@ export const ExternalIncidentServiceSecretConfigurationSchema = schema.object(
   ExternalIncidentServiceSecretConfiguration
 );
 
-export const ExecutorSubActionSchema = schema.oneOf([
-  schema.literal('getIncident'),
-  schema.literal('pushToService'),
-  schema.literal('handshake'),
-  schema.literal('incidentTypes'),
-  schema.literal('severity'),
-]);
-
 export const ExecutorSubActionPushParamsSchema = schema.object({
   incident: schema.object({
     name: schema.string(),

x-pack/plugins/actions/server/builtin_action_types/servicenow/schema.ts

@@ -24,14 +24,6 @@ export const ExternalIncidentServiceSecretConfigurationSchema = schema.object(
   ExternalIncidentServiceSecretConfiguration
 );
 
-export const ExecutorSubActionSchema = schema.oneOf([
-  schema.literal('getFields'),
-  schema.literal('getIncident'),
-  schema.literal('pushToService'),
-  schema.literal('handshake'),
-  schema.literal('getChoices'),
-]);
-
 const CommentsSchema = schema.nullable(
   schema.arrayOf(
     schema.object({

x-pack/plugins/actions/server/builtin_action_types/swimlane/api.test.ts

@@ -0,0 +1,96 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { api } from './api';
+import { ExternalService } from './types';
+import { externalServiceMock, recordResponseCreate, recordResponseUpdate } from './mocks';
+import { Logger } from '@kbn/logging';
+let mockedLogger: jest.Mocked<Logger>;
+const params = {
+  alertName: 'alert name',
+  caseName: 'case name',
+  severity: 'critical',
+  alertSource: 'elastic',
+  caseId: '123456',
+  comments: 'some comments',
+};
+describe('api', () => {
+  let externalService: jest.Mocked<ExternalService>;
+
+  beforeEach(() => {
+    externalService = externalServiceMock.create();
+  });
+
+  describe('createRecord', () => {
+    test('it creates a record correctly with a comment', async () => {
+      const res = await api.createRecord({
+        externalService,
+        logger: mockedLogger,
+        params: {
+          alertName: 'alert name',
+          caseName: 'case name',
+          severity: 'critical',
+          alertSource: 'elastic',
+          caseId: '123456',
+          comments: 'some comments',
+        },
+      });
+      expect(res).toEqual(recordResponseCreate);
+    });
+  });
+
+  describe('pushToService', () => {
+    test('it pushes a new record', async () => {
+      const res = await api.pushToService({
+        externalService,
+        logger: mockedLogger,
+        params: {
+          incident: {
+            ...params,
+            externalId: null,
+          },
+          comments: [],
+        },
+      });
+      expect(externalService.createComment).not.toHaveBeenCalled();
+      expect(externalService.createRecord).toHaveBeenCalled();
+      expect(externalService.updateRecord).not.toHaveBeenCalled();
+      expect(res).toEqual(recordResponseCreate);
+    });
+    test('it pushes a new record with a comment', async () => {
+      await api.pushToService({
+        externalService,
+        logger: mockedLogger,
+        params: {
+          incident: {
+            ...params,
+            externalId: null,
+          },
+          comments: [{ comment: 'some comments', commentId: '123' }],
+        },
+      });
+      expect(externalService.createComment).toHaveBeenCalled();
+    });
+    test('updates existing record', async () => {
+      const res = await api.pushToService({
+        externalService,
+        logger: mockedLogger,
+        params: {
+          incident: {
+            ...params,
+            externalId: '1234',
+          },
+          comments: [{ comment: 'some comments', commentId: '123' }],
+        },
+      });
+      expect(externalService.createComment).toHaveBeenCalled();
+      expect(externalService.createRecord).not.toHaveBeenCalled();
+      expect(externalService.updateRecord).toHaveBeenCalled();
+      expect(res).toEqual(recordResponseUpdate);
+    });
+  });
+});

x-pack/plugins/actions/server/builtin_action_types/swimlane/api.ts

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  CreateRecordApiHandlerArgs,
+  ExternalServiceIncidentResponse,
+  ExternalServiceApi,
+  Incident,
+  PushToServiceApiHandlerArgs,
+} from './types';
+
+const createRecordHandler = async ({
+  externalService,
+  params,
+}: CreateRecordApiHandlerArgs): Promise<ExternalServiceIncidentResponse> => {
+  return await externalService.createRecord({ incident: { ...params, externalId: null } });
+};
+
+const pushToServiceHandler = async ({
+  externalService,
+  params,
+}: PushToServiceApiHandlerArgs): Promise<ExternalServiceIncidentResponse> => {
+  const { comments } = params;
+  let res: ExternalServiceIncidentResponse;
+  const incident: Incident = params.incident;
+  if (incident.externalId != null) {
+    res = await externalService.updateRecord({
+      incidentId: incident.externalId,
+      incident,
+    });
+  } else {
+    res = await externalService.createRecord({ incident });
+  }
+
+  const createdDate = new Date().toISOString();
+
+  if (comments && Array.isArray(comments) && comments.length > 0) {
+    for (const currentComment of comments) {
+      await externalService.createComment({
+        incidentId: res.id,
+        comment: currentComment,
+        createdDate,
+      });
+    }
+  }
+
+  return res;
+};
+
+export const api: ExternalServiceApi = {
+  createRecord: createRecordHandler,
+  pushToService: pushToServiceHandler,
+};

x-pack/plugins/actions/server/builtin_action_types/swimlane/helpers.test.ts

@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { MappingConfigType } from './types';
+import { getBodyForEventAction } from './helpers';
+
+describe('Create Record Mapping', () => {
+  let mappingConfig: MappingConfigType;
+  const appId = '45678';
+
+  beforeAll(() => {
+    mappingConfig = {
+      alertSourceConfig: {
+        id: 'adnjls',
+        name: 'Alert Source',
+        key: 'alert-source',
+        fieldType: 'text',
+      },
+      severityConfig: {
+        id: 'adnlas',
+        name: 'Severity',
+        key: 'severity',
+        fieldType: 'text',
+      },
+      alertNameConfig: {
+        id: 'adnfls',
+        name: 'Alert Name',
+        key: 'alert-name',
+        fieldType: 'text',
+      },
+      caseIdConfig: {
+        id: 'a6sst',
+        name: 'Case Id',
+        key: 'case-id-name',
+        fieldType: 'text',
+      },
+      caseNameConfig: {
+        id: 'a6fst',
+        name: 'Case Name',
+        key: 'case-name',
+        fieldType: 'text',
+      },
+      commentsConfig: {
+        id: 'a6fdf',
+        name: 'Comments',
+        key: 'comments',
+        fieldType: 'text',
+      },
+    };
+  });
+
+  test('Mapping is Successful', () => {
+    const params = {
+      alertName: 'Alert Name',
+      severity: 'Critical',
+      alertSource: 'Elastic',
+      caseName: 'Case Name',
+      caseId: 'es3456789',
+      comments: 'This is a comment',
+      externalId: null,
+    };
+    const data = getBodyForEventAction(appId, mappingConfig, params);
+    expect(data?.values?.[mappingConfig.alertSourceConfig?.id ?? 0]).toEqual(params.alertSource);
+    expect(data?.values?.[mappingConfig.alertNameConfig.id]).toEqual(params.alertName);
+    // @ts-ignore
+    expect(data?.values?.[mappingConfig.caseNameConfig.id]).toEqual(params.caseName);
+    expect(data?.values?.[mappingConfig.caseIdConfig?.id ?? 0]).toEqual(params.caseId);
+    // @ts-ignore
+    expect(data?.values?.[mappingConfig.commentsConfig.id]).toEqual(params.comments);
+    expect(data?.values?.[mappingConfig?.severityConfig?.id ?? 0]).toEqual(params.severity);
+  });
+});