[SIEM] [Case] Service Now Kibana Action

[stephmilovic]

Summary

Resolves #53891

Kibana action for posting new incidents to Service Now.

Testing instructions:

You will need an instance of ServiceNow. Either create your own, or @stephmilovic has an instance that falls asleep after 24 hours. Slack me if it has fallen asleep and I can wake it. The url and credentials for that instance are here.

1. POST a new ServiceNow Kibana action with your credentials:
   POST http://localhost:5601/api/action

{
 "name": "name-your-servicenow-action",
 "actionTypeId": ".servicenow",
 "secrets": {
 	"username": "username",
 	"password": "password"
 },
 "config": {
 	"apiUrl": "https://your-service-now-url.com"
 }
}

2. Use the id returned from your successful Kibana action POST to create a new service now incident.
   POST http://localhost:5601/api/action/123-the-kbn-action-id/_execute

{
    "params": {
        "short_description": "Test incident creation through Kibana actions",
        "comments": "These are my comments"
    }
}

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

• This was checked for cross-browser compatibility, including a check against IE11
• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately
• This includes a feature addition or change that requires a release note and was labeled appropriately

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[stephmilovic]

@elasticmachine merge upstream

[pmuellr]

LGTM, thx!

I noted that since the url to ServiceNow is configurable, a FTS simulator endpoint for ServiceNow should be created, so we can add some FT tests. Feel free to create an issue to do that, not really required for the PR, but would be happy to see it. Note the newly created issue in this PR.

[pmuellr]

@stephmilovic did you want this merged for 7.6? (sorry, I prolly already asked but can't find it ATM). I'd like another reviewer, but the usual reviewers won't be available till just before FF. I could round up someone else tho, LMK.

[peterschretlen]

Looks great! Just curious what you think about additional fields. If we don't need those, I think the server-side code is good to go.

It would be great if you could add this to the list of built-in types in actions/README.md with some docs on the parameters.

Do you intend to do the UI portion as well (as a separate PR, not here) ?

[stephmilovic]

Looks great! Just curious what you think about additional fields. If we don't need those, I think the server-side code is good to go.

It would be great if you could add this to the list of built-in types in actions/README.md with some docs on the parameters.

Do you intend to do the UI portion as well (as a separate PR, not here) ?

@peterschretlen Thanks for the review! I am building out a Case Management workflow for SIEM, which will include third party integrations such as ServiceNow. As we are doing a little planning while developing, I only included the comments and short_description fields for this ServiceNow plugin as the product team hammers out which fields we sill actually use. I was going to come back to add these in a separate PR, unless you think I should just include all available fields as optional? My concern with that... if you look at what the ServiceNow incident JSON looks like (response on the right column), there are about 90 fields we can post. Would you want me to include all of those? SIEM will probably use 2-3 in the Case Management MVP. #50103

[peterschretlen]

Discussed with @stephmilovic. It sounds like more incident fields will be taken into consideration later, but for the MVP only comments and short description are needed. We'll use the minimal set for now, add additional fields if/when needed.

[peterschretlen]

LGTM

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: cd17532

History

• 💔 Build #20629 failed 38ab128
• 💚 Build #18761 succeeded 17dc225
• 💚 Build #18209 succeeded 25fcdb7
• 💔 Build #18113 failed d7215c9
• 💔 Build #17573 failed 958ece5

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[cnasikas]

Kibana's Actions Documentation moved here.