
[Security Solution][Case] ServiceNow SIR Connector #88655

Merged (47 commits), Feb 9, 2021

Conversation

cnasikas

@cnasikas cnasikas commented Jan 19, 2021

Summary

Release Notes: Adds ServiceNow SIR case connector

This PR implements the case's fields for the ServiceNow SIR connector.

Create case:

Create.case.SIR.mp4

Push case to SIR:

SIR.push.mp4

Technical details:

  • Merge routes api/cases/configure/connectors/<connector_id>/push and api/cases/<case_id>/_push into one route. The new route endpoint is case/<case_id>/connector/<connector_id>/_push.
  • Moved all push-to-external-incident logic from the front-end to the back-end.
  • Create ServiceNow SIR case fields.
  • Move Case settings registry to the x-pack/plugins/security_solution/public/cases/components/connectors folder.
  • Rename Case settings registry to Case connectors registry.
  • Get fields of ServiceNow ITSM connector dynamically. It uses the new sub action getChoices introduced in [Alerts] ServiceNow SIR Connector #88190.
  • Add mapping for ServiceNow SIR.
  • Enhanced code to support external service formatters for each connector. Each service formatter has access to all alerts attached to the case.
  • Rename ServiceNow SIR to ServiceNow SecOps.
  • Create get case client method. It returns a case.
  • Create getUserActions case client method. It returns the case's user actions.
  • Create getAlerts case client method. It returns the requested alerts.
  • Push comments of ServiceNow SIR to work_notes.
  • Create push case client method. It pushes a case to an external service.
  • Alert fields destination.ip, source.ip, file.hash.sha256, and url.full are pushed to ServiceNow SIR as dest_ip, source_ip, malware_hash, and malware_url respectively. The values of the fields are constructed from all alerts attached to a case. Example dest_ip: 192.168.1.1,192.168.1.2,...

Depends on #88190

Meta issue: #82676

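The last bullet above describes how the SIR fields are built from every alert attached to a case. The following is an added illustration, not code from this PR or from Kibana: it assumes an `Alert` record shape, a `getField` helper that accepts both nested and flattened ECS documents, and a `SIR_FIELD_MAPPING` table taken from the field names in the bullet.

```typescript
// Added example (not the PR's own code): build the ServiceNow SIR fields
// dest_ip, source_ip, malware_hash and malware_url from all alerts attached
// to a case. Alert shape and getField are assumptions for illustration.
type Alert = Record<string, unknown>;

// Alert field (dotted ECS path) -> ServiceNow SIR field, as listed in the PR.
const SIR_FIELD_MAPPING: Record<string, string> = {
  'destination.ip': 'dest_ip',
  'source.ip': 'source_ip',
  'file.hash.sha256': 'malware_hash',
  'url.full': 'malware_url',
};

// Resolve a dotted path against an alert that may be nested
// ({ destination: { ip: '...' } }) or flattened ({ 'destination.ip': '...' }).
function getField(alert: Alert, path: string): unknown {
  if (path in alert) return alert[path];
  let cur: unknown = alert;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Record<string, unknown>)[key];
  }
  return cur;
}

// Returns e.g. { dest_ip: '192.168.1.1,192.168.1.2', ... }: values are
// deduplicated, kept in first-seen order and comma-joined; alerts lacking a
// field contribute nothing, so a missing value never becomes an empty token.
function formatSirFields(alerts: Alert[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [alertField, sirField] of Object.entries(SIR_FIELD_MAPPING)) {
    const seen = new Set<string>();
    for (const alert of alerts) {
      const value = getField(alert, alertField);
      // ECS fields may be multi-valued, so accept arrays as well as scalars.
      const values = Array.isArray(value) ? value : [value];
      for (const v of values) {
        if (typeof v === 'string' && v.trim() !== '') seen.add(v.trim());
      }
    }
    out[sirField] = Array.from(seen).join(',');
  }
  return out;
}

// Constructed sample alerts (not real data): nested, flattened and multi-valued.
const SAMPLE_ALERTS: Alert[] = [
  { destination: { ip: '192.168.1.1' }, source: { ip: '10.0.0.5' }, file: { hash: { sha256: 'a'.repeat(64) } } },
  { 'destination.ip': '192.168.1.2', 'source.ip': '10.0.0.5', url: { full: 'http://example.test/x' } },
  { destination: { ip: ['192.168.1.1', '192.168.1.3'] } },
];
```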

@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch from 9b60537 to 222688f Compare January 21, 2021 09:10
@cnasikas cnasikas changed the title [Security Solution][Case][skip-ci] ServiceNow SIR Connector [Security Solution][Case] ServiceNow SIR Connector Jan 21, 2021
@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch 3 times, most recently from f7e6bd4 to 277b184 Compare January 25, 2021 11:22
@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch 4 times, most recently from fe99938 to 961ba01 Compare February 1, 2021 08:56
@cnasikas cnasikas self-assigned this Feb 2, 2021
@cnasikas cnasikas added release_note:feature Makes this part of the condensed release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team v7.12.0 v8.0.0 labels Feb 2, 2021
@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch 2 times, most recently from 42e992b to c3549f0 Compare February 2, 2021 13:04
@cnasikas cnasikas changed the title [Security Solution][Case] ServiceNow SIR Connector [Security Solution][Case][skip-ci] ServiceNow SIR Connector Feb 2, 2021
@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch 2 times, most recently from f8c4c49 to 81b2189 Compare February 3, 2021 12:35
@cnasikas cnasikas changed the title [Security Solution][Case][skip-ci] ServiceNow SIR Connector [Security Solution][Case] ServiceNow SIR Connector Feb 3, 2021
@cnasikas cnasikas marked this pull request as ready for review February 3, 2021 14:38
@cnasikas cnasikas requested review from a team as code owners February 3, 2021 14:38
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@cnasikas cnasikas added the release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. label Feb 3, 2021

@YulNaumenko YulNaumenko left a comment


Alerting related changes LGTM.

@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch from 67ff678 to 3e3bb25 Compare February 8, 2021 08:44

@XavierM XavierM left a comment


Really exciting feature for our users; as always, your code is clean and readable. Thanks a lot for getting this new connector in.

@cnasikas cnasikas requested review from a team as code owners February 9, 2021 07:34
@cnasikas cnasikas force-pushed the cases_servicenow_sir_fields branch from 6601a48 to 47ef8e5 Compare February 9, 2021 08:16
@cnasikas cnasikas merged commit a0d4b04 into elastic:master Feb 9, 2021
@cnasikas cnasikas deleted the cases_servicenow_sir_fields branch February 9, 2021 10:28
jloleysens added a commit to jloleysens/kibana that referenced this pull request Feb 9, 2021
…timeline-and-rollover-info

* 'master' of github.com:elastic/kibana: (47 commits)
  [Fleet] Use TS project references (elastic#87574)
  before/beforeEach clean up (elastic#90663)
  [Vega] user should be able to set a specific tilemap service using the mapStyle property (elastic#88440)
  [Security Solution][Case] ServiceNow SIR Connector (elastic#88655)
  [Search Sessions] Enable extend from management (elastic#90558)
  [ILM] Delete phase redesign (rework) (elastic#90291)
  [APM-UI][E2E] use withGithubStatus step (elastic#90651)
  Add folding in kb-monaco and update some viewers (elastic#90152)
  [Grok Debugger] Changed test to wait for grok debugger container to exist to fix test flakiness (elastic#90543)
  Strongly typed EUI theme for styled-components (elastic#90106)
  Fix vega renovate label (elastic#90591)
  [Uptime] Migrate to TypeScript project references (elastic#90510)
  [Monitoring] Migrate data source for legacy alerts to monitoring data directly (elastic#87377)
  [Upgrade Assistant] Add A11y Tests (elastic#90265)
  [Time to Visualize] Adds functional tests for linking/unlinking panel from embeddable library (elastic#89612)
  [dev-utils/ship-ci-stats] fail when CI stats is down (elastic#90678)
  chore(NA): remove write permissions on Bazel remote cache for PRs (elastic#90652)
  chore(NA): move bazel workspace status from bash script into nodejs executable (elastic#90560)
  Use default ES distribution for functional tests (elastic#88737)
  [Alerts] Jira: Disallow labels with spaces (elastic#90548)
  ...

# Conflicts:
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/timeline/timeline.tsx
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/lib/absolute_timing_to_relative_timing.test.ts
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/lib/absolute_timing_to_relative_timing.ts
cnasikas added a commit that referenced this pull request Feb 9, 2021
@kibanamachine

kibanamachine commented Mar 16, 2021

💔 Build Failed

Failed CI Steps

Metrics [docs]

‼️ ERROR: metrics for 47ef8e5 were not reported

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream
