elastic · lgestc · Aug 9, 2024 · Oct 14, 2024 · Oct 24, 2024 · Oct 24, 2024
@@ -169,6 +169,9 @@
     "external_service.pushed_by.full_name",
     "external_service.pushed_by.profile_uid",
     "external_service.pushed_by.username",
+    "observables",
+    "observables.typeKey",
+    "observables.value",
     "owner",
     "settings",
     "settings.syncAlerts",

@@ -585,6 +585,17 @@
           }
         }
       },
+      "observables": {
+        "properties": {
+          "typeKey": {
+            "type": "keyword"
+          },
+          "value": {
+            "type": "keyword"
+          }
+        },
+        "type": "nested"
+      },
       "owner": {
         "type": "keyword"
       },

@@ -73,7 +73,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "canvas-element": "cdedc2123eb8a1506b87a56b0bcce60f4ec08bc8",
         "canvas-workpad": "9d82aafb19586b119e5c9382f938abe28c26ca5c",
         "canvas-workpad-template": "c077b0087346776bb3542b51e1385d172cb24179",
-        "cases": "5433a9f1277f8f17bbc4fd20d33b1fc6d997931e",
+        "cases": "68e529e445a34d0bb61942f73bd4d87134d02ab3",
         "cases-comments": "5cb0a421588831c2a950e50f486048b8aabbae25",
         "cases-configure": "44ed7b8e0f44df39516b8870589b89e32224d2bf",
         "cases-connector-mappings": "f9d1ac57e484e69506c36a8051e4d61f4a8cfd25",

@@ -22,6 +22,8 @@ import {
   INTERNAL_DELETE_FILE_ATTACHMENTS_URL,
   CASE_FIND_ATTACHMENTS_URL,
   INTERNAL_PUT_CUSTOM_FIELDS_URL,
+  INTERNAL_CASE_OBSERVABLES_URL,
+  INTERNAL_CASE_OBSERVABLES_PATCH_URL,
 } from '../constants';
 
 export const getCaseDetailsUrl = (id: string): string => {
@@ -90,3 +92,14 @@ export const getCustomFieldReplaceUrl = (caseId: string, customFieldId: string):
     customFieldId
   );
 };
+
+export const getCaseCreateObservableUrl = (id: string): string => {
+  return INTERNAL_CASE_OBSERVABLES_URL.replace('{case_id}', id);
+};
+
+export const getCaseUpdateObservableUrl = (id: string, observableId: string): string => {
+  return INTERNAL_CASE_OBSERVABLES_PATCH_URL.replace('{case_id}', id).replace(
+    '{observable_id}',
+    observableId
+  );
+};
@@ -83,7 +83,12 @@ export const INTERNAL_DELETE_FILE_ATTACHMENTS_URL =
 export const INTERNAL_GET_CASE_CATEGORIES_URL = `${CASES_INTERNAL_URL}/categories` as const;
 export const INTERNAL_CASE_METRICS_URL = `${CASES_INTERNAL_URL}/metrics` as const;
 export const INTERNAL_CASE_METRICS_DETAILS_URL = `${CASES_INTERNAL_URL}/metrics/{case_id}` as const;
+export const INTERNAL_CASE_SIMILAR_CASES_URL = `${CASES_INTERNAL_URL}/_similar/{case_id}` as const;
 export const INTERNAL_PUT_CUSTOM_FIELDS_URL = `${CASES_INTERNAL_URL}/{case_id}/custom_fields/{custom_field_id}`;
+export const INTERNAL_CASE_OBSERVABLES_URL = `${CASES_INTERNAL_URL}/{case_id}/observables` as const;
+export const INTERNAL_CASE_OBSERVABLES_PATCH_URL =
+  `${INTERNAL_CASE_OBSERVABLES_URL}/{observable_id}` as const;
+
 /**
  * Action routes
  */
@@ -199,6 +204,7 @@ export const DEFAULT_USER_SIZE = 10;
 export const MAX_ASSIGNEES_PER_CASE = 10;
 export const NO_ASSIGNEES_FILTERING_KEYWORD = 'none';
 export const KIBANA_SYSTEM_USERNAME = 'elastic/kibana';
+export const MAX_OBSERVABLES_PER_CASE = 50;
 
 /**
  * Delays
@@ -257,3 +263,41 @@ export const CASES_CONNECTOR_TIME_WINDOW_REGEX = '^[1-9][0-9]*[d,w]$';
  * operation continues, otherwise we throw a 403.
  */
 export const OWNER_FIELD = 'owner';
+
+/**
+ * Exporting an array of built-in observable types for use in the application
+ */
+export const OBSERVABLE_TYPES_BUILTIN = [
+  {
+    label: 'IPv4',
+    key: 'observable-type-ipv4',
+  },
+  {
+    label: 'IPv6',
+    key: 'observable-type-ipv6',
+  },
+  {
+    label: 'URL',
+    key: 'observable-type-url',
+  },
+  {
+    label: 'Domain',
+    key: 'observable-type-domain',
+  },
+  {
+    label: 'Hostname',
+    key: 'observable-type-hostname',
+  },
+  {
+    label: 'File hash',
+    key: 'observable-type-file-hash',
+  },
+  {
+    label: 'File path',
+    key: 'observable-type-file-path',
+  },
+  {
+    label: 'Email',
+    key: 'observable-type-email',
+  },
+];
@@ -25,4 +25,6 @@ export enum CASE_VIEW_PAGE_TABS {
   ALERTS = 'alerts',
   ACTIVITY = 'activity',
   FILES = 'files',
+  OBSERVABLES = 'observables',
+  SIMILAR_CASES = 'similar_cases',
 }
@@ -124,6 +124,7 @@ const basicCase: Case = {
       value: 3,
     },
   ],
+  observables: [],
 };
 
 describe('CasePostRequestRt', () => {
@@ -834,6 +835,13 @@ describe('CasePatchRequestRt', () => {
       `The length of the value is too long. The maximum length is ${MAX_CUSTOM_FIELD_TEXT_VALUE_LENGTH}.`
     );
   });
+
+  it(`does not throw an error when observables are empty`, () => {
+    CasePatchRequestRt.decode({
+      ...defaultRequest,
+      observables: [],
+    });
+  });
 });
 
 describe('CasesPatchRequestRt', () => {

@@ -394,6 +394,23 @@ export const CasesFindResponseRt = rt.intersection([
   CasesStatusResponseRt,
 ]);
 
+export const SimilarityRt = rt.strict({
+  typeKey: rt.string,
+  value: rt.string,
+});
+
+export const SimilarCaseRt = rt.intersection([
+  CaseRt,
+  rt.strict({ similarities: rt.array(SimilarityRt) }),
+]);
+
+export const CasesSimilarResponseRt = rt.strict({
+  cases: rt.array(SimilarCaseRt),
+  page: rt.number,
+  per_page: rt.number,
+  total: rt.number,
+});
+
 /**
  * Delete cases
  */
@@ -452,7 +469,10 @@ export const CasePatchRequestRt = rt.intersection([
   /**
    * The saved object ID and version
    */
-  rt.strict({ id: rt.string, version: rt.string }),
+  rt.strict({
+    id: rt.string,
+    version: rt.string,
+  }),
 ]);
 
 export const CasesPatchRequestRt = rt.strict({
@@ -519,6 +539,8 @@ export const CasesByAlertIDRequestRt = rt.exact(
 
 export const GetRelatedCasesByAlertResponseRt = rt.array(RelatedCaseRt);
 
+export const SimilarCasesSearchRequestRt = paginationSchema({ maxPerPage: MAX_CASES_PER_PAGE });
+
 export type CasePostRequest = rt.TypeOf<typeof CasePostRequestRt>;
 export type CaseResolveResponse = rt.TypeOf<typeof CaseResolveResponseRt>;
 export type CasesDeleteRequest = rt.TypeOf<typeof CasesDeleteRequestRt>;
@@ -542,3 +564,7 @@ export type CaseRequestCustomFields = rt.TypeOf<typeof CaseRequestCustomFieldsRt
 export type CaseRequestCustomField = rt.TypeOf<typeof CustomFieldRt>;
 export type BulkCreateCasesRequest = rt.TypeOf<typeof BulkCreateCasesRequestRt>;
 export type BulkCreateCasesResponse = rt.TypeOf<typeof BulkCreateCasesResponseRt>;
+export type SimilarCasesSearchRequest = rt.TypeOf<typeof SimilarCasesSearchRequestRt>;
+export type CasesSimilarResponse = rt.TypeOf<typeof CasesSimilarResponseRt>;
+export type SimilarCase = rt.TypeOf<typeof SimilarCaseRt>;
+export type SimilarCases = SimilarCase[];
@@ -96,6 +96,24 @@ describe('configure', () => {
       });
     });
 
+    it('has expected attributes in request with observableTypes', () => {
+      const request = {
+        ...defaultRequest,
+        observableTypes: [
+          {
+            key: '371357ae-77ce-44bd-88b7-fbba9c80501f',
+            label: 'Example Label',
+          },
+        ],
+      };
+      const query = ConfigurationRequestRt.decode(request);
+
+      expect(query).toStrictEqual({
+        _tag: 'Right',
+        right: request,
+      });
+    });
+
     it(`limits customFields to ${MAX_CUSTOM_FIELDS_PER_CASE}`, () => {
       const customFields = new Array(MAX_CUSTOM_FIELDS_PER_CASE + 1).fill({
         key: 'text_custom_field',
@@ -171,6 +189,12 @@ describe('configure', () => {
       connector: serviceNow,
       closure_type: 'close-by-user',
       version: 'WzQ3LDFd',
+      observableTypes: [
+        {
+          label: 'Example Label',
+          key: '1e4650b3-b66b-4067-bc5d-6867be6ee73b',
+        },
+      ],
     };
 
     it('has expected attributes in request', () => {

@@ -24,7 +24,11 @@ import {
   CustomFieldNumberTypeRt,
 } from '../../domain';
 import type { Configurations, Configuration } from '../../domain/configure/v1';
-import { ConfigurationBasicWithoutOwnerRt, ClosureTypeRt } from '../../domain/configure/v1';
+import {
+  ConfigurationBasicWithoutOwnerRt,
+  ClosureTypeRt,
+  ObservableTypesConfigurationRt,
+} from '../../domain/configure/v1';
 import { CaseConnectorRt } from '../../domain/connector/v1';
 import { CaseBaseOptionalFieldsRequestRt } from '../case/v1';
 import {
@@ -167,6 +171,7 @@ export const ConfigurationRequestRt = rt.intersection([
     rt.partial({
       customFields: CustomFieldsConfigurationRt,
       templates: TemplatesConfigurationRt,
+      observableTypes: ObservableTypesConfigurationRt,
     })
   ),
 ]);
@@ -192,6 +197,7 @@ export const ConfigurationPatchRequestRt = rt.intersection([
       connector: ConfigurationBasicWithoutOwnerRt.type.props.connector,
       customFields: CustomFieldsConfigurationRt,
       templates: TemplatesConfigurationRt,
+      observableTypes: ObservableTypesConfigurationRt,
     })
   ),
   rt.strict({ version: rt.string }),

@@ -17,6 +17,7 @@ export * from './connector/latest';
 export * from './attachment/latest';
 export * from './metrics/latest';
 export * from './custom_field/latest';
+export * from './observable/latest';
 
 // V1
 export * as configureApiV1 from './configure/v1';
@@ -30,3 +31,4 @@ export * as connectorApiV1 from './connector/v1';
 export * as attachmentApiV1 from './attachment/v1';
 export * as metricsApiV1 from './metrics/v1';
 export * as customFieldsApiV1 from './custom_field/v1';
+export * as observableApiV1 from './observable/v1';
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './v1';
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { AddObservableRequestRt } from './v1';
+
+describe('AddObservableRequestRT', () => {
+  it('has expected attributes in request', () => {
+    const defaultRequest = {
+      observable: {
+        description: undefined,
+        typeKey: 'ef528526-2af9-4345-9b78-046512c5bbd6',
+        value: '[email protected]',
+      },
+    };
+
+    const query = AddObservableRequestRt.decode(defaultRequest);
+
+    expect(query).toStrictEqual({
+      _tag: 'Right',
+      right: defaultRequest,
+    });
+  });
+});
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as rt from 'io-ts';
+import { CaseObservableRt, ObservablePatch } from '../../domain';
+
+/**
+ * Observables
+ */
+
+export const AddObservableRequestRt = rt.strict({
+  observable: ObservablePatch,
+});
+
+export const UpdateObservableRequestRt = rt.strict({
+  observable: ObservablePatch,
+});
+
+export const BulkGetObservablesResponseRt = rt.strict({
+  observables: CaseObservableRt,
+  errors: rt.array(
+    rt.strict({
+      error: rt.string,
+      message: rt.string,
+      status: rt.union([rt.undefined, rt.number]),
+      attachmentId: rt.string,
+    })
+  ),
+});
+
+export type AddObservableRequest = rt.TypeOf<typeof AddObservableRequestRt>;
+export type UpdateObservableRequest = rt.TypeOf<typeof UpdateObservableRequestRt>;
+
+export type ObservableRequest = AddObservableRequest;
@@ -91,6 +91,7 @@ const basicCase = {
       value: 0,
     },
   ],
+  observables: [],
 };
 
 describe('RelatedCaseRt', () => {
@@ -204,6 +205,7 @@ describe('CaseAttributesRt', () => {
         value: 0,
       },
     ],
+    observables: [],
   };
 
   it('has expected attributes in request', () => {