Implement functionality to add observables, procedures and custom fields to alerts for TheHive

docs/reference/connectors-kibana/thehive-action-type.md

@@ -70,6 +70,10 @@ Description
 Severity
 :   The severity of the incident: `LOW`, `MEDIUM`, `HIGH` or `CRITICAL`.
 
+    ::::{note}
+    While creating an alert, use the Keep severity from rule toggle to create an alert with the rule's severity. If the rule does not have a defined severity, the alert will have the default MEDIUM severity.
+    ::::
+
 TLP
 :   The traffic light protocol designation for the incident: `CLEAR`, `GREEN`, `AMBER`, `AMBER+STRICT` or `RED`.
 
@@ -88,6 +92,27 @@ Source
 Source reference
 :   A source reference for the alert.
 
+Body
+:   A Json payload specifying additional parameter, such as observables and procedures. It can be populated using a predefined template or customized using the `Custom Template` option. For example:
+
+    ```json
+    {
+      "observables": [
+        {
+          "dataType": "url",
+          "data": "http://example.org"
+        }
+      ],
+      "procedures": [
+        {
+          "patternId": "TA0001",
+          "occurDate": 1640000000000,
+          "tactic": "tactic-name"
+        }
+      ]
+    }
+    ```
+
 ## Connector networking configuration [thehive-connector-networking-configuration]
 
 Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.

x-pack/platform/plugins/shared/stack_connectors/common/thehive/schema.ts

@@ -55,8 +55,10 @@ export const ExecutorSubActionCreateAlertParamsSchema = schema.object({
   source: schema.string(),
   sourceRef: schema.string(),
   severity: schema.nullable(schema.number({ defaultValue: TheHiveSeverity.MEDIUM })),
+  isRuleSeverity: schema.nullable(schema.boolean({ defaultValue: false })),
   tlp: schema.nullable(schema.number({ defaultValue: TheHiveTLP.AMBER })),
   tags: schema.nullable(schema.arrayOf(schema.string())),
+  body: schema.nullable(schema.string()),
 });
 
 export const ExecutorParamsSchema = schema.oneOf([

x-pack/platform/plugins/shared/stack_connectors/public/connector_types/thehive/params.test.tsx

@@ -9,7 +9,7 @@ import React from 'react';
 import { fireEvent, render } from '@testing-library/react';
 import { ActionConnector } from '@kbn/triggers-actions-ui-plugin/public/types';
 import TheHiveParamsFields from './params';
-import { SUB_ACTION } from '../../../common/thehive/constants';
+import { SUB_ACTION, TheHiveSeverity } from '../../../common/thehive/constants';
 import { ExecutorParams, ExecutorSubActionPushParams } from '../../../common/thehive/types';
 
 describe('TheHiveParamsFields renders', () => {
@@ -69,7 +69,7 @@ describe('TheHiveParamsFields renders', () => {
       'subActionParams',
       {
         tlp: 2,
-        severity: 2,
+        severity: TheHiveSeverity.MEDIUM,
         tags: [],
         sourceRef: '{{alert.uuid}}',
       },

x-pack/platform/plugins/shared/stack_connectors/public/connector_types/thehive/params.tsx

@@ -9,7 +9,7 @@ import React, { useState, useEffect, useRef, useMemo } from 'react';
 import { ActionParamsProps, ActionConnectorMode } from '@kbn/triggers-actions-ui-plugin/public';
 import { EuiFormRow, EuiSelect } from '@elastic/eui';
 import { eventActionOptions } from './constants';
-import { SUB_ACTION } from '../../../common/thehive/constants';
+import { SUB_ACTION, TheHiveSeverity } from '../../../common/thehive/constants';
 import { ExecutorParams } from '../../../common/thehive/types';
 import { TheHiveParamsAlertFields } from './params_alert';
 import { TheHiveParamsCaseFields } from './params_case';
@@ -80,7 +80,7 @@ const TheHiveParamsFields: React.FunctionComponent<ActionParamsProps<ExecutorPar
       eventActionType === SUB_ACTION.CREATE_ALERT
         ? {
             tlp: 2,
-            severity: 2,
+            severity: TheHiveSeverity.MEDIUM,
             tags: [],
             sourceRef: isTest ? undefined : '{{alert.uuid}}',
           }
@@ -123,6 +123,7 @@ const TheHiveParamsFields: React.FunctionComponent<ActionParamsProps<ExecutorPar
           index={index}
           errors={errors}
           messageVariables={messageVariables}
+          executionMode={executionMode}
         />
       )}
     </>

x-pack/platform/plugins/shared/stack_connectors/public/connector_types/thehive/params_alert.test.tsx

@@ -18,10 +18,12 @@ describe('TheHiveParamsFields renders', () => {
     description: 'description test',
     tlp: 2,
     severity: 2,
+    isRuleSeverity: false,
     tags: ['test1'],
     source: 'source test',
     type: 'sourceType test',
     sourceRef: 'sourceRef test',
+    body: null,
   };
   const actionParams: ExecutorParams = {
     subAction: SUB_ACTION.CREATE_ALERT,

x-pack/platform/plugins/shared/stack_connectors/public/connector_types/thehive/params_alert.tsx

@@ -10,8 +10,10 @@ import {
   TextFieldWithMessageVariables,
   TextAreaWithMessageVariables,
   ActionParamsProps,
+  JsonEditorWithMessageVariables,
+  ActionConnectorMode,
 } from '@kbn/triggers-actions-ui-plugin/public';
-import { EuiFormRow, EuiSelect, EuiComboBox } from '@elastic/eui';
+import { EuiFormRow, EuiSelect, EuiComboBox, EuiSwitch } from '@elastic/eui';
 import { ExecutorParams, ExecutorSubActionCreateAlertParams } from '../../../common/thehive/types';
 import { severityOptions, tlpOptions } from './constants';
 import * as translations from './translations';
@@ -22,6 +24,7 @@ export const TheHiveParamsAlertFields: React.FC<ActionParamsProps<ExecutorParams
   index,
   errors,
   messageVariables,
+  executionMode,
 }) => {
   const alert = useMemo(
     () =>
@@ -33,12 +36,14 @@ export const TheHiveParamsAlertFields: React.FC<ActionParamsProps<ExecutorParams
       } as unknown as ExecutorSubActionCreateAlertParams),
     [actionParams.subActionParams]
   );
+  const isTest = executionMode === ActionConnectorMode.Test;
 
   const [severity, setSeverity] = useState(alert.severity ?? severityOptions[1].value);
   const [tlp, setTlp] = useState(alert.tlp ?? tlpOptions[2].value);
   const [selectedOptions, setSelected] = useState<Array<{ label: string }>>(
     alert.tags?.map((tag) => ({ label: tag })) ?? []
   );
+  const [isRuleSeverity, setIsRuleSeverity] = useState<boolean>(Boolean(alert.isRuleSeverity));
 
   const onCreateOption = (searchValue: string) => {
     setSelected([...selectedOptions, { label: searchValue }]);
@@ -149,22 +154,46 @@ export const TheHiveParamsAlertFields: React.FC<ActionParamsProps<ExecutorParams
         }}
         errors={errors['createAlertParam.sourceRef'] as string[]}
       />
-      <EuiFormRow fullWidth label={translations.SEVERITY_LABEL}>
-        <EuiSelect
-          fullWidth
-          data-test-subj="severitySelectInput"
-          value={severity}
-          options={severityOptions}
-          onChange={(e) => {
-            editAction(
-              'subActionParams',
-              { ...alert, severity: parseInt(e.target.value, 10) },
-              index
-            );
-            setSeverity(parseInt(e.target.value, 10));
-          }}
-        />
-      </EuiFormRow>
+      {!isTest && Boolean(isRuleSeverity) && (
+        <EuiFormRow fullWidth>
+          <EuiSwitch
+            label={translations.IS_RULE_SEVERITY_LABEL}
+            checked={Boolean(isRuleSeverity)}
+            compressed={true}
+            data-test-subj="rule-severity-toggle"
+            onChange={(e) => {
+              setIsRuleSeverity(e.target.checked);
+              editAction(
+                'subActionParams',
+                {
+                  ...alert,
+                  isRuleSeverity: e.target.checked,
+                },
+                index
+              );
+            }}
+          />
+        </EuiFormRow>
+      )}
+      {!Boolean(isRuleSeverity) && (
+        <EuiFormRow fullWidth label={translations.SEVERITY_LABEL}>
+          <EuiSelect
+            fullWidth
+            data-test-subj="severitySelectInput"
+            disabled={isRuleSeverity}
+            value={severity}
+            options={severityOptions}
+            onChange={(e) => {
+              editAction(
+                'subActionParams',
+                { ...alert, severity: parseInt(e.target.value, 10) },
+                index
+              );
+              setSeverity(parseInt(e.target.value, 10));
+            }}
+          />
+        </EuiFormRow>
+      )}
       <EuiFormRow fullWidth label={translations.TLP_LABEL}>
         <EuiSelect
           fullWidth
@@ -187,6 +216,26 @@ export const TheHiveParamsAlertFields: React.FC<ActionParamsProps<ExecutorParams
           noSuggestions
         />
       </EuiFormRow>
+      {alert.body != null && (
+        <JsonEditorWithMessageVariables
+          messageVariables={messageVariables}
+          paramsProperty={'body'}
+          inputTargetValue={alert.body}
+          label={translations.BODY_LABEL}
+          ariaLabel={translations.BODY_DESCRIPTION}
+          errors={errors.body as string[]}
+          onDocumentsChange={(json: string) =>
+            editAction('subActionParams', { ...alert, body: json }, index)
+          }
+          dataTestSubj="thehive-body"
+          onBlur={() => {
+            if (!alert.body) {
+              editAction('subActionParams', { ...alert, body: null }, index);
+            }
+          }}
+          isOptionalField
+        />
+      )}
     </>
   );
 };

x-pack/platform/plugins/shared/stack_connectors/public/connector_types/thehive/thehive.test.tsx

@@ -92,6 +92,19 @@ describe('thehive createAlert action params validation', () => {
         type: 'type test',
         source: 'source test',
         sourceRef: 'source reference test',
+        body: JSON.stringify(
+          {
+            observables: [
+              {
+                dataType: 'ip',
+                data: '127.0.0.1',
+                tags: ['source.ip'],
+              },
+            ],
+          },
+          null,
+          2
+        ),
       },
       comments: [],
     };

x-pack/platform/plugins/shared/stack_connectors/public/connector_types/thehive/translations.ts

@@ -60,6 +60,13 @@ export const TLP_LABEL = i18n.translate(
   }
 );
 
+export const IS_RULE_SEVERITY_LABEL = i18n.translate(
+  'xpack.stackConnectors.components.thehive.isRuleSeverityToggleLabel',
+  {
+    defaultMessage: 'Use severity assigned to the rule',
+  }
+);
+
 export const SEVERITY_LABEL = i18n.translate(
   'xpack.stackConnectors.components.thehive.severitySelectFieldLabel',
   {
@@ -102,6 +109,34 @@ export const SOURCE_REF_LABEL = i18n.translate(
   }
 );
 
+export const TEMPLATE_LABEL = i18n.translate(
+  'xpack.stackConnectors.components.thehive.templateFieldLabel',
+  {
+    defaultMessage: 'Template',
+  }
+);
+
+export const BODY_LABEL = i18n.translate(
+  'xpack.stackConnectors.components.thehive.bodyFieldLabel',
+  {
+    defaultMessage: 'Body',
+  }
+);
+
+export const BODY_DESCRIPTION = i18n.translate(
+  'xpack.stackConnectors.components.thehive.bodyFieldDescription',
+  {
+    defaultMessage: 'Code Editor',
+  }
+);
+
+export const SELECT_BODY_TEMPLATE_POPOVER_BUTTON = i18n.translate(
+  'xpack.stackConnectors.components.thehive.selectBodyTemplatePopoverButton',
+  {
+    defaultMessage: 'Select body template',
+  }
+);
+
 export const TITLE_REQUIRED = i18n.translate(
   'xpack.stackConnectors.components.thehive.requiredTitleText',
   {