@cnasikas (Member) commented Aug 5, 2020

Summary

This PR refactors the Jira connector to be generic. Specifically:

  • Support for IBM Resilient alerts.
  • Creation of two subactions: incidentTypes and severity

When #73778 is merged, the x-pack/plugins/actions/server/builtin_action_types/case folder will be removed in this PR.

UI:

[UI screenshots: 2020-09-02 12-52-22, 2020-09-02 12_58_54]

API

Push incident:

Pushes an incident to Jira

Endpoint: api/actions/action/<action_id>/_execute
Method: POST

Payload:

{
    "params": {
        "subAction": "pushToService",
        "subActionParams": {
            "title": "A title",
            "description": "A description",
            "savedObjectId": "1234",
            "incidentTypes": [
                1001,
                16,
                12
            ],
            "severityCode": 6,
            "comments": [
                {
                    "commentId": "b5b4c4d0-574e-11ea-9e2e-21b90f8a9631",
                    "comment": "A comment"
                },
                {
                    "commentId": "b5b4c4d0-574e-11ea-9e2e-21b90f8a9631",
                    "comment": "Another comment"
                }
            ]
        }
    }
}

Response

{
    "status": "ok",
    "data": {
        "title": "2158",
        "id": "2158",
        "pushedDate": "2020-09-02T09:40:04.640Z",
        "url": "https://ibm-resilient.siem.estc.dev/#incidents/2158",
        "comments": [
            {
                "commentId": "1",
                "pushedDate": "2020-09-02T09:40:06.261Z"
            }
        ]
    },
    "actionId": "a6dbda3d-0c24-472e-bada-a61fa39b146f"
}

Get issue types:

Get all incident types in IBM Resilient.

Endpoint: api/actions/action/<action_id>/_execute
Method: POST

Payload:

{
    "params": {
        "subAction": "incidentTypes",
        "subActionParams": {}
    }
}

Response

{
    "status": "ok",
    "data": [
        {
            "id": 17,
            "name": "Communication error (fax; email)"
        },
        {
            "id": 1001,
            "name": "Custom type"
        },
        {
            "id": 21,
            "name": "Denial of Service"
        },
        {
            "id": 6,
            "name": "Improper disposal: digital asset(s)"
        },
        {
            "id": 7,
            "name": "Improper disposal: documents / files"
        },
        {
            "id": 4,
            "name": "Lost documents / files / records"
        },
        {
            "id": 3,
            "name": "Lost PC / laptop / tablet"
        },
        {
            "id": 1,
            "name": "Lost PDA / smartphone"
        },
        {
            "id": 8,
            "name": "Lost storage device / media"
        },
        {
            "id": 19,
            "name": "Malware"
        },
        {
            "id": 23,
            "name": "Not an Issue"
        },
        {
            "id": 18,
            "name": "Other"
        },
        {
            "id": 22,
            "name": "Phishing"
        },
        {
            "id": 11,
            "name": "Stolen documents / files / records"
        },
        {
            "id": 12,
            "name": "Stolen PC / laptop / tablet"
        },
        {
            "id": 13,
            "name": "Stolen PDA / smartphone"
        },
        {
            "id": 14,
            "name": "Stolen storage device / media"
        },
        {
            "id": 20,
            "name": "System Intrusion"
        },
        {
            "id": 16,
            "name": "TBD / Unknown"
        },
        {
            "id": 15,
            "name": "Vendor / 3rd party error"
        }
    ],
    "actionId": "a6dbda3d-0c24-472e-bada-a61fa39b146f"
}

Get severity:

Get all severity codes in IBM Resilient.

Endpoint: api/actions/action/<action_id>/_execute
Method: POST

Payload:

{
    "params": {
        "subAction": "severity",
        "subActionParams": {}
    }
}

Response

{
    "status": "ok",
    "data": [
        {
            "id": 4,
            "name": "Low"
        },
        {
            "id": 5,
            "name": "Medium"
        },
        {
            "id": 6,
            "name": "High"
        }
    ],
    "actionId": "a6dbda3d-0c24-472e-bada-a61fa39b146f"
}

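As an added example (not code from the PR or from Kibana), the following TypeScript pre-flight check builds the `_execute` bodies described above and validates a `pushToService` payload against the `incidentTypes` and `severity` lists the connector returns, so that an incident is only pushed with IDs IBM Resilient actually knows. The sample lists are copied from the responses quoted in the PR description; the uniqueness check on `commentId` is an assumption, not something the PR states.

```typescript
// Added example (not Kibana code): pre-flight validation of a pushToService
// payload against the incidentTypes and severity lists the connector returns.
interface NamedItem { id: number; name: string }
interface IncidentComment { commentId: string; comment: string }
interface PushParams {
  title: string; description: string; savedObjectId: string;
  incidentTypes: number[]; severityCode: number; comments: IncidentComment[];
}
type SubAction = 'pushToService' | 'incidentTypes' | 'severity';

// Constructed sample data, copied from the responses quoted in the PR description.
const INCIDENT_TYPES: NamedItem[] = [
  { id: 1001, name: 'Custom type' },
  { id: 16, name: 'TBD / Unknown' },
  { id: 12, name: 'Stolen PC / laptop / tablet' },
  { id: 19, name: 'Malware' },
];
const SEVERITY: NamedItem[] = [
  { id: 4, name: 'Low' },
  { id: 5, name: 'Medium' },
  { id: 6, name: 'High' },
];

// Body for POST api/actions/action/<action_id>/_execute; the two lookup
// subactions take empty subActionParams.
function executeBody(subAction: SubAction, subActionParams: object = {}) {
  return { params: { subAction, subActionParams } };
}

// Returns the problems found; an empty array means the payload is safe to push.
function validatePush(p: PushParams, types: NamedItem[], severities: NamedItem[]): string[] {
  const problems: string[] = [];
  const knownTypes = new Set(types.map((t) => t.id));
  for (const id of p.incidentTypes) {
    if (!knownTypes.has(id)) problems.push(`unknown incidentType ${id}`);
  }
  if (!severities.some((s) => s.id === p.severityCode)) {
    problems.push(`unknown severityCode ${p.severityCode}`);
  }
  // Assumption, not stated in the PR: each commentId should appear once per push.
  const seen = new Set<string>();
  for (const c of p.comments) {
    if (seen.has(c.commentId)) problems.push(`duplicate commentId ${c.commentId}`);
    seen.add(c.commentId);
  }
  return problems;
}
```

In a real client the two lists would come from `executeBody('incidentTypes')` and `executeBody('severity')` calls against the same action before `executeBody('pushToService', params)` is sent.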

@cnasikas cnasikas added Team:SIEM v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Platform ResponseOps team (formerly the Cases and Alerting teams) t// v7.10.0 labels Aug 5, 2020
@cnasikas cnasikas self-assigned this Aug 5, 2020
@cnasikas cnasikas force-pushed the refactor_resilient_phase_one branch from 3b6bb94 to a99a0da August 5, 2020 16:24
@cnasikas cnasikas force-pushed the refactor_resilient_phase_one branch from a99a0da to 0a1b5bb August 24, 2020 10:39
@cnasikas cnasikas changed the title [Alerting][Connectors][skip-ci] Refactor IBM Resilient: Generic Implementation (phase one) [Alerting][Connectors] Refactor IBM Resilient: Generic Implementation (phase one) Aug 30, 2020
@cnasikas cnasikas changed the title [Alerting][Connectors] Refactor IBM Resilient: Generic Implementation (phase one) [Alerting][Connectors][skip-ci] Refactor IBM Resilient: Generic Implementation (phase one) Aug 30, 2020
@cnasikas cnasikas force-pushed the refactor_resilient_phase_one branch from 0a1b5bb to dd5afb2 August 30, 2020 18:57
@cnasikas cnasikas force-pushed the refactor_resilient_phase_one branch 2 times, most recently from da1d165 to 5d65f72 September 2, 2020 09:49
@cnasikas cnasikas changed the title [Alerting][Connectors][skip-ci] Refactor IBM Resilient: Generic Implementation (phase one) [Alerting][Connectors] Refactor IBM Resilient: Generic Implementation (phase one) Sep 2, 2020
@cnasikas cnasikas marked this pull request as ready for review September 2, 2020 10:08
@cnasikas cnasikas requested review from a team as code owners September 2, 2020 10:08
@elasticmachine (Contributor): Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@elasticmachine (Contributor): Pinging @elastic/siem (Team:SIEM)

@cnasikas (Member, Author) commented Sep 2, 2020

@elasticmachine merge upstream

@YulNaumenko (Contributor) left a comment

Great work! LGTM overall, but I requested the same changes as for a Jira PR, because we want to keep the code cleaner and are planning to work on the actions functionality improvements and on splitting the responsibilities of connectors and actions. cc @mikecote

@cnasikas cnasikas force-pushed the refactor_resilient_phase_one branch from f52c027 to 2fb4fe0 September 10, 2020 12:50
@YulNaumenko (Contributor) left a comment

LGTM! Just a few nits about whitespace.

@cnasikas (Member, Author)

@elasticmachine merge upstream

@kibanamachine (Contributor)

💚 Build Succeeded

Build metrics

@kbn/optimizer bundle module count

id                   value    diff     baseline
securitySolution     1957     -13      1970
triggers_actions_ui  251      +10      241
total                         -3

async chunks size

id                   value    diff     baseline
securitySolution     10.0MB   -31.8KB  10.0MB
triggers_actions_ui  961.3KB  +66.8KB  894.5KB
total                         +35.0KB

page load bundle size

id                   value    diff     baseline
securitySolution     793.0KB  -16.8KB  809.8KB
triggers_actions_ui  287.4KB  +12.8KB  274.6KB
total                         -4.0KB

distributable file count

id                   value    diff     baseline
default              45520    -2       45522

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@cnasikas cnasikas merged commit 22b4e40 into elastic:master Sep 11, 2020
@cnasikas cnasikas deleted the refactor_resilient_phase_one branch September 11, 2020 07:24
cnasikas added a commit to cnasikas/kibana that referenced this pull request Sep 11, 2020
cnasikas added a commit that referenced this pull request Sep 11, 2020
…tation (phase one) (#74357) (#77264)

Co-authored-by: Elastic Machine <[email protected]>

Co-authored-by: Elastic Machine <[email protected]>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Sep 14, 2020
…s-for-710

* 'master' of github.com:elastic/kibana: (65 commits)
  Separate url forwarding logic and legacy services (elastic#76892)
  Bump yargs-parser to v13.1.2+ (elastic#77009)
  [Ingest Manager] Shared Fleet agent policy action (elastic#76013)
  [Search] Re-add support for aborting when a connection is closed (elastic#76470)
  [Search] Remove long-running query pop-up (elastic#75385)
  [Monitoring] Fix UI error when alerting is not available (elastic#77179)
  do not log plugin id format warning in dist mode (elastic#77134)
  [ML] Improving client side error handling (elastic#76743)
  [Alerting][Connectors] Refactor IBM Resilient: Generic Implementation (phase one) (elastic#74357)
  [Docs] some basic searchsource api docs (elastic#77038)
  add  cGroupOverrides to the legacy config (elastic#77180)
  Change saved object bulkUpdate to work across multiple namespaces (elastic#75478)
  [Security Solution][Resolver] Replace Selectable popover with badges (elastic#76997)
  Removing ml-state index from archive (elastic#77143)
  [Security Solution] Add unit tests for histograms (elastic#77081)
  [Lens] Filters aggregation  (elastic#75635)
  [Enterprise Search] Update WS Overview logic to use new config data (elastic#77122)
  Cleanup type output before building new types (elastic#77211)
  [Security Solution] Use safe type in resolver backend (elastic#76969)
  Use proper lodash syntax (elastic#77105)
  ...

# Conflicts:
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/node_allocation.tsx
@cnasikas (Member, Author) commented Oct 19, 2020

@gchaps

API changes for creating an Jira IBM Resilient connector:

casesConfiguration renamed to incidentConfiguration
Added optional attribute isCaseOwned.

@cnasikas cnasikas added release_note:breaking and removed release_note:skip Skip the PR/issue when compiling release notes labels Oct 19, 2020
@gchaps (Contributor) commented Oct 19, 2020

@cnasikas Do you mean "API changes for creating a IBM Resilient connector"?

@cnasikas (Member, Author)

@gchaps Yes. Sorry, my mistake.

@gchaps (Contributor) commented Oct 20, 2020

@cnasikas As this PR is an API change, I think this should have the label release_note:plugin_api_change instead of release_note:breaking.

@cnasikas (Member, Author)

@gchaps Ok! What is the difference?

@cnasikas cnasikas added release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. and removed release_note:breaking labels Oct 21, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine (Contributor): Pinging @elastic/security-solution (Team: SecuritySolution)
