[Connectors] ServiceNow ITSM & SIR Application

docs/developer/plugin-list.asciidoc

@@ -362,7 +362,8 @@ The plugin exposes the static DefaultEditorController class to consume.
 
 
 |{kib-repo}blob/{branch}/x-pack/plugins/cases/README.md[cases]
-|Case management in Kibana
+|[![Issues][issues-shield]][issues-url]
+[![Pull Requests][pr-shield]][pr-url]
 
 
 |{kib-repo}blob/{branch}/x-pack/plugins/cloud/README.md[cloud]

docs/management/action-types.asciidoc

@@ -35,10 +35,14 @@ a| <<server-log-action-type, ServerLog>>
 
 | Add a message to a Kibana log.
 
-a| <<servicenow-action-type, ServiceNow>>
+a| <<servicenow-action-type, ServiceNow ITSM>>
 
 | Create an incident in ServiceNow.
 
+a| <<servicenow-sir-action-type, ServiceNow SecOps>>
+
+| Create a security incident in ServiceNow.
+
 a| <<slack-action-type, Slack>>
 
 | Send a message to a Slack channel or user.

docs/management/connectors/action-types/servicenow-sir.asciidoc

@@ -0,0 +1,89 @@
+[role="xpack"]
+[[servicenow-sir-action-type]]
+=== ServiceNow connector and action
+++++
+<titleabbrev>ServiceNow SecOps</titleabbrev>
+++++
+
+The ServiceNow SecOps connector uses the https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/inbound-rest/concept/c_TableAPI.html[V2 Table API] to create ServiceNow security incidents.
+
+[float]
+[[servicenow-sir-connector-configuration]]
+==== Connector configuration
+
+ServiceNow SecOps connectors have the following configuration properties.
+
+Name::      The name of the connector. The name is used to identify a  connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
+URL::       ServiceNow instance URL.
+Username::  Username for HTTP Basic authentication.
+Password::  Password for HTTP Basic authentication.
+
+The ServiceNow user requires at minimum read, create, and update access to the Security Incident table and read access to the https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/localization/reference/r_ChoicesTable.html[sys_choice]. If you don't provide access to sys_choice, then the choices will not render.
+
+[float]
+[[servicenow-sir-connector-networking-configuration]]
+==== Connector networking configuration
+
+Use the <<action-settings, Action configuration settings>> to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+[float]
+[[Preconfigured-servicenow-sir-configuration]]
+==== Preconfigured connector type
+
+[source,text]
+--
+ my-servicenow-sir:
+   name: preconfigured-servicenow-connector-type
+   actionTypeId: .servicenow-sir
+   config:
+     apiUrl: https://dev94428.service-now.com/
+   secrets:
+     username: testuser
+     password: passwordkeystorevalue
+--
+
+Config defines information for the connector type.
+
+`apiUrl`:: An address that corresponds to *URL*.
+
+Secrets defines sensitive information for the connector type.
+
+`username`:: A string that corresponds to *Username*.
+`password`::  A string that corresponds to *Password*. Should be stored in the <<creating-keystore, {kib} keystore>>.
+
+[float]
+[[define-servicenow-sir-ui]]
+==== Define connector in Stack Management
+
+Define ServiceNow SecOps connector properties.
+
+[role="screenshot"]
+image::management/connectors/images/servicenow-sir-connector.png[ServiceNow SecOps connector]
+
+Test ServiceNow SecOps action parameters.
+
+[role="screenshot"]
+image::management/connectors/images/servicenow-sir-params-test.png[ServiceNow SecOps params test]
+
+[float]
+[[servicenow-sir-action-configuration]]
+==== Action configuration
+
+ServiceNow SecOps actions have the following configuration properties.
+
+Short description::    A short description for the incident, used for searching the contents of the knowledge base.
+Source Ips::           A list of source IPs related to the incident. The IPs will be added as observables to the security incident.
+Destination Ips::      A list of destination IPs related to the incident. The IPs will be added as observables to the security incident.
+Malware URLs::         A list of malware URLs related to the incident. The URLs will be added as observables to the security incident.
+Malware Hashes::       A list of malware hashes related to the incident. The hashes  will be added as observables to the security incident.
+Priority::             The priority of the incident.
+Category::             The category of the incident.
+Subcategory::          The subcategory of the incident.
+Description::          The details about the incident.
+Additional comments::  Additional information for the client, such as how to troubleshoot the issue.
+
+[float]
+[[configuring-servicenow-sir]]
+==== Configure ServiceNow SecOps
+
+ServiceNow offers free https://developer.servicenow.com/dev.do#!/guides/madrid/now-platform/pdi-guide/obtaining-a-pdi[Personal Developer Instances], which you can use to test incidents.

docs/management/connectors/action-types/servicenow.asciidoc

@@ -2,16 +2,16 @@
 [[servicenow-action-type]]
 === ServiceNow connector and action
 ++++
-<titleabbrev>ServiceNow</titleabbrev>
+<titleabbrev>ServiceNow ITSM</titleabbrev>
 ++++
 
-The ServiceNow connector uses the https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/inbound-rest/concept/c_TableAPI.html[V2 Table API] to create ServiceNow incidents.
+The ServiceNow ITSM connector uses the https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/inbound-rest/concept/c_TableAPI.html[V2 Table API] to create ServiceNow incidents.
 
 [float]
 [[servicenow-connector-configuration]]
 ==== Connector configuration
 
-ServiceNow connectors have the following configuration properties.
+ServiceNow ITSM connectors have the following configuration properties.
 
 Name::      The name of the connector. The name is used to identify a  connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
 URL::       ServiceNow instance URL.
@@ -55,12 +55,12 @@ Secrets defines sensitive information for the connector type.
 [[define-servicenow-ui]]
 ==== Define connector in Stack Management
 
-Define ServiceNow connector properties.
+Define ServiceNow ITSM connector properties.
 
 [role="screenshot"]
 image::management/connectors/images/servicenow-connector.png[ServiceNow connector]
 
-Test ServiceNow action parameters.
+Test ServiceNow ITSM action parameters.
 
 [role="screenshot"]
 image::management/connectors/images/servicenow-params-test.png[ServiceNow params test]
@@ -69,11 +69,13 @@ image::management/connectors/images/servicenow-params-test.png[ServiceNow params
 [[servicenow-action-configuration]]
 ==== Action configuration
 
-ServiceNow actions have the following configuration properties.
+ServiceNow ITSM actions have the following configuration properties.
 
 Urgency::              The extent to which the incident resolution can delay.
 Severity::             The severity of the incident.
 Impact::               The effect an incident has on business. Can be measured by the number of affected users or by how critical it is to the business in question.
+Category::             The category of the incident.
+Subcategory::          The category of the incident.
 Short description::    A short description for the incident, used for searching the contents of the knowledge base.
 Description::          The details about the incident.
 Additional comments::  Additional information for the client, such as how to troubleshoot the issue.

docs/management/connectors/index.asciidoc

@@ -6,6 +6,7 @@ include::action-types/teams.asciidoc[]
 include::action-types/pagerduty.asciidoc[]
 include::action-types/server-log.asciidoc[]
 include::action-types/servicenow.asciidoc[]
+include::action-types/servicenow-sir.asciidoc[]
 include::action-types/swimlane.asciidoc[]
 include::action-types/slack.asciidoc[]
 include::action-types/webhook.asciidoc[]