
[Security Solution][Case] Case action type #80870

Merged: 23 commits into elastic:master from case_connector, Nov 4, 2020

Conversation

cnasikas
Member

@cnasikas cnasikas commented Oct 16, 2020

Summary

This PR creates the case connector.

Depends on: #81018

API

Create case action

URI: /api/actions/action
Method: POST

Body:

{
    "name": "Case connector",
    "actionTypeId": ".case"
}

Response:

{
    "id": "c7a092de-f2aa-4cbb-9fc4-aebfaadc8bef",
    "actionTypeId": ".case",
    "name": "Case connector",
    "config": {},
    "isPreconfigured": false
}

Create case

URI: /api/actions/action/<id>/_execute
Method: POST

Body:

{
    "params": {
        "subAction": "create",
        "subActionParams": {
            "title": "My case",
            "tags": [
                "case",
                "connector"
            ],
            "connector": {
                "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
                "name": "Jira",
                "type": ".jira",
                "fields": {
                    "issueType": "10006",
                    "priority": "Low",
                    "parent": null
                }
            },
            "description": "case description!"
        }
    }
}

Response:

{
    "status": "ok",
    "data": {
        "id": "f577cbd0-1cfb-11eb-9d04-b39bf0ec0bef",
        "version": "WzIyOSwxXQ==",
        "comments": [],
        "totalComment": 0,
        "title": "My case",
        "tags": [
            "case",
            "connector"
        ],
        "connector": {
            "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
            "name": "Jira",
            "type": ".jira",
            "fields": {
                "issueType": "10006",
                "priority": "Low",
                "parent": null
            }
        },
        "description": "case description!",
        "closed_at": null,
        "closed_by": null,
        "created_at": "2020-11-02T11:10:03.971Z",
        "created_by": {
            "email": null,
            "full_name": null,
            "username": null
        },
        "external_service": null,
        "status": "open",
        "updated_at": null,
        "updated_by": null
    },
    "actionId": "b530c59c-822c-460a-9109-ac2cff54cc9b"
}

Update case

URI: /api/actions/action/<id>/_execute
Method: POST

Body:

{
    "params": {
        "subAction": "update",
        "subActionParams": {
            "id": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
            "version": "WzE0MiwxXQ==",
            "title": "Update case from connector",
            "tags": [
                "updated"
            ],
            "description": "update description"
        }
    }
}

Response:

{
    "status": "ok",
    "data": [
        {
            "id": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
            "version": "WzE0NiwxXQ==",
            "comments": [],
            "totalComment": 0,
            "title": "Update case from connector",
            "tags": [
                "updated"
            ],
            "description": "update description",
            "connector": {
                "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
                "name": "Jira",
                "type": ".jira",
                "fields": {
                    "issueType": "10006",
                    "parent": null,
                    "priority": "High"
                }
            },
            "closed_at": null,
            "closed_by": null,
            "created_at": "2020-11-02T10:06:40.953Z",
            "created_by": {
                "email": "[email protected]",
                "full_name": "Elastic",
                "username": "elastic"
            },
            "external_service": null,
            "status": "open",
            "updated_at": "2020-11-02T10:08:22.791Z",
            "updated_by": {
                "email": null,
                "full_name": null,
                "username": null
            }
        }
    ],
    "actionId": "b530c59c-822c-460a-9109-ac2cff54cc9b"
}

Add comment to case

URI: /api/actions/action/<id>/_execute
Method: POST

Body:

{
    "params": {
        "subAction": "addComment",
        "subActionParams": {
            "caseId": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
            "comment": {
                "comment": "A comment from a case connector!",
                "type": "user"
            }
        }
    }
}

Response:

{
    "status": "ok",
    "data": {
        "id": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
        "version": "WzE1OCwxXQ==",
        "comments": [
            {
                "id": "fc4c0da0-1cf5-11eb-9d04-b39bf0ec0bef",
                "version": "WzE1OSwxXQ==",
                "comment": "A comment from a case connector!",
                "type": "user",
                "created_at": "2020-11-02T10:27:18.617Z",
                "created_by": {
                    "email": null,
                    "full_name": null,
                    "username": null
                },
                "pushed_at": null,
                "pushed_by": null,
                "updated_at": null,
                "updated_by": null
            }
        ],
        "totalComment": 1,
        "title": "Update case from connector",
        "tags": [
            "updated"
        ],
        "description": "update description",
        "connector": {
            "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
            "name": "Jira",
            "type": ".jira",
            "fields": {
                "issueType": "10006",
                "parent": null,
                "priority": "High"
            }
        },
        "closed_at": null,
        "closed_by": null,
        "created_at": "2020-11-02T10:06:40.953Z",
        "created_by": {
            "email": "[email protected]",
            "full_name": "Elastic",
            "username": "elastic"
        },
        "external_service": null,
        "status": "open",
        "updated_at": "2020-11-02T10:27:18.617Z",
        "updated_by": {
            "username": null,
            "full_name": null,
            "email": null
        }
    },
    "actionId": "b530c59c-822c-460a-9109-ac2cff54cc9b"
}

Breaking changes:

A new field was introduced to cases' comments. It must be provided when adding a comment to a case. Specifically:

| Name | Type | Description                 | Required |
|------|------|-----------------------------|----------|
| type | user | The case's new comment type | Yes      |

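The three `_execute` calls above are one read-modify-write sequence: the `id` and `version` returned by `create` are what `update` has to send back, and `addComment` must now carry `comment.type`. The following script is an added example written for this page, not code from this PR or from the Kibana project. It validates `subActionParams` client-side against the shapes shown in the PR, threads the returned `version` into the update, and sends the standard `kbn-xsrf` header Kibana requires on state-changing API calls. The Kibana URL, action id and connector id are assumed placeholder values, and `fake_send` is a constructed offline stand-in for the server so the script runs without a Kibana instance.

```python
"""Constructed client for the case connector's _execute API described in this PR."""
import json
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

EXECUTE_PATH = "/api/actions/action/{action_id}/_execute"

# Fields each subAction must carry, taken from the request bodies in the PR.
REQUIRED_PARAMS: Dict[str, Tuple[str, ...]] = {
    "create": ("title", "description", "tags", "connector"),
    "update": ("id", "version"),  # version: the token returned by the last read
    "addComment": ("caseId", "comment"),
}


def validation_error(sub_action: str, sub_params: Any) -> Optional[str]:
    """Return a message describing the first problem with the params, or None."""
    if sub_action not in REQUIRED_PARAMS:
        return f"unknown subAction: {sub_action!r}"
    if not isinstance(sub_params, dict):
        return "subActionParams must be an object"
    for key in REQUIRED_PARAMS[sub_action]:
        if key not in sub_params:
            return f"{sub_action}: missing subActionParams.{key}"
    if sub_action == "create":
        if not isinstance(sub_params["tags"], list):
            return "create: tags must be a list"
        for key in ("id", "name", "type", "fields"):
            if key not in sub_params["connector"]:
                return f"create: missing connector.{key}"
    if sub_action == "addComment":
        comment = sub_params["comment"]
        if not isinstance(comment, dict) or "comment" not in comment:
            return "addComment: comment.comment is required"
        if "type" not in comment:  # the breaking change introduced by this PR
            return "addComment: comment.type is required"
    return None


def build_body(sub_action: str, sub_params: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap params in the execute envelope, refusing malformed bodies client-side."""
    problem = validation_error(sub_action, sub_params)
    if problem:
        raise ValueError(problem)
    return {"params": {"subAction": sub_action, "subActionParams": sub_params}}


Sender = Callable[[str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]


def http_send(url: str, body: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, Any]:
    """Real network transport; demo() swaps in fake_send so it runs offline."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def execute(kibana_url: str, action_id: str, sub_action: str, sub_params: Dict[str, Any],
            send: Sender = http_send, authorization: Optional[str] = None) -> Any:
    """POST to /_execute and return the `data` part of an "ok" response."""
    body = build_body(sub_action, sub_params)
    # Kibana rejects state-changing API calls that lack the kbn-xsrf header.
    headers = {"Content-Type": "application/json", "kbn-xsrf": "true"}
    if authorization:
        headers["Authorization"] = authorization
    url = kibana_url.rstrip("/") + EXECUTE_PATH.format(action_id=action_id)
    response = send(url, body, headers)
    if response.get("status") != "ok":
        raise RuntimeError(f"action {action_id} failed: {response}")
    return response["data"]


def fake_send(url: str, body: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, Any]:
    """Constructed offline stand-in for Kibana, echoing the response shapes in the PR."""
    assert headers["kbn-xsrf"] == "true"
    sub = body["params"]["subAction"]
    sp = body["params"]["subActionParams"]
    if sub == "create":  # unauthenticated executor: created_by fields come back null
        data: Any = {"id": "case-1", "version": "v1", "title": sp["title"], "comments": [],
                     "totalComment": 0, "created_by": {"username": None, "email": None, "full_name": None}}
    elif sub == "update":  # update returns a list of cases
        data = [{"id": sp["id"], "version": "v2", "title": sp.get("title")}]
    else:
        data = {"id": sp["caseId"], "version": "v3", "comments": [sp["comment"]], "totalComment": 1}
    return {"status": "ok", "data": data, "actionId": url.split("/")[-2]}


def demo(send: Sender = fake_send) -> Tuple[Dict[str, Any], Dict[str, Any], Dict[str, Any]]:
    """Create a case, update it with the version just read, then comment on it."""
    base, action = "http://localhost:5601", "action-1"  # assumed placeholder values
    connector = {"id": "conn-1", "name": "Jira", "type": ".jira",
                 "fields": {"issueType": "10006", "priority": "Low", "parent": None}}
    created = execute(base, action, "create", {"title": "My case", "description": "from script",
                                                "tags": ["case", "connector"], "connector": connector}, send)
    updated = execute(base, action, "update", {"id": created["id"], "version": created["version"],
                                                "title": "Updated from script"}, send)[0]
    commented = execute(base, action, "addComment", {"caseId": created["id"],
                                                      "comment": {"comment": "hello", "type": "user"}}, send)
    return created, updated, commented


if __name__ == "__main__":
    for step in demo():
        print(json.dumps(step, indent=2))
```

To run it against a real deployment, pass `send=http_send` to `demo()` together with a real base URL, action id and connector id; the client-side validation then catches a missing `comment.type` or a forgotten `version` before the request is sent, which is a cheaper failure than a server-side rejection.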

@cnasikas cnasikas added Team:SIEM v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v7.11.0 Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Oct 16, 2020
@cnasikas cnasikas self-assigned this Oct 16, 2020
@cnasikas cnasikas changed the title [Security Solution][Case][skip-ci] Case action type [Security Solution][Case] Case action type Oct 27, 2020
@cnasikas cnasikas marked this pull request as ready for review October 27, 2020 11:41
@cnasikas cnasikas requested review from a team as code owners October 27, 2020 11:41
@elasticmachine
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@cnasikas cnasikas force-pushed the case_connector branch 4 times, most recently from 8b7c649 to 7ca66e5 October 31, 2020 13:40
@cnasikas cnasikas added the release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. label Nov 2, 2020
@YulNaumenko YulNaumenko self-requested a review November 2, 2020 15:59
const { savedObjectsClient } = services;
const caseClient = createCaseClient({
savedObjectsClient,
request: {} as KibanaRequest,
Contributor


I'm confused about why we're passing an empty object and typing it. Instead can this value be undefined? Can we change the type?

interface UserActionUsernameProps {
username: string;
fullName?: string;
username?: string | null;
Contributor


Is it true that username will only be undefined when type: alert? Can we check for this and say something like Automated Alert (maybe ask product) instead of Unknown?

Member Author


A non-authenticated user can create cases. In this case, the username will be null. I agree about asking product about a suitable name.

Contributor


maybe user is Kibana?

@YulNaumenko
Contributor

YulNaumenko commented Nov 4, 2020

Overall the PR looks great! It is a very promising first iteration for introducing a Case as a connector across Kibana.
A couple of findings that I think should be addressed:

  1. The Test tab for a Case connector looks confusing:
     [image: screenshot of the connector Test tab]
     Maybe it makes sense to disable/hide the Test tab for the Case connector? cc @mikecote
  2. My nit, a personal observation from the point of view of 'a lot of files to review': the Case Comment Type related work could be easier to have in a separate PR :-)

@cnasikas
Member Author

cnasikas commented Nov 4, 2020

> Overall the PR looks great! It is a very promising first iteration for introducing a Case as a connector across Kibana.
> A couple of findings that I think should be addressed:
>
>   1. The Test tab for a Case connector looks confusing:
>      [image: screenshot of the connector Test tab]
>      Maybe it makes sense to disable/hide the Test tab for the Case connector? cc @mikecote
>   2. My nit, a personal observation from the point of view of 'a lot of files to review': the Case Comment Type related work could be easier to have in a separate PR :-)

Thanks a lot for your review! About 1) this PR is gonna add the parameters for the action. You are right about moving Case Comment Type related work to another PR. Sorry about that!

@cnasikas cnasikas merged commit 7abb1e3 into elastic:master Nov 4, 2020
@cnasikas cnasikas deleted the case_connector branch November 4, 2020 10:07
cnasikas added a commit to cnasikas/kibana that referenced this pull request Nov 4, 2020
* Init connector

* Add test

* Improve comment type

* Add integration tests

* Fix i18n

* Improve tests

* Show unknown when username is null

* Improve comment type

* Pass connector to case client

* Improve type after PR elastic#82125

* Add comment migration test

* Fix integration tests

* Fix reporter on table

* Create case connector ui

* Add connector to README

* Improve casting on executor

* Translate name

* Improve test

* Create comment type enum

* Fix type

* Fix i18n

* Move README to cases

* Filter out case connector from alerting

Co-authored-by: Mike Côté <[email protected]>
cnasikas added a commit that referenced this pull request Nov 4, 2020
@elastic elastic deleted a comment from kibanamachine Jan 11, 2021