Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Case] Case action type #80870

Merged
merged 23 commits into from
Nov 4, 2020

Conversation

cnasikas
Copy link
Member

@cnasikas cnasikas commented Oct 16, 2020

Summary

This PR creates the case connector.

Depends on: #81018

API

Create case action

URI: /api/actions/action
Method: POST

Body:

{
    "name": "Case connector",
    "actionTypeId": ".case"
}

Response:

{
    "id": "c7a092de-f2aa-4cbb-9fc4-aebfaadc8bef",
    "actionTypeId": ".case",
    "name": "Case connector",
    "config": {},
    "isPreconfigured": false
}

Create case

URI: /api/actions/action/<id>/_execute
Method: POST

Body:

{
    "params": {
        "subAction": "create",
        "subActionParams": {
            "title": "My case",
            "tags": [
                "case",
                "connector"
            ],
            "connector": {
                "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
                "name": "Jira",
                "type": ".jira",
                "fields": {
                    "issueType": "10006",
                    "priority": "Low",
                    "parent": null
                }
            },
            "description": "case description!"
        }
    }
}

Response:

{
    "status": "ok",
    "data": {
        "id": "f577cbd0-1cfb-11eb-9d04-b39bf0ec0bef",
        "version": "WzIyOSwxXQ==",
        "comments": [],
        "totalComment": 0,
        "title": "My case",
        "tags": [
            "case",
            "connector"
        ],
        "connector": {
            "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
            "name": "Jira",
            "type": ".jira",
            "fields": {
                "issueType": "10006",
                "priority": "Low",
                "parent": null
            }
        },
        "description": "case description!",
        "closed_at": null,
        "closed_by": null,
        "created_at": "2020-11-02T11:10:03.971Z",
        "created_by": {
            "email": null,
            "full_name": null,
            "username": null
        },
        "external_service": null,
        "status": "open",
        "updated_at": null,
        "updated_by": null
    },
    "actionId": "b530c59c-822c-460a-9109-ac2cff54cc9b"
}

Update case

URI: /api/actions/action/<id>/_execute
Method: POST

Body:

{
    "params": {
        "subAction": "update",
        "subActionParams": {
            "id": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
            "version": "WzE0MiwxXQ==",
            "title": "Update case from connector",
            "tags": [
                "updated"
            ],
            "description": "update description"
        }
    }
}

Response:

{
    "status": "ok",
    "data": [
        {
            "id": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
            "version": "WzE0NiwxXQ==",
            "comments": [],
            "totalComment": 0,
            "title": "Update case from connector",
            "tags": [
                "updated"
            ],
            "description": "update description",
            "connector": {
                "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
                "name": "Jira",
                "type": ".jira",
                "fields": {
                    "issueType": "10006",
                    "parent": null,
                    "priority": "High"
                }
            },
            "closed_at": null,
            "closed_by": null,
            "created_at": "2020-11-02T10:06:40.953Z",
            "created_by": {
                "email": "[email protected]",
                "full_name": "Elastic",
                "username": "elastic"
            },
            "external_service": null,
            "status": "open",
            "updated_at": "2020-11-02T10:08:22.791Z",
            "updated_by": {
                "email": null,
                "full_name": null,
                "username": null
            }
        }
    ],
    "actionId": "b530c59c-822c-460a-9109-ac2cff54cc9b"
}

Add comment to case

URI: /api/actions/action/<id>/_execute
Method: POST

Body:

{
    "params": {
        "subAction": "addComment",
        "subActionParams": {
            "caseId": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
            "comment": {
                "comment": "A comment from a case connector!",
                "type": "user"
            }
        }
    }
}

Response:

{
    "status": "ok",
    "data": {
        "id": "1ab03bc0-1cf3-11eb-9d04-b39bf0ec0bef",
        "version": "WzE1OCwxXQ==",
        "comments": [
            {
                "id": "fc4c0da0-1cf5-11eb-9d04-b39bf0ec0bef",
                "version": "WzE1OSwxXQ==",
                "comment": "A comment from a case connector!",
                "type": "user",
                "created_at": "2020-11-02T10:27:18.617Z",
                "created_by": {
                    "email": null,
                    "full_name": null,
                    "username": null
                },
                "pushed_at": null,
                "pushed_by": null,
                "updated_at": null,
                "updated_by": null
            }
        ],
        "totalComment": 1,
        "title": "Update case from connector",
        "tags": [
            "updated"
        ],
        "description": "update description",
        "connector": {
            "id": "5b376853-e1d7-4edc-9750-2659bcf81699",
            "name": "Jira",
            "type": ".jira",
            "fields": {
                "issueType": "10006",
                "parent": null,
                "priority": "High"
            }
        },
        "closed_at": null,
        "closed_by": null,
        "created_at": "2020-11-02T10:06:40.953Z",
        "created_by": {
			"email": "[email protected]",
			"full_name": "Elastic",
			"username": "elastic"
        },
        "external_service": null,
        "status": "open",
        "updated_at": "2020-11-02T10:27:18.617Z",
        "updated_by": {
            "username": null,
            "full_name": null,
            "email": null
        }
    },
    "actionId": "b530c59c-822c-460a-9109-ac2cff54cc9b"
}

Breaking changes:

A new field was introduced to cases' comments. It must be provided when adding a comment to a case. Specifically:

Name Type Description Required
type user The case’s new comment type Yes

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@cnasikas cnasikas added Team:SIEM v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v7.11.0 Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Oct 16, 2020
@cnasikas cnasikas self-assigned this Oct 16, 2020
@cnasikas cnasikas changed the title [Security Solution][Case][skip-ci] Case action type [Security Solution][Case] Case action type Oct 27, 2020
@cnasikas cnasikas marked this pull request as ready for review October 27, 2020 11:41
@cnasikas cnasikas requested review from a team as code owners October 27, 2020 11:41
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@cnasikas cnasikas force-pushed the case_connector branch 4 times, most recently from 8b7c649 to 7ca66e5 Compare October 31, 2020 13:40
@cnasikas cnasikas added the release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. label Nov 2, 2020
@YulNaumenko YulNaumenko self-requested a review November 2, 2020 15:59
const { savedObjectsClient } = services;
const caseClient = createCaseClient({
savedObjectsClient,
request: {} as KibanaRequest,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused about why we're passing an empty object and typing it. Instead can this value be undefined? Can we change the type?

interface UserActionUsernameProps {
username: string;
fullName?: string;
username?: string | null;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it true that username will only be undefined when type: alert?? can we check for this and say something like Automated Alert (maybe ask product) instead of Unknown?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A non authenticated user can create cases. In this case, the username will be null. I agree about asking product about a suitable name.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe user is Kibana?

@cnasikas cnasikas force-pushed the case_connector branch 3 times, most recently from 8cae74e to fee00ae Compare November 3, 2020 14:58
@YulNaumenko
Copy link
Contributor

YulNaumenko commented Nov 4, 2020

Overall the PR looks great! It is a very promising first iteration for introducing a Case as a connector across Kibana.
A couple of findings that I think should be addressed:

  1. Test tab for a Case connector looks confusing:
    img
    Maybe it make sense to disable/hide the test tab for the Case connector? cc @mikecote
  2. My nit personal observation from the point of 'a lot of files to review', that Case Comment Type related work could be easier to have in the separate PR :-)

@cnasikas
Copy link
Member Author

cnasikas commented Nov 4, 2020

Overall the PR looks great! It is a very promising first iteration for introducing a Case as a connector across Kibana.
A couple of findings that I think should be addressed:

  1. Test tab for a Case connector looks confusing:
    img
    Maybe it make sense to disable/hide the test tab for the Case connector? cc @mikecote
  2. My nit personal observation from the point of 'a lot of files to review', that Case Comment Type related work could be easier to have in the separate PR :-)

Thanks a lot for your review! About 1) this PR is gonna add the parameters for the action. You are right about moving Case Comment Type related work to another PR. Sorry about that!

@cnasikas cnasikas merged commit 7abb1e3 into elastic:master Nov 4, 2020
@cnasikas cnasikas deleted the case_connector branch November 4, 2020 10:07
cnasikas added a commit to cnasikas/kibana that referenced this pull request Nov 4, 2020
* Init connector

* Add test

* Improve comment type

* Add integration tests

* Fix i18n

* Improve tests

* Show unknown when username is null

* Improve comment type

* Pass connector to case client

* Improve type after PR elastic#82125

* Add comment migration test

* Fix integration tests

* Fix reporter on table

* Create case connector ui

* Add connector to README

* Improve casting on executor

* Translate name

* Improve test

* Create comment type enum

* Fix type

* Fix i18n

* Move README to cases

* Filter out case connector from alerting

Co-authored-by: Mike Côté <[email protected]>

Co-authored-by: Mike Côté <[email protected]>
cnasikas added a commit that referenced this pull request Nov 4, 2020
* Init connector

* Add test

* Improve comment type

* Add integration tests

* Fix i18n

* Improve tests

* Show unknown when username is null

* Improve comment type

* Pass connector to case client

* Improve type after PR #82125

* Add comment migration test

* Fix integration tests

* Fix reporter on table

* Create case connector ui

* Add connector to README

* Improve casting on executor

* Translate name

* Improve test

* Create comment type enum

* Fix type

* Fix i18n

* Move README to cases

* Filter out case connector from alerting

Co-authored-by: Mike Côté <[email protected]>
@elastic elastic deleted a comment from kibanamachine Jan 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM Team:Threat Hunting Security Solution Threat Hunting Team v7.11.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants