[Security Solution] Need generic (webhook) connector for Cases #124687
Labels
8.2 candidate
considered, but not committed, for 8.2 release
8.3 candidate
8.4 candidate
epic
Feature:Actions/ConnectorTypes
Issues related to specific Connector Types on the Actions Framework
Feature:Cases
Cases feature
NeededFor:Security Solution
SIEM, Endpoint, Timeline, Analyzer, Cases
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Team:Threat Hunting:Explore
Team:Threat Hunting
Security Solution Threat Hunting Team
Theme: case_soar_connectors
Relating to connectors to case, ticket, incident management systems or SOAR solutions
v8.2.0
v8.4.0
Comments
MikePaquette
added
Team:ResponseOps
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
MikePaquette
added
the
Theme: case_soar_connectors
This was referenced Aug 11, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Scope: This epic covers the creation of a new generic (webhook?) case connector to allow users to send cases and case updates to a custom third-party case/ticket management system.
Security Solution Initiatives
Security Solution Themes
Problem to solve/Customer Benefit: The vision of Elastic Security for SIEM is to be able to integrate with the various security-related tools that our users have in place within their security operations teams to create workflows that enable them to successfully complete their missions. Typical SOC workflows can be represented by the following sequence:
detect/alert->triage->investigate->escalate->respond
This issue affects escalate and respond worfklows.
The Elastic Security and Observability solutions currently provide a set of action connectors that can be used to push/send/update. Cases, which have been created in the Stack or solution, to a third-party system
As of this writing the set of case-capable connectors includes:
One common challenge faced by operations teams is that they may use custom or home-grown tools for managing or communicating cases, and they'd like to have an easy way to integrate Elastic Cases into these systems. Many of these systems expose API's for creating/updating cases, and users are willing to "customize" a generic connector to meet the specific requirements of their case/ticket management system.
Brief Description/Workflow: Allow the analyst to push and update cases in an external case/ticket management system for which Elastic has not provided a dedicated case connector.
Dependencies: None
Licensing Level: Gold+ - since this is an external connector, it falls into the category of features that require a paid subscription.
Planned Supportability-level at Introduction: {
Experimental, Beta,GA}Capability Discussion
Provide a generic (webhook?) connector for cases such that, after configuration by the users, users can push/send and update cases in their custom REST API-based external case/ticket management systems.
User Success Criteria
When such a capability is deployed, users will be able to push/send and update cases in their custom external case/ticket management systems
Value/Impact:
This capability will help users integrate Elastic Security into theirr organization’s ecosystems.
This capability may also be useful in non-security use cases such as Observability.
Meta-Issue-Level Tasks/Release checklist
The text was updated successfully, but these errors were encountered: