[Security Solution] [Threat Hunting] [Cases] Allow User to Specify ServiceNow Incident Category/Sub Category #75622
Assignees
Labels
Feature:Actions/ConnectorTypes
Issues related to specific Connector Types on the Actions Framework
Feature:Cases
Cases feature
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
|
Pinging @elastic/siem (Team:SIEM) |
|
Looking forward to this! |
7 tasks
|
Urgency, severity, and impact were implemented in #77327. Description, short description, and comments were already implemented. |
MindyRS
added
Team: SecuritySolution
|
Possible note for the category and subcategory fields. These can be customized in ServiceNow with extra values, supoprting custom values would add to the value. |
|
@SHolzhauer Category and subcategory implemented in #90547. We fetch the values directly from ServiceNow. |
cnasikas
added
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
The "Assigned To" field will be addressed by this issue #140920 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature:
Our current case capability allows users to send a case to external systems like ServiceNow ITSM, Atlassian Jira and IBM Resilient. This feature will allow users to categorize the case based on types supported by the external system.
Describe a specific use case for the feature:
Elastic's case feature supports analyst workflow for collecting various pieces of evidence that are relevant to an investigation, and as a collaboration feature that lets other analysts view the existing details and comment on it. There are several Incident fields that a user will want to fill out for each case. For example, the type of case (phishing, malware, C2 communication, identity privilege escalation) is critical to capture, persist and send to the external systems using their taxonomy. When an analyst is ready to push a case to an external systems configured as a connector, they will be provided Incident fields that are populated from ServiceNow ITSM Incident data model.
Currently we allow users to fill out the following ServiceNow ITSM Incident fields directly from Alerts UI:
Along with the above mentioned, we should add the following field selections when we recreate this capability in Cases:
List of categories and sub-categories supported by ServiceNow ITSM available here: (https://docs.servicenow.com/bundle/orlando-it-service-management/page/product/incident-management/reference/r_CategorizingIncidents.html)
The text was updated successfully, but these errors were encountered: