[Security Solution][Cases] - Feature request for connectors for case observables #199807
Labels: enhancement, Feature:Cases, Team:ResponseOps, Team: SecuritySolution
Describe the feature:
Within the Security Application Cases app there is currently ongoing work to add observable objects. After that work is complete it would be nice to have a way to configure an external connector for each observable type. For example, the external connector could be a Webhook, ITSM, or Tines connector, and when called it would send the observable object to the third-party connector.
Ideally connectors could be configured with an option to run automatically as an observable is added, and also with the ability to be run ad-hoc when a user clicks a button in the UI requesting the observable be sent to the connector.
Describe a specific use case for the feature:
A customer has configured an observable type of `file.hash.sha256` in their cases app. They then configure a connector called "Enrich Case" for that observable type to send the observable value to a webhook, along with information about the case or alert that the observable comes from. The webhook passes the value to automation that queries threat intel, VirusTotal, and previous cases for information about that observable. It then takes this information and uses the Cases API to add the information back to the case to provide context for the analysts.

In another use case the customer has configured an observable type of `user.email` in their cases app. They have a webhook connector called "Reset Sessions" that is configured to only run when requested by the analysts. This connector will log out all existing login sessions for that user.
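As an added illustration of the two trigger modes this request asks for (run automatically as an observable is added, or ad-hoc when an analyst asks), the sketch below selects which connectors should fire for a given observable. It is not Kibana's or the Cases plugin's code; the observable and connector shapes, the trigger names and the connector configuration are all assumptions modelled on the two use cases above.

```typescript
// Assumed shapes for the request's per-observable-type connectors.
type ObservableType = "file.hash.sha256" | "user.email";
interface Observable { type: ObservableType; value: string }

interface ConnectorConfig {
  name: string;
  observableType: ObservableType;
  runOnAdd: boolean;   // true: fire as the observable is added; false: ad-hoc only
  webhookUrl: string;  // placeholder, nothing is sent in this example
}
interface Dispatch { connector: string; payload: Record<string, unknown> }

// Syntax checks so a malformed value never reaches a connector that acts on it.
const VALIDATORS: Record<ObservableType, RegExp> = {
  "file.hash.sha256": /^[a-f0-9]{64}$/i,
  "user.email": /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
};

function isValidObservable(o: Observable): boolean {
  return VALIDATORS[o.type].test(o.value);
}

// Decide which connectors fire for one observable, given how the run was
// triggered: "on_add" selects only auto-run connectors; "manual" selects only
// the connector the analyst named, and only if it matches the observable type.
function selectDispatches(
  caseId: string,
  observable: Observable,
  connectors: ConnectorConfig[],
  trigger: "on_add" | "manual",
  requested?: string,
): Dispatch[] {
  if (!isValidObservable(observable)) return [];
  return connectors
    .filter((c) => c.observableType === observable.type)
    .filter((c) => (trigger === "on_add" ? c.runOnAdd : c.name === requested))
    .map((c) => ({
      connector: c.name,
      payload: { caseId, observable, triggeredBy: trigger },
    }));
}

// Constructed configuration mirroring the two use cases in the request.
const CONNECTORS: ConnectorConfig[] = [
  { name: "Enrich Case", observableType: "file.hash.sha256", runOnAdd: true,
    webhookUrl: "https://webhook.example/enrich" },
  { name: "Reset Sessions", observableType: "user.email", runOnAdd: false,
    webhookUrl: "https://webhook.example/reset-sessions" },
];
```

With this configuration, adding a SHA-256 observable fires only "Enrich Case", while "Reset Sessions" never fires on add and runs only when an analyst explicitly requests it for a `user.email` observable.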