From 32d7316e4b9f147dc7ce3ca1c762517f8531d1b2 Mon Sep 17 00:00:00 2001 From: Brijesh Khunt <123942796+brijesh-elastic@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:07:14 +0530 Subject: [PATCH] TheHive Connector for Cases (#180931) ## Summary This PR implements the case support for TheHive connector. Depends on : https://github.com/elastic/kibana/pull/180138 ## Screenshots **List of connectors** ![image](https://github.com/elastic/kibana/assets/123942796/7236eaed-d1d5-4506-80b1-c4e43c6ce36a) **Configure thehive connector from cases** ![image](https://github.com/elastic/kibana/assets/123942796/bb4843d5-9f29-47c2-baa3-77db81a35319) ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [x] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [x] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Christos Nasikas --- docs/management/action-types.asciidoc | 4 +- .../connectors/action-types/thehive.asciidoc | 19 +++++- .../cases/common/types/domain/connector/v1.ts | 19 ++++++ .../public/components/connectors/index.ts | 3 + .../public/components/connectors/mock.ts | 10 ++++ .../connectors/thehive/case_fields.test.tsx | 50 ++++++++++++++++ .../connectors/thehive/case_fields.tsx | 60 +++++++++++++++++++ .../thehive/case_fields_preview.test.tsx | 34 +++++++++++ .../thehive/case_fields_preview.tsx | 54 +++++++++++++++++ .../components/connectors/thehive/index.ts | 20 +++++++ .../connectors/thehive/translations.ts | 16 +++++ .../components/connectors/thehive/types.ts | 14 +++++ .../server/client/user_actions/connectors.ts | 26 ++++---- .../cases/server/connectors/factory.ts | 2 + .../server/connectors/thehive/format.test.ts | 28 +++++++++ .../cases/server/connectors/thehive/format.ts | 33 ++++++++++ .../cases/server/connectors/thehive/index.ts | 15 +++++ .../server/connectors/thehive/mapping.ts | 33 ++++++++++ .../cases/server/connectors/thehive/types.ts | 18 ++++++ .../server/connector_types/thehive/index.ts | 2 + 20 files changed, 445 insertions(+), 15 deletions(-) create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/case_fields.test.tsx create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/case_fields.tsx create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.test.tsx create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.tsx create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/index.ts create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/translations.ts create mode 100644 x-pack/plugins/cases/public/components/connectors/thehive/types.ts create mode 100644 x-pack/plugins/cases/server/connectors/thehive/format.test.ts create mode 100644 x-pack/plugins/cases/server/connectors/thehive/format.ts create mode 100644 x-pack/plugins/cases/server/connectors/thehive/index.ts create mode 100644 x-pack/plugins/cases/server/connectors/thehive/mapping.ts create mode 100644 x-pack/plugins/cases/server/connectors/thehive/types.ts diff --git a/docs/management/action-types.asciidoc b/docs/management/action-types.asciidoc index da58ff6f295b0..a39b5a996dca3 100644 --- a/docs/management/action-types.asciidoc +++ b/docs/management/action-types.asciidoc @@ -92,9 +92,9 @@ a| <> | Create an incident in {swimlane}. -a| <> +a| <> -| Create cases and alerts in {thehive}. +| Create cases and alerts in TheHive. a| <> diff --git a/docs/management/connectors/action-types/thehive.asciidoc b/docs/management/connectors/action-types/thehive.asciidoc index 302bd142031ee..3252a1a5830d8 100644 --- a/docs/management/connectors/action-types/thehive.asciidoc +++ b/docs/management/connectors/action-types/thehive.asciidoc @@ -33,10 +33,11 @@ URL:: TheHive instance URL. API Key:: TheHive API key for authentication. [float] -[[TheHive-action-configuration]] +[[thehive-action-configuration]] === Test connectors -You can test connectors as you're creating or editing the connector in {kib}. For example: +You can test connectors for creating a case or an alert with the <> or +as you're creating or editing the connector in {kib}. For example: [role="screenshot"] image::management/connectors/images/thehive-params-case-test.png[TheHive case params test] @@ -54,11 +55,23 @@ Description:: The details about the incident. Severity:: Severity of the incident. This can be one of `LOW`, `MEDIUM`(default), `HIGH` or `CRITICAL`. TLP:: Traffic Light Protocol designation for the incident. This can be one of `CLEAR`, `GREEN`, `AMBER`(default), `AMBER+STRICT` or `RED`. Tags:: The keywords or tags about the incident. -Additional comments:: Additional information about the Case. +Additional comments:: Additional information about the Case. Type:: Type of the Alert. Source:: Source of the Alert. Source Reference:: Source reference of the Alert. +[float] +[[thehive-features]] +=== Features + +1. Rule base creation of alerts and cases. +2. Create case, Update case. + +[NOTE] +==== +* For update case, status of the case is not sync with the kibana case. +==== + [float] [[thehive-connector-networking-configuration]] === Connector networking configuration diff --git a/x-pack/plugins/cases/common/types/domain/connector/v1.ts b/x-pack/plugins/cases/common/types/domain/connector/v1.ts index a690abcab9784..9d21f034d6397 100644 --- a/x-pack/plugins/cases/common/types/domain/connector/v1.ts +++ b/x-pack/plugins/cases/common/types/domain/connector/v1.ts @@ -21,6 +21,7 @@ export enum ConnectorTypes { serviceNowITSM = '.servicenow', serviceNowSIR = '.servicenow-sir', swimlane = '.swimlane', + theHive = '.thehive', } const ConnectorCasesWebhookTypeFieldsRt = rt.strict({ @@ -118,6 +119,21 @@ const ConnectorSwimlaneTypeFieldsRt = rt.strict({ fields: rt.union([SwimlaneFieldsRt, rt.null]), }); +/** + * Thehive + */ + +export const TheHiveFieldsRt = rt.strict({ + tlp: rt.union([rt.number, rt.null]), +}); + +export type TheHiveFieldsType = rt.TypeOf; + +const ConnectorTheHiveTypeFieldsRt = rt.strict({ + type: rt.literal(ConnectorTypes.theHive), + fields: rt.union([TheHiveFieldsRt, rt.null]), +}); + /** * None connector */ @@ -135,6 +151,7 @@ export const ConnectorTypeFieldsRt = rt.union([ ConnectorServiceNowITSMTypeFieldsRt, ConnectorServiceNowSIRTypeFieldsRt, ConnectorSwimlaneTypeFieldsRt, + ConnectorTheHiveTypeFieldsRt, ]); /** @@ -148,6 +165,7 @@ export const CaseUserActionConnectorRt = rt.union([ rt.intersection([ConnectorServiceNowITSMTypeFieldsRt, rt.strict({ name: rt.string })]), rt.intersection([ConnectorServiceNowSIRTypeFieldsRt, rt.strict({ name: rt.string })]), rt.intersection([ConnectorSwimlaneTypeFieldsRt, rt.strict({ name: rt.string })]), + rt.intersection([ConnectorTheHiveTypeFieldsRt, rt.strict({ name: rt.string })]), ]); export const CaseConnectorRt = rt.intersection([ @@ -205,3 +223,4 @@ export type ConnectorServiceNowITSMTypeFields = rt.TypeOf< typeof ConnectorServiceNowITSMTypeFieldsRt >; export type ConnectorServiceNowSIRTypeFields = rt.TypeOf; +export type ConnectorTheHiveTypeFields = rt.TypeOf; diff --git a/x-pack/plugins/cases/public/components/connectors/index.ts b/x-pack/plugins/cases/public/components/connectors/index.ts index b3ba36f75d65c..66681b8dd547a 100644 --- a/x-pack/plugins/cases/public/components/connectors/index.ts +++ b/x-pack/plugins/cases/public/components/connectors/index.ts @@ -12,12 +12,14 @@ import { getCaseConnector as getSwimlaneCaseConnector } from './swimlane'; import { getCaseConnector as getResilientCaseConnector } from './resilient'; import { getCaseConnector as getCasesWebhookCaseConnector } from './cases_webhook'; import { getServiceNowITSMCaseConnector, getServiceNowSIRCaseConnector } from './servicenow'; +import { getCaseConnector as getTheHiveCaseConnector } from './thehive'; import type { JiraFieldsType, ServiceNowITSMFieldsType, ServiceNowSIRFieldsType, ResilientFieldsType, SwimlaneFieldsType, + TheHiveFieldsType, } from '../../../common/types/domain'; export * from './types'; @@ -43,6 +45,7 @@ class CaseConnectors { this.caseConnectorsRegistry.register(getServiceNowSIRCaseConnector()); this.caseConnectorsRegistry.register(getSwimlaneCaseConnector()); this.caseConnectorsRegistry.register(getCasesWebhookCaseConnector()); + this.caseConnectorsRegistry.register(getTheHiveCaseConnector()); } registry(): CaseConnectorsRegistry { diff --git a/x-pack/plugins/cases/public/components/connectors/mock.ts b/x-pack/plugins/cases/public/components/connectors/mock.ts index b7271d40043d3..b5f2ccd5c680a 100644 --- a/x-pack/plugins/cases/public/components/connectors/mock.ts +++ b/x-pack/plugins/cases/public/components/connectors/mock.ts @@ -35,6 +35,16 @@ export const swimlaneConnector = { isSystemAction: false, }; +export const theHiveConnector = { + id: '123', + name: 'My connector', + actionTypeId: '.thehive', + config: {}, + isPreconfigured: false, + isDeprecated: false, + isSystemAction: false, +}; + export const issues = [ { id: 'personId', title: 'Person Task', key: 'personKey' }, { id: 'womanId', title: 'Woman Task', key: 'womanKey' }, diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/case_fields.test.tsx b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields.test.tsx new file mode 100644 index 0000000000000..054e61ba84380 --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields.test.tsx @@ -0,0 +1,50 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import userEvent from '@testing-library/user-event'; +import { screen } from '@testing-library/react'; +import Fields from './case_fields'; +import { theHiveConnector as connector } from '../mock'; +import { MockFormWrapperComponent } from '../test_utils'; +import type { AppMockRenderer } from '../../../common/mock'; +import { createAppMockRenderer } from '../../../common/mock'; +import { TheHiveTLP } from './types'; + +describe('TheHive Cases Fields', () => { + const fields = { + TLP: 1, + }; + + let appMockRenderer: AppMockRenderer; + + beforeEach(() => { + appMockRenderer = createAppMockRenderer(); + jest.clearAllMocks(); + }); + + it('all params fields are rendered', () => { + appMockRenderer.render( + + + + ); + + expect(screen.getByText('TLP')).toBeInTheDocument(); + }); + + it('sets TLP correctly', async () => { + appMockRenderer.render( + + + + ); + + userEvent.selectOptions(screen.getByTestId('tlp-field'), '4'); + expect(await screen.findByTestId('tlp-field')).toHaveValue(TheHiveTLP.RED.toString()); + }); +}); diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/case_fields.tsx b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields.tsx new file mode 100644 index 0000000000000..554acbc5eb00b --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields.tsx @@ -0,0 +1,60 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { SelectField } from '@kbn/es-ui-shared-plugin/static/forms/components'; +import { UseField, useFormContext } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib'; +import { fieldValidators } from '@kbn/es-ui-shared-plugin/static/forms/helpers'; +import type { ConnectorFieldsProps } from '../types'; +import * as i18n from './translations'; +import { TheHiveTLP } from './types'; + +const { emptyField } = fieldValidators; + +const tlpOptions = Object.entries(TheHiveTLP).reduce>( + (acc, [key, value]) => (typeof value === 'number' ? [...acc, { text: key, value }] : acc), + [] +); + +const TheHiveFieldsComponent: React.FunctionComponent = () => { + const form = useFormContext(); + + const onTLPChange: (value: string) => void = (value: string) => { + form.setFieldValue('fields.tlp', parseInt(value, 10)); + }; + + return ( +
+ +
+ ); +}; + +TheHiveFieldsComponent.displayName = 'ThehiveFields'; + +// eslint-disable-next-line import/no-default-export +export { TheHiveFieldsComponent as default }; diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.test.tsx b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.test.tsx new file mode 100644 index 0000000000000..37397195231ee --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.test.tsx @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { screen } from '@testing-library/react'; +import FieldsPreview from './case_fields_preview'; +import type { AppMockRenderer } from '../../../common/mock'; +import { theHiveConnector } from '../mock'; +import { createAppMockRenderer } from '../../../common/mock'; +import { createQueryWithMarkup } from '../../../common/test_utils'; + +describe('TheHive Fields: Preview', () => { + const fields = { + tlp: 1, + }; + + let appMockRenderer: AppMockRenderer; + + beforeEach(() => { + appMockRenderer = createAppMockRenderer(); + jest.clearAllMocks(); + }); + + it('renders all fields correctly', () => { + appMockRenderer.render(); + + const getByText = createQueryWithMarkup(screen.getByText); + expect(getByText('TLP: GREEN')).toBeInTheDocument(); + }); +}); diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.tsx b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.tsx new file mode 100644 index 0000000000000..cda520607807d --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/case_fields_preview.tsx @@ -0,0 +1,54 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useMemo } from 'react'; + +import type { TheHiveFieldsType } from '../../../../common/types/domain'; +import { ConnectorTypes } from '../../../../common/types/domain'; +import type { ConnectorFieldsPreviewProps } from '../types'; +import { ConnectorCard } from '../card'; +import * as i18n from './translations'; +import { TheHiveTLP } from './types'; + +const mapTLP = (tlpValue: number): string => { + const entry = Object.entries(TheHiveTLP).find(([_, value]) => value === tlpValue); + return entry?.[0] ?? 'AMBER'; +}; + +const TheHiveFieldsPreviewComponent: React.FunctionComponent< + ConnectorFieldsPreviewProps +> = ({ fields, connector }) => { + const { tlp } = fields ?? {}; + + const listItems = useMemo( + () => [ + ...(tlp !== null + ? [ + { + title: i18n.TLP_LABEL, + description: mapTLP(tlp), + }, + ] + : []), + ], + [tlp] + ); + + return ( + + ); +}; + +TheHiveFieldsPreviewComponent.displayName = 'TheHiveFieldsPreview'; + +// eslint-disable-next-line import/no-default-export +export { TheHiveFieldsPreviewComponent as default }; diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/index.ts b/x-pack/plugins/cases/public/components/connectors/thehive/index.ts new file mode 100644 index 0000000000000..ad80df5f0eb49 --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/index.ts @@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { lazy } from 'react'; + +import type { CaseConnector } from '../types'; +import type { TheHiveFieldsType } from '../../../../common/types/domain'; +import { ConnectorTypes } from '../../../../common/types/domain'; + +export * from './types'; + +export const getCaseConnector = (): CaseConnector => ({ + id: ConnectorTypes.theHive, + fieldsComponent: lazy(() => import('./case_fields')), + previewComponent: lazy(() => import('./case_fields_preview')), +}); diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/translations.ts b/x-pack/plugins/cases/public/components/connectors/thehive/translations.ts new file mode 100644 index 0000000000000..30977b1b73a6f --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/translations.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +export const TLP_LABEL = i18n.translate('xpack.cases.connectors.thehive.tlpLable', { + defaultMessage: 'TLP', +}); + +export const TLP_REQUIRED = i18n.translate('xpack.cases.connectors.thehive.tlpLableRequired', { + defaultMessage: 'TLP is required', +}); diff --git a/x-pack/plugins/cases/public/components/connectors/thehive/types.ts b/x-pack/plugins/cases/public/components/connectors/thehive/types.ts new file mode 100644 index 0000000000000..576eee60af891 --- /dev/null +++ b/x-pack/plugins/cases/public/components/connectors/thehive/types.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export enum TheHiveTLP { + CLEAR = 0, + GREEN = 1, + AMBER = 2, + 'AMBER+STRICT' = 3, + RED = 4, +} diff --git a/x-pack/plugins/cases/server/client/user_actions/connectors.ts b/x-pack/plugins/cases/server/client/user_actions/connectors.ts index c9ebfe8724a91..74fbd404c3cc3 100644 --- a/x-pack/plugins/cases/server/client/user_actions/connectors.ts +++ b/x-pack/plugins/cases/server/client/user_actions/connectors.ts @@ -148,14 +148,19 @@ const getConnectorsInfo = async ({ * the severity user actions or if there is a mechanism to * define supported user actions per connector type */ - const hasCasesWebhookConnector = actionConnectors.some( - (actionConnector) => actionConnector.actionTypeId === ConnectorTypes.casesWebhook + const hasAdditionalUserActionsConnector = actionConnectors.some( + (actionConnector) => + actionConnector.actionTypeId === ConnectorTypes.casesWebhook || + actionConnector.actionTypeId === ConnectorTypes.theHive ); - let latestUserActionCasesWebhook: SavedObject | undefined; - if (hasCasesWebhookConnector) { + let latestAdditionalUserActionConnector: SavedObject | undefined; + if (hasAdditionalUserActionsConnector) { // if cases webhook connector, we need to fetch latestUserAction again because // the cases webhook connector includes extra fields other case connectors do not track - latestUserActionCasesWebhook = await userActionService.getMostRecentUserAction(caseId, true); + latestAdditionalUserActionConnector = await userActionService.getMostRecentUserAction( + caseId, + true + ); } return createConnectorInfoResult({ @@ -163,7 +168,7 @@ const getConnectorsInfo = async ({ connectors, pushInfo, latestUserAction, - latestUserActionCasesWebhook, + latestAdditionalUserActionConnector, }); }; @@ -289,13 +294,13 @@ const createConnectorInfoResult = ({ connectors, pushInfo, latestUserAction, - latestUserActionCasesWebhook, + latestAdditionalUserActionConnector, }: { actionConnectors: ActionResult[]; connectors: CaseConnectorActivity[]; pushInfo: Map; latestUserAction?: SavedObject; - latestUserActionCasesWebhook?: SavedObject; + latestAdditionalUserActionConnector?: SavedObject; }) => { const results: GetCaseConnectorsResponse = {}; const actionConnectorsMap = new Map( @@ -312,8 +317,9 @@ const createConnectorInfoResult = ({ * the severity user actions or if there is a mechanism to * define supported user actions per connector type */ - connectorDetails?.actionTypeId === ConnectorTypes.casesWebhook - ? latestUserActionCasesWebhook?.attributes.created_at + connectorDetails?.actionTypeId === ConnectorTypes.casesWebhook || + connectorDetails?.actionTypeId === ConnectorTypes.theHive + ? latestAdditionalUserActionConnector?.attributes.created_at : latestUserAction?.attributes.created_at ); diff --git a/x-pack/plugins/cases/server/connectors/factory.ts b/x-pack/plugins/cases/server/connectors/factory.ts index 8cded028be264..8a5fb3d2fcfa7 100644 --- a/x-pack/plugins/cases/server/connectors/factory.ts +++ b/x-pack/plugins/cases/server/connectors/factory.ts @@ -12,6 +12,7 @@ import { getCaseConnector as getResilientCaseConnector } from './resilient'; import { getCaseConnector as getCasesWebhookCaseConnector } from './cases_webook'; import { getServiceNowITSMCaseConnector, getServiceNowSIRCaseConnector } from './servicenow'; import { getCaseConnector as getSwimlaneCaseConnector } from './swimlane'; +import { getCaseConnector as getTheHiveCaseConnector } from './thehive'; const mapping: Record = { [ConnectorTypes.casesWebhook]: getCasesWebhookCaseConnector(), @@ -20,6 +21,7 @@ const mapping: Record = { [ConnectorTypes.serviceNowSIR]: getServiceNowSIRCaseConnector(), [ConnectorTypes.resilient]: getResilientCaseConnector(), [ConnectorTypes.swimlane]: getSwimlaneCaseConnector(), + [ConnectorTypes.theHive]: getTheHiveCaseConnector(), [ConnectorTypes.none]: null, }; diff --git a/x-pack/plugins/cases/server/connectors/thehive/format.test.ts b/x-pack/plugins/cases/server/connectors/thehive/format.test.ts new file mode 100644 index 0000000000000..46f24aea7f4ba --- /dev/null +++ b/x-pack/plugins/cases/server/connectors/thehive/format.test.ts @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Case } from '../../../common/types/domain'; +import { format } from './format'; + +describe('TheHive formatter', () => { + const theCase = { + tags: ['tag1'], + severity: 'high', + connector: { fields: { tlp: 1 } }, + } as Case; + + it('it formats correctly', async () => { + const res = await format(theCase, []); + expect(res).toEqual({ tlp: 1, tags: ['tag1'], severity: 3 }); + }); + + it('it formats correctly when fields do not exist ', async () => { + const invalidFields = { tags: ['tag1'], severity: 'low', connector: { fields: null } } as Case; + const res = await format(invalidFields, []); + expect(res).toEqual({ tlp: null, severity: 1, tags: ['tag1'] }); + }); +}); diff --git a/x-pack/plugins/cases/server/connectors/thehive/format.ts b/x-pack/plugins/cases/server/connectors/thehive/format.ts new file mode 100644 index 0000000000000..00bc4f197e7a9 --- /dev/null +++ b/x-pack/plugins/cases/server/connectors/thehive/format.ts @@ -0,0 +1,33 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Format } from './types'; +import type { ConnectorTheHiveTypeFields } from '../../../common/types/domain'; + +function mapSeverity(severity: string): number { + switch (severity) { + case 'low': + return 1; + case 'medium': + return 2; + case 'high': + return 3; + case 'critical': + return 4; + default: + return 2; + } +} + +export const format: Format = (theCase) => { + const { tlp = null } = (theCase.connector.fields as ConnectorTheHiveTypeFields['fields']) ?? {}; + return { + tags: theCase.tags, + tlp, + severity: mapSeverity(theCase.severity), + }; +}; diff --git a/x-pack/plugins/cases/server/connectors/thehive/index.ts b/x-pack/plugins/cases/server/connectors/thehive/index.ts new file mode 100644 index 0000000000000..2578c06d39952 --- /dev/null +++ b/x-pack/plugins/cases/server/connectors/thehive/index.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getMapping } from './mapping'; +import { format } from './format'; +import type { TheHiveCaseConnector } from './types'; + +export const getCaseConnector = (): TheHiveCaseConnector => ({ + getMapping, + format, +}); diff --git a/x-pack/plugins/cases/server/connectors/thehive/mapping.ts b/x-pack/plugins/cases/server/connectors/thehive/mapping.ts new file mode 100644 index 0000000000000..d0ccd7ce7c197 --- /dev/null +++ b/x-pack/plugins/cases/server/connectors/thehive/mapping.ts @@ -0,0 +1,33 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { GetMapping } from './types'; + +export const getMapping: GetMapping = () => { + return [ + { + source: 'title', + target: 'title', + action_type: 'overwrite', + }, + { + source: 'description', + target: 'description', + action_type: 'overwrite', + }, + { + source: 'tags', + target: 'tags', + action_type: 'overwrite', + }, + { + source: 'comments', + target: 'comments', + action_type: 'append', + }, + ]; +}; diff --git a/x-pack/plugins/cases/server/connectors/thehive/types.ts b/x-pack/plugins/cases/server/connectors/thehive/types.ts new file mode 100644 index 0000000000000..4e36bea761f6b --- /dev/null +++ b/x-pack/plugins/cases/server/connectors/thehive/types.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { TheHiveFieldsType } from '../../../common/types/domain'; +import type { ICasesConnector } from '../types'; + +interface ExternalServiceFormatterParams extends TheHiveFieldsType { + tags: string[]; + severity: number; +} + +export type TheHiveCaseConnector = ICasesConnector; +export type Format = ICasesConnector['format']; +export type GetMapping = ICasesConnector['getMapping']; diff --git a/x-pack/plugins/stack_connectors/server/connector_types/thehive/index.ts b/x-pack/plugins/stack_connectors/server/connector_types/thehive/index.ts index d39849adb4490..50860dd8a9fab 100644 --- a/x-pack/plugins/stack_connectors/server/connector_types/thehive/index.ts +++ b/x-pack/plugins/stack_connectors/server/connector_types/thehive/index.ts @@ -13,6 +13,7 @@ import { AlertingConnectorFeatureId, SecurityConnectorFeatureId, UptimeConnectorFeatureId, + CasesConnectorFeatureId, } from '@kbn/actions-plugin/common/types'; import { urlAllowListValidator } from '@kbn/actions-plugin/server'; import { TheHiveConnector } from './thehive'; @@ -36,6 +37,7 @@ export function getConnectorType(): TheHiveConnectorType { AlertingConnectorFeatureId, SecurityConnectorFeatureId, UptimeConnectorFeatureId, + CasesConnectorFeatureId, ], schema: { config: TheHiveConfigSchema,