Scope: This epic covers the creation of a new generic (webhook?) case connector to allow users to send cases and case updates to a custom third-party case/ticket management system.
Security Solution Initiatives
Enable SecOps Workflows via Case Workflow Integration / Case Management
Integrate Security-Relevant Data Sources as modules/packages
Security Solution Themes
Case / Ticket Management / SOAR Connectors
Problem to solve/Customer Benefit: The vision of Elastic Security for SIEM is to be able to integrate with the various security-related tools that our users have in place within their security operations teams to create workflows that enable them to successfully complete their missions. Typical SOC workflows can be represented by the following sequence:
detect/alert->triage->investigate->escalate->respond
This issue affects the escalate and respond workflows.
The Elastic Security and Observability solutions currently provide a set of action connectors that can be used to push/send/update cases, which have been created in the Stack or solution, to a third-party system.
As of this writing the set of case-capable connectors includes:
Jira
Service Now ITSM (formerly Service Now)
Service Now SecOps/Incident Response
IBM Resilient
Swimlane
One common challenge faced by operations teams is that they may use custom or home-grown tools for managing or communicating cases, and they'd like to have an easy way to integrate Elastic Cases into these systems. Many of these systems expose APIs for creating/updating cases, and users are willing to "customize" a generic connector to meet the specific requirements of their case/ticket management system.
Brief Description/Workflow: Allow the analyst to push and update cases in an external case/ticket management system for which Elastic has not provided a dedicated case connector.
Dependencies: None
Licensing Level: Gold+ - since this is an external connector, it falls into the category of features that require a paid subscription.
Planned Supportability-level at Introduction: {Experimental, Beta, GA}
Capability Discussion
Provide a generic (webhook?) connector for cases such that, after configuration by the users, users can push/send and update cases in their custom REST API-based external case/ticket management systems.
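To make the shape of such a connector concrete, here is an added illustrative example; it is not Kibana's code or a proposed implementation, and the names (`ElasticCase`, `WebhookCaseConfig`, `Transport`, the sample config and the fake external system) are assumptions. It shows the two points a generic REST connector has to get right: the user-supplied JSON body template is filled in with JSON-escaped values so that case text cannot inject extra fields into the request, and the user-supplied target URL is checked against an HTTPS-only host allowlist before anything is sent. Create and update are the two operations the checklist calls for.

```typescript
// Added illustrative example of a generic webhook case connector (not Kibana code).
// All type and function names below are assumptions made for this example.

interface ElasticCase {
  id: string;
  title: string;
  description: string;
  status: "open" | "in-progress" | "closed";
  externalId?: string; // set once the case has been pushed to the external system
}

interface WebhookCaseConfig {
  createUrl: string;      // POST target for new cases
  updateUrl: string;      // PATCH target; may contain {{externalId}}
  createBody: string;     // JSON template with {{field}} placeholders
  updateBody: string;
  externalIdPath: string; // dotted path into the create response, e.g. "result.key"
  allowedHosts: string[]; // only these hosts may be called (SSRF guard for user-set URLs)
}

interface HttpResponse { status: number; body: string }
type Transport = (method: "POST" | "PATCH", url: string, body: string) => HttpResponse;
type Vars = Record<string, string | undefined>;

// Fill {{name}} placeholders. Each value is JSON-encoded and the outer quotes dropped,
// so a title such as  Foo", "priority": "P1  stays inside its JSON string instead of
// adding fields to the request body.
function renderTemplate(template: string, vars: Vars): string {
  return template.replace(/\{\{(\w+)\}\}/g, (_m, name: string) =>
    JSON.stringify(vars[name] ?? "").slice(1, -1));
}

// Refuse anything that is not HTTPS to an allowlisted host.
function assertAllowedUrl(raw: string, allowedHosts: string[]): URL {
  const u = new URL(raw);
  if (u.protocol !== "https:") throw new Error(`refusing non-HTTPS connector URL: ${raw}`);
  if (!allowedHosts.includes(u.hostname)) throw new Error(`host not allowlisted: ${u.hostname}`);
  return u;
}

// Look up a dotted path ("result.key") in a parsed JSON response.
function getPath(obj: unknown, path: string): unknown {
  return path.split(".").reduce<unknown>((acc, key) =>
    acc !== null && typeof acc === "object" ? (acc as Record<string, unknown>)[key] : undefined, obj);
}

// First push creates the external ticket and records its id; later pushes update it.
function pushCase(cfg: WebhookCaseConfig, send: Transport, c: ElasticCase): ElasticCase {
  const vars: Vars = { id: c.id, title: c.title, description: c.description, status: c.status, externalId: c.externalId };
  const isUpdate = c.externalId !== undefined;
  // URL placeholders are percent-encoded, body placeholders are JSON-escaped
  const url = (isUpdate ? cfg.updateUrl : cfg.createUrl)
    .replace(/\{\{(\w+)\}\}/g, (_m, name: string) => encodeURIComponent(vars[name] ?? ""));
  assertAllowedUrl(url, cfg.allowedHosts);
  const body = renderTemplate(isUpdate ? cfg.updateBody : cfg.createBody, vars);
  JSON.parse(body); // a rendered template that is not valid JSON is a config error, not a request
  const res = send(isUpdate ? "PATCH" : "POST", url, body);
  if (res.status < 200 || res.status >= 300) throw new Error(`external system returned HTTP ${res.status}`);
  if (isUpdate) return c;
  const extId = getPath(JSON.parse(res.body), cfg.externalIdPath);
  if (typeof extId !== "string" || extId === "") throw new Error(`no external id at ${cfg.externalIdPath} in response`);
  return { ...c, externalId: extId };
}

// Constructed stand-in for the external ticket system: records requests, hands back a key.
type RecordedCall = { method: string; url: string; body: string };
function makeFakeTransport(): { send: Transport; calls: RecordedCall[] } {
  const calls: RecordedCall[] = [];
  const send: Transport = (method, url, body) => {
    calls.push({ method, url, body });
    return method === "POST"
      ? { status: 201, body: JSON.stringify({ result: { key: "TCK-1042" } }) }
      : { status: 200, body: "{}" };
  };
  return { send, calls };
}

// Constructed sample configuration (hypothetical host and API shape).
const sampleConfig: WebhookCaseConfig = {
  createUrl: "https://tickets.example.internal/api/tickets",
  updateUrl: "https://tickets.example.internal/api/tickets/{{externalId}}",
  createBody: '{"summary":"{{title}}","details":"{{description}}","source":"elastic-case-{{id}}"}',
  updateBody: '{"details":"{{description}}","state":"{{status}}"}',
  externalIdPath: "result.key",
  allowedHosts: ["tickets.example.internal"],
};
```

Usage: `pushCase(sampleConfig, send, aCase)` returns the case with `externalId` filled from the create response; calling it again with that returned case sends a PATCH to the update URL. Because the URL and templates are user-configured, the allowlist check and the JSON-escaped substitution are the parts of the design worth keeping whatever the real transport looks like.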
User Success Criteria
When such a capability is deployed, users will be able to push/send and update cases in their custom external case/ticket management systems
Value/Impact:
This capability will help users integrate Elastic Security into their organization's ecosystems.
This capability may also be useful in non-security use cases such as Observability.
Meta-Issue-Level Tasks/Release checklist
[ ] Decide if webhook connector is the right approach
[ ] If so, enhance webhook connector to support case push/send operation
[ ] If so, enhance webhook connector to support case update operation
[ ] Connector works properly with cases from security and observability