[SIEM] Case workflow integration with third-party system(s)

[MikePaquette]

Describe the feature:

Add a basic case workflow integration with third party systems in SIEM app.

• [x] A “case” document structure/schema/index using ECS fields - Closed: https://github.com/elastic/kibana/issues/50174 PR: https://github.com/elastic/kibana/pull/51535
• [x] A way to “connect to 3rd party case management” function in SIEM settings - In Progress: #53891 PR: #53890, #58894
• [ ] An “automatically create case” action (optional) in SIEM detection rule creation workflow, so when case is created in SIEM, a corresponding case is created in the “connected” third party case management system
• [x] A way to “create case /add timeline to case” in SIEM app timeline
• [x] A way to display “cases” as nav item in SIEM app PR: https://github.com/elastic/kibana/pull/57283
• [x] A “case view” PR: https://github.com/elastic/kibana/pull/57283
• [x] A “case details” view (editor) in SIEM app - when case is closed here, any “connected” third party case is closed.
• [x] Team settings in spaces
• [x] Per user settings

Describe a specific use case for the feature: SOC analysts and investigators using SIEM app need a way to coordinate their work inside SIEM with work being done by them or others in an external case/ticket management system, security incident response system, or security orchestration/automated response system.

Specifically they want to be able to:

• Open, edit, and close cases within SIEM
• Cause a corresponding case to be created in an external system
• Receive notification in the SIEM if the case has been closed in the external system
• View stats about cases

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[peterschretlen]

@MikePaquette there's a lot of interesting overlap between case workflow and some of the emerging concepts in Kibana like actions & connectors, "kibana alerting", user-events, and "kibana notifications" - and I think much of the use case is portable to other domains.

I'd like to see Kibana stack services being able to support aspects of this that are not security & SIEM specific, if there are any gaps we should fill them.

cc @alexfrancoeur @bmcconaghy

[pmuellr]

Receive notification in the SIEM if the case has been closed in the external system

Ideally you'd like the external system to make an http request into Kibana to indicate a case has been closed, but ... we're not there yet. Kinda falls into the "chat-ops" or related areas.

In the meantime however, creating an an alert or even just task manager task to somehow look for "newly closed cases" or such could work.!

[stephmilovic]

Related Issues: [SIEM] [Case] ServiceNow Actions #57866 [SIEM] [Case] Configure Cases Page #57864 [SIEM] [Case] All Cases Page #57865 [SIEM] [Case] To dos #57861 [SIEM] [Case] Editable Case View #57863

[cnasikas]

Related PRs:

[SIEM][CASES] Configure cases: Final #59358 [SIEM][CASE] ServiceNow executor #58894