Open MikePaquette opened 4 years ago
Pinging @elastic/siem (Team:SIEM)
@MikePaquette there's a lot of interesting overlap between case workflow and some of the emerging concepts in Kibana like actions & connectors, "kibana alerting", user-events, and "kibana notifications" - and I think much of the use case is portable to other domains.
I'd like to see Kibana stack services being able to support aspects of this that are not security & SIEM specific, if there are any gaps we should fill them.
cc @alexfrancoeur @bmcconaghy
Receive notification in the SIEM if the case has been closed in the external system
Ideally you'd like the external system to make an http request into Kibana to indicate a case has been closed, but ... we're not there yet. Kinda falls into the "chat-ops" or related areas.
In the meantime however, creating an alert or even just a task manager task to somehow look for "newly closed cases" or such could work!
Related Issues:
[SIEM] [Case] ServiceNow Actions #57866
[SIEM] [Case] Configure Cases Page #57864
[SIEM] [Case] All Cases Page #57865
[SIEM] [Case] To dos #57861
[SIEM] [Case] Editable Case View #57863
Related PRs:
[SIEM][CASES] Configure cases: Final #59358
[SIEM][CASE] ServiceNow executor #58894
Describe the feature:
Add a basic case workflow integration with third party systems in SIEM app.
Describe a specific use case for the feature: SOC analysts and investigators using SIEM app need a way to coordinate their work inside SIEM with work being done by them or others in an external case/ticket management system, security incident response system, or security orchestration/automated response system.
Specifically they want to be able to: