Open shimonmodi opened 4 years ago
Pinging @elastic/siem (Team:SIEM)
https://github.com/elastic/kibana/pull/74357: Connector & Alerts.
Incident types and severity were implemented in https://github.com/elastic/kibana/pull/77327. The "date discovered" field is set to the date of the first push from Kibana to IBM Resilient.
Pinging @elastic/response-ops (Team:ResponseOps)
Describe the feature: This feature will allow users to specify IBM Resilient incident fields when cases are being sent to Resilient.
Describe a specific use case for the feature: Elastic's case feature supports an analyst workflow to create a case based on an investigation of alerts and events in the Elastic Security solution. Using the case connector feature, users can send a case from Elastic to IBM Resilient as an Incident. IBM Resilient offers users a number of different fields that can be set during the Incident creation process. We need to provide a way for users to fill out these IBM Resilient Incident fields from our cases interface. When an analyst is ready to send a case from Elastic to IBM Resilient, they will be provided incident fields that are populated from the IBM Resilient data model.
IBM Resilient fields that should be supported (as seen on the front end; they may be defined differently in the REST API):
Nice to have:
More information here