[SIEM][CASE] IBM Resilient Connector

[cnasikas]

Feature:

• Create IBM Resilient Connector (Action)
• Create IBM Resilient Connector UI form

Notes:

Fields (IBM to SIEM):

• name -> title
• description -> description
• notes -> comments
• discovered_date -> created_at

IBM Resilient REST API:

• Base path: https://server/rest/orgs/<org_id>. Default https://app.resilientsystems.com/rest/orgs/<org_id>
• Link to incident: https://<host>/#incidents/<incident_id>
• Common query params: text_content_output_format=always_text&handle_format=names
• Incident:
  • GET: /incidents - Get all incidents
  • GET: /incidents/<incident_id> - Get incident by id
  • POST: /incidents - Create incident
  • PATCH: /incidents/<incident_id> - Patch incident by id
• Authentication:
  • Two types of authentication: a) email, password b) api_key, api_secret
  • By API key: You need to get the API handle key (principle ID for an api key) by GET https://server/rest/session (Basic auth is sufficient). Basic auth: api_key, api_secret
  • By email, password: You need to POST https://server/rest/session. Body: email, password. The response contains: csrf_token that has to be sent as X-sess-id header and a cookie (JSESSIONID).
  • A user can have access to multiple organizations
  • You can either use API key-based authentication or cookie-based authentication. You cannot send the API key and the session id.
  • API key should be preferred.
• Updates:
  • Server might return 409 Conflict (DB-level conflict)
  • First GET, after PUT and if there is a conflict loop again (Ref)
  • Overwrite conflicts?

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[cnasikas]

Implemented in #66385

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)