[Security Solution][Case] ServiceNow SIR Connector

[cnasikas]

Summary

Release Notes: Adds ServiceNow SIR case connector

This PR implements the case's fields for the ServiveNow SIR connector.

Create case:

Create.case.SIR.mp4

Push case to SIR:

SIR.push.mp4

Technical details:

• Merge routes api/cases/configure/connectors/<connector_id>/push and api/cases/<case_id>/_push into one route. The new route endpoint is case/<case_id>/connector/<connector_id>/_push.
• Moved all push to external incident logic from the front-end to the back-end.
• Create ServiceNow SIR case fields.
• Move Case settings registry to the x-pack/plugins/security_solution/public/cases/components/connectors folder.
• Rename Case settings registry to Case connectors registry.
• Get fields of ServiceNow ITSM connector dynamically. It uses the new sub action getChoices introduced in [Alerts] ServiceNow SIR Connector #88190.
• Add mapping for ServiceNow SIR.
• Enhanced code to support external service formatters for each connector. Each service formatter have access to all alerts attach to the case.
• Rename ServiceNow SIR to ServiceNow SecOps.
• Create get case client method. It returns a case.
• Create getUserActions case client method. It returns the case's user action.
• Create getAlerts case client method. It returns the requested alerts.
• Push comments of ServiceNow SIR to work_notes.
• Create push case client method. It push a case to an external service.
• Alert fields destination.ip, source.ip, file.hash.sha256, and url.full are pushed to ServiceNow SIR in dest_ip, source_ip, malware_hash, and malware_url accordingly. The values of the fields are constructed from all alerts attach to a case. Example dest_ip: 192.168.1.1,192.168.1.2,...

Depends on #88190

Meta issue: #82676

Release note

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be whitelisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[YulNaumenko]

Alerting related changes LGTM.

[XavierM]

Really exciting feature for our user, as always your code is clean and readable. Thanks a lot for getting this new connector.

[kibanamachine]

💔 Build Failed

• continuous-integration/kibana-ci/pull-request
• Commit: 47ef8e5
• Pipeline Steps (look for red circles / failed steps)
• Interpreting CI Failures

Failed CI Steps

• Setup Build Environment and Dependencies
• Setup Build Environment and Dependencies
• Setup Build Environment and Dependencies
• Setup Build Environment and Dependencies
• Setup Build Environment and Dependencies
• Setup Build Environment and Dependencies

Metrics [docs]

‼️ ERROR: metrics for 47ef8e5 were not reported

History

• 💚 Build #105029 succeeded 47ef8e5
• 💔 Build #104895 failed ca083b4
• 💚 Build #104602 succeeded 3e3bb25
• 💔 Build #104507 failed 67ff678148de083d60d55500e455b63cefb99255

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream