New Connector Type - D3 security SOAR

[d3-naiji]

Summary

Introduces a new built-in action type and sends the ElasticSearch alerts to D3 Security SOAR for incident response, workflow automation and deep investigation. This integrated alert action allows you to create Events or trigger Playbook workflow actions automatically in the D3 Security SOAR platform.

The new action type and the action connector with D3 Security SOAR are as follows:

and action params form available in Create Alert form:

OBS.: merge conflict has been resolved and new fields have been added for params form.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

For maintainers

(https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

[kibanamachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[TinaHeiligers]

initial build failures:
console.log not allowed, please remove or use suitable log mocking

[TinaHeiligers]

@elastic/response-ops could you please take a look at the proposal?

[d3-naiji]

initial build failures: console.log not allowed, please remove or use suitable log mocking

Hi @TinaHeiligers, we have already removed 'console.log' in the latest commits. Please, review it again. Thank you!

[d3-naiji]

@elasticmachine merge upstream

[TinaHeiligers]

@elastic/response-ops could you please take a look at the proposal?

[d3-naiji]

@TinaHeiligers Hi Tina, any update from the code review? Is there anything we can help with?

[TinaHeiligers]

@d3-naiji I am removing myself as a reviewer to allow the relevant team to take this further.

[TinaHeiligers]

CC @elastic/response-ops

[cnasikas]

Hey @d3-bensong! Could you please address the CLA issue? Thanks!

[d3-naiji]

cla-checker-service

Hi @cnasikas , I helped him sign the CLA, but it's after his commits. Could you help check if it can re-run the CLA checker and do I need to sign CLA for the developer again?

[cnasikas]

@elasticmachine merge upstream

[cnasikas]

buildkite test this

[cnasikas]

@elasticmachine, run elasticsearch-ci/docs

[cnasikas]

@d3-naiji It seems that the CLA is fixed now. For some weird reason, I cannot merge with upstream. Could you please do it manually?

[cnasikas]

@d3-naiji @d3-bensong Is there any plan to integrate the connector with Cases?

[d3-naiji]

@d3-naiji @d3-bensong Is there any plan to integrate the connector with Cases?

Hi @cnasikas ,
We would like to enhance it in the future to support "Case".
The incident concept in D3 SOAR will align with the cases in Kinaba. In the future, we plan to integrate the connector with Case that will link to the "Incident Intake" function in D3 SOAR.

[stephmilovic]

Is this intended?

[semd]

buildkite test this

[semd]

@elasticmachine, run elasticsearch-ci/docs

[d3-bensong]

Hi @cnasikas ,
We fixed problem, can you try again please?

[cnasikas]

buildkite test this

[cnasikas]

@elasticmachine, run elasticsearch-ci/docs

[kibana-ci]

💔 Build Failed

• Buildkite Build
• Commit: 05ff285
• Interpreting CI Failures

Failed CI Steps

• Linting

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
stackConnectors	195	201	+6

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
stackConnectors	440.0KB	449.5KB	+9.5KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
stackConnectors	33.4KB	34.2KB	+782.0B

Unknown metric groups

async chunk count

id	before	after	diff
stackConnectors	67	71	+4

ESLint disabled line counts

id	before	after	diff
enterpriseSearch	19	21	+2
securitySolution	401	405	+4
stackConnectors	87	93	+6
total			+12

Total ESLint disabled count

id	before	after	diff
enterpriseSearch	20	22	+2
securitySolution	481	485	+4
stackConnectors	91	97	+6
total			+12

History

• 💔 Build #130765 failed 6967536
• 💔 Build #130383 failed d4b5ef0
• 💔 Build #127682 failed ca0a818
• 💔 Build #87307 failed 96cd567785e9c701675f94bce20cbbb3d8af93f1

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[d3-bensong]

Hi @cnasikas,
I missed an issue last time, now fixed, could you try it again please, thanks.

[stephmilovic]

Hello @d3-bensong and @d3-naiji. After review, because of the planned cases enhancements it was determined that the D3 Security connector needed to be transitioned to our sub actions framework. In order to move this PR forward in time for our upcoming 8.9 Feature Freeze date, we determined it would be most efficient if we move forward with an Elastic owned branch and have our team carry out the rest of the work. There is a new PR open with the sub actions refactor complete, along with additional required tests and documentation. We are moving forward with a review on that PR today. Your work is included in that PR. Therefore, you can go ahead and close this one. I will follow up over email to confirm once I have the new PR merged. Let me know if you have any questions.

Thank you!

[d3-naiji]

@stephmilovic Thanks! I will close this PR