You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This code comes from a PR that was originally opened by the team at D3 Security. In an effort to get this merged, I have branched off of that PR and we will go forward with this one. This PR takes D3's connector code, refactors to use sub actions, and adds the appropriate tests and documentation.
Run kibana with this es server configured in kibana.dev.yml. This is the server I have set up with the D3 instance already. There is some configuration you need to do in D3 to establish the connection, so using this server will allow you to skip that step.
Create D3 Security connectors with above credentials
Test the connector by using the "Test" tab in connectors, or by running a rule that triggers a D3 Security action.
Confirm results in D3 interface. Should look like:
Introduces a new built-in action type and sends the ElasticSearch alerts to D3 Security SOAR for incident response, workflow automation and deep investigation. This integrated alert action allows you to create Events or trigger Playbook workflow actions automatically in the D3 Security SOAR platform.
The new action type and the action connector with D3 Security SOAR are as follows:
and action params form available in Create Alert form:
The reason will be displayed to describe this comment to others. Learn more.
Tested locally, the connector works as expected. When testing the connector on the management page it works well, events are received correctly on the D3 side. And when attached to a rule the execution alerts are also received properly with all the expected values.
It is a bit weird that the "Event Type" and "Severity" params can be empty, they are set to undefined on the D3 side, but as per the Schema they defined, it seems this is what they want.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
stephmilovic
added
release_note:skip
Summary
This code comes from a PR that was originally opened by the team at D3 Security. In an effort to get this merged, I have branched off of that PR and we will go forward with this one. This PR takes D3's connector code, refactors to use sub actions, and adds the appropriate tests and documentation.
Testing
Credentials
kibana.dev.yml. This is the server I have set up with the D3 instance already. There is some configuration you need to do in D3 to establish the connection, so using this server will allow you to skip that step.More info
Below is the original PR description: