[Security Solution][Case] ServiceNow ITSM: Add category & subcategory…

… fields (#90547)

x-pack/plugins/actions/README.md

@@ -595,6 +595,8 @@ The following table describes the properties of the `incident` object.
 | severity          | The name of the severity in ServiceNow.                                                                                   | string _(optional)_ |
 | urgency           | The name of the urgency in ServiceNow.                                                                                    | string _(optional)_ |
 | impact            | The name of the impact in ServiceNow.                                                                                     | string _(optional)_ |
+| category          | The name of the category in ServiceNow.                                                                                   | string _(optional)_ |
+| subcategory       | The name of the subcategory in ServiceNow.                                                                                | string _(optional)_ |
 
 #### `subActionParams (getFields)`
 

x-pack/plugins/actions/server/builtin_action_types/servicenow/api.test.ts

@@ -88,6 +88,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           caller_id: 'elastic',
           description: 'Incident description',
           short_description: 'Incident title',
@@ -111,6 +113,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           comments: 'A comment',
           description: 'Incident description',
           short_description: 'Incident title',
@@ -123,6 +127,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           comments: 'Another comment',
           description: 'Incident description',
           short_description: 'Incident title',
@@ -146,6 +152,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           work_notes: 'A comment',
           description: 'Incident description',
           short_description: 'Incident title',
@@ -158,6 +166,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           work_notes: 'Another comment',
           description: 'Incident description',
           short_description: 'Incident title',
@@ -229,6 +239,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           description: 'Incident description',
           short_description: 'Incident title',
         },
@@ -251,6 +263,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           description: 'Incident description',
           short_description: 'Incident title',
         },
@@ -262,6 +276,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           comments: 'A comment',
           description: 'Incident description',
           short_description: 'Incident title',
@@ -285,6 +301,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           description: 'Incident description',
           short_description: 'Incident title',
         },
@@ -296,6 +314,8 @@ describe('api', () => {
           severity: '1',
           urgency: '2',
           impact: '3',
+          category: 'software',
+          subcategory: 'os',
           work_notes: 'A comment',
           description: 'Incident description',
           short_description: 'Incident title',

x-pack/plugins/actions/server/builtin_action_types/servicenow/mocks.ts

@@ -112,6 +112,8 @@ const executorParams: ExecutorSubActionPushParams = {
     severity: '1',
     urgency: '2',
     impact: '3',
+    category: 'software',
+    subcategory: 'os',
   },
   comments: [
     {

x-pack/plugins/actions/server/builtin_action_types/servicenow/schema.ts

@@ -45,6 +45,8 @@ const CommonAttributes = {
   short_description: schema.string(),
   description: schema.nullable(schema.string()),
   externalId: schema.nullable(schema.string()),
+  category: schema.nullable(schema.string()),
+  subcategory: schema.nullable(schema.string()),
 };
 
 // Schema for ServiceNow Incident Management (ITSM)
@@ -62,13 +64,11 @@ export const ExecutorSubActionPushParamsSchemaITSM = schema.object({
 export const ExecutorSubActionPushParamsSchemaSIR = schema.object({
   incident: schema.object({
     ...CommonAttributes,
-    category: schema.nullable(schema.string()),
     dest_ip: schema.nullable(schema.string()),
     malware_hash: schema.nullable(schema.string()),
     malware_url: schema.nullable(schema.string()),
-    priority: schema.nullable(schema.string()),
     source_ip: schema.nullable(schema.string()),
-    subcategory: schema.nullable(schema.string()),
+    priority: schema.nullable(schema.string()),
   }),
   comments: CommentsSchema,
 });

x-pack/plugins/case/common/api/connectors/jira.ts

@@ -7,6 +7,7 @@
 
 import * as rt from 'io-ts';
 
+// New fields should also be added at: x-pack/plugins/case/server/connectors/case/schema.ts
 export const JiraFieldsRT = rt.type({
   issueType: rt.union([rt.string, rt.null]),
   priority: rt.union([rt.string, rt.null]),

x-pack/plugins/case/common/api/connectors/resilient.ts

@@ -7,6 +7,7 @@
 
 import * as rt from 'io-ts';
 
+// New fields should also be added at: x-pack/plugins/case/server/connectors/case/schema.ts
 export const ResilientFieldsRT = rt.type({
   incidentTypes: rt.union([rt.array(rt.string), rt.null]),
   severityCode: rt.union([rt.string, rt.null]),

x-pack/plugins/case/common/api/connectors/servicenow_itsm.ts

@@ -7,10 +7,13 @@
 
 import * as rt from 'io-ts';
 
+// New fields should also be added at: x-pack/plugins/case/server/connectors/case/schema.ts
 export const ServiceNowITSMFieldsRT = rt.type({
   impact: rt.union([rt.string, rt.null]),
   severity: rt.union([rt.string, rt.null]),
   urgency: rt.union([rt.string, rt.null]),
+  category: rt.union([rt.string, rt.null]),
+  subcategory: rt.union([rt.string, rt.null]),
 });
 
 export type ServiceNowITSMFieldsType = rt.TypeOf<typeof ServiceNowITSMFieldsRT>;

x-pack/plugins/case/common/api/connectors/servicenow_sir.ts

@@ -7,6 +7,7 @@
 
 import * as rt from 'io-ts';
 
+// New fields should also be added at: x-pack/plugins/case/server/connectors/case/schema.ts
 export const ServiceNowSIRFieldsRT = rt.type({
   category: rt.union([rt.string, rt.null]),
   destIp: rt.union([rt.boolean, rt.null]),

x-pack/plugins/case/server/connectors/case/index.test.ts

@@ -153,6 +153,8 @@ describe('case connector', () => {
                     impact: 'Medium',
                     severity: 'Medium',
                     urgency: 'Medium',
+                    category: 'software',
+                    subcategory: 'os',
                   },
                 },
                 settings: {
@@ -218,7 +220,13 @@ describe('case connector', () => {
                 id: 'servicenow',
                 name: 'Servicenow',
                 type: '.servicenow',
-                fields: { impact: null, severity: null, urgency: null },
+                fields: {
+                  impact: null,
+                  severity: null,
+                  urgency: null,
+                  category: null,
+                  subcategory: null,
+                },
               },
               settings: {
                 syncAlerts: true,
@@ -293,6 +301,8 @@ describe('case connector', () => {
                   impact: 'Medium',
                   severity: 'Medium',
                   urgency: 'Medium',
+                  category: 'software',
+                  subcategory: 'os',
                   excess: null,
                 },
               },
@@ -470,6 +480,8 @@ describe('case connector', () => {
                   impact: 'Medium',
                   severity: 'Medium',
                   urgency: 'Medium',
+                  category: 'software',
+                  subcategory: 'os',
                 },
               },
             },
@@ -517,7 +529,13 @@ describe('case connector', () => {
                 id: 'servicenow',
                 name: 'Servicenow',
                 type: '.servicenow',
-                fields: { impact: null, severity: null, urgency: null },
+                fields: {
+                  impact: null,
+                  severity: null,
+                  urgency: null,
+                  category: null,
+                  subcategory: null,
+                },
               },
             },
           });
@@ -590,6 +608,8 @@ describe('case connector', () => {
                   impact: 'Medium',
                   severity: 'Medium',
                   urgency: 'Medium',
+                  category: 'software',
+                  subcategory: 'os',
                   excess: null,
                 },
               },

x-pack/plugins/case/server/connectors/case/schema.ts

@@ -53,6 +53,8 @@ const ServiceNowFieldsSchema = schema.object({
   impact: schema.nullable(schema.string()),
   severity: schema.nullable(schema.string()),
   urgency: schema.nullable(schema.string()),
+  category: schema.nullable(schema.string()),
+  subcategory: schema.nullable(schema.string()),
 });
 
 const NoneFieldsSchema = schema.nullable(schema.object({}));

x-pack/plugins/case/server/connectors/servicenow/itsm_formatter.ts

@@ -9,9 +9,9 @@ import { ServiceNowITSMFieldsType, ConnectorServiceNowITSMTypeFields } from '../
 import { ExternalServiceFormatter } from '../types';
 
 const format: ExternalServiceFormatter<ServiceNowITSMFieldsType>['format'] = (theCase) => {
-  const { severity = null, urgency = null, impact = null } =
+  const { severity = null, urgency = null, impact = null, category = null, subcategory = null } =
     (theCase.connector.fields as ConnectorServiceNowITSMTypeFields['fields']) ?? {};
-  return { severity, urgency, impact };
+  return { severity, urgency, impact, category, subcategory };
 };
 
 export const serviceNowITSMExternalServiceFormatter: ExternalServiceFormatter<ServiceNowITSMFieldsType> = {

x-pack/plugins/case/server/connectors/servicenow/itsm_formmater.test.ts

@@ -10,7 +10,9 @@ import { serviceNowITSMExternalServiceFormatter } from './itsm_formatter';
 
 describe('ITSM formatter', () => {
   const theCase = {
-    connector: { fields: { severity: '2', urgency: '2', impact: '2' } },
+    connector: {
+      fields: { severity: '2', urgency: '2', impact: '2', category: 'software', subcategory: 'os' },
+    },
   } as CaseResponse;
 
   it('it formats correctly', async () => {
@@ -21,6 +23,12 @@ describe('ITSM formatter', () => {
   it('it formats correctly when fields do not exist ', async () => {
     const invalidFields = { connector: { fields: null } } as CaseResponse;
     const res = await serviceNowITSMExternalServiceFormatter.format(invalidFields, []);
-    expect(res).toEqual({ severity: null, urgency: null, impact: null });
+    expect(res).toEqual({
+      severity: null,
+      urgency: null,
+      impact: null,
+      category: null,
+      subcategory: null,
+    });
   });
 });

x-pack/plugins/security_solution/cypress/objects/case.ts

@@ -153,6 +153,18 @@ export const executeResponses = {
           value: 'inbound_ddos',
           element: 'subcategory',
         },
+        {
+          dependent_value: '',
+          label: 'Software',
+          value: 'software',
+          element: 'category',
+        },
+        {
+          dependent_value: 'software',
+          label: 'Operation System',
+          value: 'os',
+          element: 'subcategory',
+        },
         ...['severity', 'urgency', 'impact', 'priority']
           .map((element) => [
             {

x-pack/plugins/security_solution/cypress/tasks/create_new_case.ts

@@ -92,6 +92,6 @@ export const fillIbmResilientConnectorOptions = (
   ibmResilientConnector.incidentTypes.forEach((incidentType) => {
     cy.get(SELECT_INCIDENT_TYPE).type(`${incidentType}{enter}`, { force: true });
   });
-  cy.get(CONNECTOR_RESILIENT).click();
+  cy.get(CONNECTOR_RESILIENT).click({ force: true });
   cy.get(SELECT_SEVERITY).select(ibmResilientConnector.severity);
 };

x-pack/plugins/security_solution/public/cases/components/connectors/mock.ts

@@ -58,6 +58,18 @@ export const choices = [
     value: 'inbound_ddos',
     element: 'subcategory',
   },
+  {
+    dependent_value: '',
+    label: 'Software',
+    value: 'software',
+    element: 'category',
+  },
+  {
+    dependent_value: 'software',
+    label: 'Operation System',
+    value: 'os',
+    element: 'subcategory',
+  },
   ...['severity', 'urgency', 'impact', 'priority']
     .map((element) => [
       {

x-pack/plugins/security_solution/public/cases/components/connectors/servicenow/helpers.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { EuiSelectOption } from '@elastic/eui';
+import { Choice } from './types';
+
+export const choicesToEuiOptions = (choices: Choice[]): EuiSelectOption[] =>
+  choices.map((choice) => ({ value: choice.value, text: choice.label }));