[Security Solution] ServiceNow SIR Connector #82676

Closed
10 of 11 tasks
shimonmodi opened this issue Nov 4, 2020 · 1 comment
Labels
Feature:Cases Cases feature Meta Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@shimonmodi

shimonmodi commented Nov 4, 2020

Describe the feature:
This feature is a connector integration with the ServiceNow Security Incident Response (SIR) application. Enterprise cybersecurity operations teams often use ServiceNow's SIR application to track, prioritize and respond to security incidents. This feature will allow users to:

  • create a ServiceNow SIR connector
  • create ServiceNow SIR connector UI form

Populate the following incident fields for SIR:

  • Category - retrieve possible values from ServiceNow instance & allow user to select before sending
  • Priority - retrieve possible values from ServiceNow instance & allow user to select before sending
  • Short Description - map directly from Description case field
  • Description - add Timeline URLs or Detection Alert URLs attached to the case (if available)
  • Affected resource - allow user to fill before sending (fill automatically from signals index if available)
  • Source IP - allow user to fill before sending (fill automatically from signals index if available)
  • Destination IP - allow user to fill before sending (fill automatically from signals index if available)
  • Malware URL - allow user to fill before sending (fill automatically from signals index if available)
  • Malware Hash - allow user to fill before sending (fill automatically from signals index if available)

More information about Security Incidents here.

More information: Creating Security Incidents from events.

Describe a specific use case for the feature:
SOC analysts and investigators using Elastic Security need a way to coordinate their investigative work with work being done by Incident Responders & IT personnel. This connector will let cybersecurity analysts easily send the results of their triage and investigation work to team members who will take mitigation actions, and also enable automated response playbook capability available in ServiceNow SIR.

Specifically, they want to be able to:

  • Create a new SIR incident directly from Elastic Security based on a case they are investigating.
  • Close the case in Elastic Security when the SIR incident is closed in ServiceNow.
  • View stats about MTTR.
@shimonmodi shimonmodi added Meta Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Cases Cases feature labels Nov 4, 2020
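The field mapping listed in the issue, as an added example that is not part of the original issue or of Kibana's own connector code: a TypeScript function that assembles the SIR incident fields from a case and the detection alerts (signals) attached to it, auto-filling Affected resource, Source IP, Destination IP, Malware URL and Malware Hash from the alerts where values exist and leaving them empty for the user to fill before sending. Category and Priority are checked against the value lists retrieved from the ServiceNow instance, so only an offered value is sent. The SIR-side field names (`short_description`, `dest_ip`, and so on), the ECS-style signal field names (`source.ip`, `destination.ip`, `host.name`, `url.full`, `file.hash.sha256`), and the sample case and alerts are all assumptions made for this illustration.

```typescript
// Added example, not Kibana's connector code. Field names on both sides are
// assumptions chosen to mirror the mapping described in the issue.

interface SecurityCase {
  title: string;
  description: string;
  timelineUrls?: string[];
  alertUrls?: string[];
}

// Minimal shape of a signal (detection alert) document; only the fields the mapping reads.
interface Signal {
  'source.ip'?: string;
  'destination.ip'?: string;
  'host.name'?: string;
  'url.full'?: string;
  'file.hash.sha256'?: string;
}

// Values the user selects from the lists retrieved from the ServiceNow instance.
interface UserChoices {
  category: string;
  priority: string;
}

interface SirIncidentFields {
  category: string;
  priority: string;
  short_description: string;
  description: string;
  affected_resource: string;
  source_ip: string;
  dest_ip: string;
  malware_url: string;
  malware_hash: string;
}

// Collects the distinct non-empty values of one field across all attached signals,
// so a case built from several alerts does not silently drop values.
function collect(signals: Signal[], field: keyof Signal): string {
  const values = new Set<string>();
  for (const s of signals) {
    const v = s[field];
    if (v) values.add(v);
  }
  return Array.from(values).join(', ');
}

// Rejects a selection that is not one of the values the instance offered,
// so free text never reaches a choice-list field on the SIR incident form.
function pickAllowed(value: string, allowed: string[], fieldName: string): string {
  if (!allowed.includes(value)) {
    throw new Error(`${fieldName} "${value}" is not one of the values offered by the instance`);
  }
  return value;
}

function buildSirIncident(
  theCase: SecurityCase,
  signals: Signal[],
  choices: UserChoices,
  allowedCategories: string[],
  allowedPriorities: string[]
): SirIncidentFields {
  // Description carries the Timeline and alert URLs attached to the case, if any.
  const links = [...(theCase.timelineUrls ?? []), ...(theCase.alertUrls ?? [])];
  const description = links.length ? `Links attached to the case:\n${links.join('\n')}` : '';
  return {
    category: pickAllowed(choices.category, allowedCategories, 'category'),
    priority: pickAllowed(choices.priority, allowedPriorities, 'priority'),
    short_description: theCase.description, // mapped directly from the case Description field
    description,
    // Empty string means "not found in signals": the form leaves it for the user to fill.
    affected_resource: collect(signals, 'host.name'),
    source_ip: collect(signals, 'source.ip'),
    dest_ip: collect(signals, 'destination.ip'),
    malware_url: collect(signals, 'url.full'),
    malware_hash: collect(signals, 'file.hash.sha256'),
  };
}

// Constructed sample data (not from a real instance).
const SAMPLE_CASE: SecurityCase = {
  title: 'Suspicious download on workstation',
  description: 'Suspicious download on workstation',
  timelineUrls: ['https://kibana.example/app/security/timelines?id=tl-1'],
  alertUrls: ['https://kibana.example/app/security/alerts?id=al-1', 'https://kibana.example/app/security/alerts?id=al-2'],
};
const SAMPLE_HASH = 'a'.repeat(64); // constructed placeholder, not a real file hash
const SAMPLE_SIGNALS: Signal[] = [
  { 'source.ip': '10.0.0.5', 'destination.ip': '203.0.113.10', 'host.name': 'ws-0042', 'url.full': 'http://203.0.113.10/dl/payload.bin', 'file.hash.sha256': SAMPLE_HASH },
  { 'source.ip': '10.0.0.5', 'destination.ip': '203.0.113.11', 'host.name': 'ws-0042' },
];
const SAMPLE_CATEGORIES = ['Criminal activity/Abuse', 'Spam'];
const SAMPLE_PRIORITIES = ['1 - Critical', '3 - Moderate'];

const sampleIncident = buildSirIncident(
  SAMPLE_CASE, SAMPLE_SIGNALS, { category: 'Spam', priority: '3 - Moderate' }, SAMPLE_CATEGORIES, SAMPLE_PRIORITIES
);
console.log(JSON.stringify(sampleIncident, null, 2));
```

Running the block prints the assembled incident: the shared source IP appears once, the two destination IPs are joined, and the hash and URL come from the alert that carried them. With an empty signal list every auto-filled field is an empty string, which is the state in which the UI form would ask the analyst to fill it before sending.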
@cnasikas
Member

Implemented by #88190
