TheHive Case Connector (#180138)

## Summary TheHive is a new case connector, enabling users to seamlessly transfer elastic cases to TheHive Security Incident Response Platform. This connector facilitates sub-actions such as creating cases, updating cases, and adding comments and creating alerts. **create connector** ![thehive-connector](https://github.com/elastic/kibana/assets/123942796/1e9a3fc5-c17a-40b5-8a49-87cd0fd74863) **test connector** 1. **create case** ![thehive-params-case-test](https://github.com/elastic/kibana/assets/123942796/2652ea5e-8b47-42d9-9b11-c055efe291b3) 2. **create alert** ![thehive-params-alert-test](https://github.com/elastic/kibana/assets/123942796/8c8759c0-609c-4e34-bc21-35d648e684ab) ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [x] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [x] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Janki Salvi <[email protected]> Co-authored-by: Janki Salvi <[email protected]> Co-authored-by: Elastic Machine <[email protected]>
elastic · Jul 30, 2024 · 696190d · 696190d
1 parent 65069a5
commit 696190d
Show file tree

Hide file tree

Showing 41 changed files with 3,440 additions and 4 deletions.
diff --git a/docs/management/action-types.asciidoc b/docs/management/action-types.asciidoc
@@ -92,6 +92,10 @@ a| <<swimlane-action-type,{swimlane}>>
 
 | Create an incident in {swimlane}.
 
+a| <<thehive-action-type,{thehive}>>
+
+| Create cases and alerts in {thehive}.
+
 a| <<tines-action-type,Tines>>
 
 | Send events to a Tines Story.

diff --git a/docs/management/connectors/action-types/thehive.asciidoc b/docs/management/connectors/action-types/thehive.asciidoc
@@ -0,0 +1,79 @@
+[[thehive-action-type]]
+== TheHive connector and action
+++++
+<titleabbrev>TheHive</titleabbrev>
+++++
+:frontmatter-description: Add a connector that can create cases and alerts in TheHive.
+:frontmatter-tags-products: [kibana]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [configure]
+
+TheHive connector uses the https://docs.strangebee.com/thehive/api-docs/[TheHive (v1) REST API] to create cases and alerts.
+
+[float]
+[[define-thehive-ui]]
+=== Create connectors in {kib}
+
+You can create connectors in *{stack-manage-app} > {connectors-ui}*
+or as needed when you're creating a rule. For example:
+
+[role="screenshot"]
+image::management/connectors/images/thehive-connector.png[TheHive connector]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[float]
+[[thehive-connector-configuration]]
+==== Connector configuration
+
+TheHive connectors have the following configuration properties:
+
+Name::         The name of the connector.
+Organisation:: Organisation name in which user intends to create cases or alerts.
+URL::          TheHive instance URL.
+API Key::      TheHive API key for authentication.
+
+[float]
+[[TheHive-action-configuration]]
+=== Test connectors
+
+You can test connectors for creating a case or an alert with the <<execute-connector-api,run connector API>> or
+as you're creating or editing the connector in {kib}. For example:
+
+[role="screenshot"]
+image::management/connectors/images/thehive-params-case-test.png[TheHive case params test]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[role="screenshot"]
+image::management/connectors/images/thehive-params-alert-test.png[TheHive alert params test]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+TheHive actions have the following configuration properties.
+
+Event Action:: Action that will be performed in thehive. Supported actions are Create Case (default) and Create Alert.
+Title:: Title of the incident.
+Description:: The details about the incident.
+Severity:: Severity of the incident. This can be one of `LOW`, `MEDIUM`(default), `HIGH` or `CRITICAL`.
+TLP:: Traffic Light Protocol designation for the incident. This can be one of `CLEAR`, `GREEN`, `AMBER`(default), `AMBER+STRICT` or `RED`.
+Tags:: The keywords or tags about the incident.
+Additional comments:: Additional information about the Case. 
+Type:: Type of the Alert.
+Source:: Source of the Alert.
+Source Reference:: Source reference of the Alert.
+
+[float]
+[[thehive-connector-networking-configuration]]
+=== Connector networking configuration
+
+Use the <<action-settings, Action configuration settings>> to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+[float]
+[[configure-thehive]]
+=== Configure TheHive
+
+To generate an API Key in TheHive:
+
+1. Log in to your TheHive instance.
+2. Open profile tab and select the settings.
+3. Go to *API Key*.
+4. Click *Create* if no API key has been created previously; otherwise, you can view the API key by clicking on *Reveal*.
+5. Copy the *API key* value to configure the connector in {kib}.
diff --git a/docs/management/connectors/images/thehive-connector.png b/docs/management/connectors/images/thehive-connector.png
diff --git a/docs/management/connectors/images/thehive-params-alert-test.png b/docs/management/connectors/images/thehive-params-alert-test.png
diff --git a/docs/management/connectors/images/thehive-params-case-test.png b/docs/management/connectors/images/thehive-params-case-test.png
diff --git a/docs/management/connectors/index.asciidoc b/docs/management/connectors/index.asciidoc
@@ -19,6 +19,7 @@ include::action-types/servicenow-sir.asciidoc[leveloffset=+1]
 include::action-types/servicenow-itom.asciidoc[leveloffset=+1]
 include::action-types/swimlane.asciidoc[leveloffset=+1]
 include::action-types/slack.asciidoc[leveloffset=+1]
+include::action-types/thehive.asciidoc[leveloffset=+1]
 include::action-types/tines.asciidoc[leveloffset=+1]
 include::action-types/torq.asciidoc[leveloffset=+1]
 include::action-types/webhook.asciidoc[leveloffset=+1]

diff --git a/docs/settings/alert-action-settings.asciidoc b/docs/settings/alert-action-settings.asciidoc
@@ -138,7 +138,7 @@ WARNING: This feature is available in {kib} 7.17.4 and 8.3.0 onwards but is not
 A boolean value indicating that a footer with a relevant link should be added to emails sent as alerting actions. Default: true.
 
 `xpack.actions.enabledActionTypes` {ess-icon}::
-A list of action types that are enabled. It defaults to `["*"]`, enabling all types. The names for built-in {kib} action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, .`servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.tines`, `.torq`, `.xmatters`,  `.gen-ai`,  `.bedrock`, `.gemini`,  `.d3security`, and `.webhook`. An empty list `[]` will disable all action types.
+A list of action types that are enabled. It defaults to `["*"]`, enabling all types. The names for built-in {kib} action types are prefixed with a `.` and include: `.email`, `.index`, `.jira`, `.opsgenie`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, .`servicenow-itom`, `.servicenow-sir`, `.slack`, `.swimlane`, `.teams`, `.thehive`, `.tines`, `.torq`, `.xmatters`,  `.gen-ai`,  `.bedrock`, `.gemini`,  `.d3security`, and `.webhook`. An empty list `[]` will disable all action types.
 +
 Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in {kib} and will not function.