3fcdc062fa
## Summary XSOAR action connector, enabling users to send alerts generated by the rule detection engine to Palo Alto XSOAR for automation and remediation. ### **create connector**  ### **test connector** 1. **test page**  2. **select playbook**  ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Sergi Massaneda <sergi.massaneda@elastic.co> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
7.8 KiB
| mapped_pages | navigation_title | applies_to | |||||
|---|---|---|---|---|---|---|---|
|
Connectors |
|
Kibana connectors [action-types]
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Actions are instantiations of a connector that are linked to rules and run as background tasks on the {{kib}} server when rule conditions are met. {{kib}} provides the following types of connectors:
- {{bedrock}}: Send a request to {{bedrock}}.
- Cases: Add alerts to cases.
- CrowdStrike: Send a request to CrowdStrike.
- D3 Security: Send a request to D3 Security.
- {{gemini}}: Send a request to {{gemini}}.
- Elastic Managed LLM: Send a request to Elastic Managed LLM.
- Email: Send email from your server.
- {{ibm-r}}: Create an incident in {{ibm-r}}.
- Index: Index data into Elasticsearch.
- Jira: Create an incident in Jira.
- Microsoft Defender for Endpoint: Send requests to Microsoft Defender-enrolled hosts.
- Microsoft Teams: Send a message to a Microsoft Teams channel.
- Observability AI Assistant: Add AI-driven insights and custom actions to your workflow.
- OpenAI: Send a request to OpenAI.
- {{opsgenie}}: Create or close an alert in {{opsgenie}}.
- PagerDuty: Send an event in PagerDuty.
- SentinelOne: Send a request to SentinelOne.
- ServerLog: Add a message to a Kibana log.
- {{sn-itsm}}: Create an incident in {{sn}}.
- {{sn-sir}}: Create a security incident in {{sn}}.
- {{sn-itom}}: Create an event in {{sn}}.
- Slack: Send a message to a Slack channel or user.
- {{swimlane}}: Create an incident in {{swimlane}}.
- {{hive}}: Create cases and alerts in {{hive}}.
- Tines: Send events to a Tines Story.
- Torq: Trigger a Torq workflow.
- {{webhook}}: Send a request to a web service.
- {{webhook-cm}}: Send a request to a Case Management web service.
- xMatters: Send actionable alerts to on-call xMatters resources.
- {{xsoar}}: Create an incident in Cortex {{xsoar}}.
::::{note} Some connector types are paid commercial features, while others are free. For a comparison of the Elastic subscription levels, go to the subscription page.
::::
Managing connectors [connector-management]
Rules use connectors to route actions to different destinations like log files, ticketing systems, and messaging tools. While each {{kib}} app can offer their own types of rules, they typically share connectors. {{stack-manage-app}} > {{connectors-ui}} offers a central place to view and manage all the connectors in the current space.
% TO DO: Use :class: screenshot
Required permissions [_required_permissions_2]
Access to connectors is granted based on your privileges to alerting-enabled features. For more information, go to Security.
Connector networking configuration [_connector_networking_configuration]
Use the action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.
Connector list [connectors-list]
In {{stack-manage-app}} > {{connectors-ui}}, you can find a list of the connectors in the current space. You can use the search bar to find specific connectors by name and type. The Type dropdown also enables you to filter to a subset of connector types.
% TO DO: Use :class: screenshot
You can delete individual connectors using the trash icon. Alternatively, select multiple connectors and delete them in bulk using the Delete button.
% TO DO: Use :class: screenshot
::::{note} You can delete a connector even if there are still actions referencing it. When this happens the action will fail to run and errors appear in the {{kib}} logs.
::::
Creating a new connector [creating-new-connector]
New connectors can be created with the Create connector button, which guides you to select the type of connector and configure its properties.
% TO DO: Use :class: screenshot
After you create a connector, it is available for use any time you set up an action in the current space.
For out-of-the-box and standardized connectors, refer to preconfigured connectors.
::::{tip} You can also manage connectors as resources with the Elasticstack provider for Terraform. For more details, refer to the elasticstack_kibana_action_connector resource. ::::
Importing and exporting connectors [importing-and-exporting-connectors]
To import and export connectors, use the Saved Objects Management UI.
% TO DO: Use :class: screenshot
If a connector is missing sensitive information after the import, a Fix button appears in {{connectors-ui}}.
% TO DO: Use :class: screenshot
Monitoring connectors [monitoring-connectors]
The Task Manager health API helps you understand the performance of all tasks in your environment. However, if connectors fail to run, they will report as successful to Task Manager. The failure stats will not accurately depict the performance of connectors.
For more information on connector successes and failures, refer to the Event log index.