kibana/docs/settings
Sergi Massaneda 6bba30f94c
[Security Solution] Tines connector (#143505)
## Summary

Issue: https://github.com/elastic/kibana/issues/140066
Doc:
https://docs.google.com/document/d/14BY-6CIin1CUH5bwJJgfrGl37hWO-CeNMdl_35agpvk/edit?usp=sharing

Create a new connector type that offers a low-friction/low-effort approach
to augmenting Elastic capabilities with the SOAR capabilities of Tines.

## Implementation

The Tines connector implements subActionConnector, with 4 subActions
configured:

- **stories**: Retrieves the Story objects available to the user from Tines, to
render the Story selector options in the params form. It uses the
`email` and `token` authentication headers from the configuration.
It is requested only when the form opens and when the connector instance
changes.

- **webhooks**: Retrieves the Webhook objects available for the Story from
Tines, to render the Webhook selector in the params form. It uses the
`email` and `token` authentication headers from the configuration and
the `story_id` parameter.
There is no filter for `type` in the actions (a.k.a. agents) endpoint,
so we have to request all actions and filter them by `type ===
'Agents::WebhookAgent'` on our side.
It is requested every time the selected story changes.

- **run**: The main action execution. It sends the alerts to the configured
Tines webhook, using the webhook's `path` and `secret` values. There is
no template to render; the data coming from the execution is just pruned
(the `kibana` entry is removed from all `context.alerts`) and sent
directly to Tines in the same format.

- **test**: The test form execution. It ends up calling **run** but
using a parametrized body.

### Pagination

Both **stories** and **webhooks** subActions need pagination, since
Tines does not expose any search endpoint for them. The current hard limit
is 100 pages. The `paginatedRequest` function in the connector
implementation encapsulates this logic.

## Testing

1- Create a [Tines](https://www.tines.com/) free account.

2- Create a [new
Story](https://www.tines.com/docs/quickstart/simple-story) and attach a
[Webhook
Action](https://www.tines.com/docs/quickstart/creating-an-action) to
start receiving events.

3- Create an [API token](https://www.tines.com/api/authentication).

4- Configure the Tines Connector in Kibana using the Tines tenant URL
that has been generated in the Tines app, the email used to sign in, and
the generated API token.
[docs](https://github.com/semd/kibana/blob/140066_tines_connector/docs/management/connectors/action-types/tines.asciidoc#connector-configuration)

5- Attach the Tines Connector to a Detection Rule, selecting the Story
and Webhooks created.
[docs](https://github.com/semd/kibana/blob/140066_tines_connector/docs/management/connectors/action-types/tines.asciidoc#actions)

6- After each rule execution, events should appear in the Tines webhook
action.

## Screenshots

Configure a Tines connector


![tines_connector_selection](https://user-images.githubusercontent.com/17747913/196389019-820aff49-6ad6-442e-a69f-3c782cbd65e6.png)


![tines_connector_config](https://user-images.githubusercontent.com/17747913/198035138-e7f3bb25-ebd1-4cfd-9cc5-b0bfe434c25c.png)

Use the Tines connector


![tines_rule_action](https://user-images.githubusercontent.com/17747913/196389010-c87045a4-2b74-4903-9a81-ccbcff09fbf1.png)


![tine_params_form](https://user-images.githubusercontent.com/17747913/198034501-7e9ad912-111e-48b6-8387-fcf6f0663511.png)

Tines events


![tines_events](https://user-images.githubusercontent.com/17747913/196734338-91e1a397-2d03-4ee6-8ad2-16cb39abe9bf.png)

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common
scenarios

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
2022-11-14 13:04:47 +01:00
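As an added example, not code from this PR or from Kibana, the following constructed in-memory model shows the three behaviours the commit message describes: pagination with the 100-page hard cap, the client-side `Agents::WebhookAgent` filter, and pruning the `kibana` entry from alerts. All names (`Page`, `Agent`, `fetchAllPages`, `webhooksOf`, `pruneAlerts`, `sampleAgentsPage`) and the sample agents are assumptions; the real connector is asynchronous and calls the Tines API over HTTP.

```typescript
// Added example (not the Kibana connector's code): constructed model of capped
// pagination, the client-side webhook filter and alert pruning. All names and the
// sample data below are assumptions; the real implementation is async over HTTP.

type Page<T> = { items: T[]; nextPage: number | null };
type Agent = { id: number; name: string; type: string; story_id: number };
type Alert = { id: string; kibana?: unknown; [key: string]: unknown };

// Collects every page from a page-fetching callback, stopping at the hard cap so a
// runaway or never-ending "next page" cursor cannot keep the connector requesting forever.
export function fetchAllPages<T>(fetchPage: (page: number) => Page<T>, maxPages = 100): T[] {
  const out: T[] = [];
  let page: number | null = 1;
  let requested = 0;
  while (page !== null && requested < maxPages) {
    const res = fetchPage(page);
    out.push(...res.items);
    page = res.nextPage;
    requested += 1;
  }
  return out;
}

// The actions (agents) endpoint has no `type` filter, so webhooks are selected client-side.
export function webhooksOf(agents: Agent[], storyId: number): Agent[] {
  return agents.filter((a) => a.story_id === storyId && a.type === 'Agents::WebhookAgent');
}

// Removes the `kibana` entry from each alert; every other field is sent unchanged.
export function pruneAlerts(alerts: Alert[]): Alert[] {
  return alerts.map((alert) => {
    const copy: Alert = { ...alert };
    delete copy.kibana;
    return copy;
  });
}

// Constructed sample data standing in for the Tines agents endpoint (two agents per page).
// 'Agents::OtherAgent' is a made-up type, present only to show the filter dropping it.
const SAMPLE_AGENTS: Agent[] = [
  { id: 1, name: 'Webhook A', type: 'Agents::WebhookAgent', story_id: 7 },
  { id: 2, name: 'Not a webhook', type: 'Agents::OtherAgent', story_id: 7 },
  { id: 3, name: 'Webhook B', type: 'Agents::WebhookAgent', story_id: 8 },
  { id: 4, name: 'Webhook C', type: 'Agents::WebhookAgent', story_id: 7 },
];
export function sampleAgentsPage(page: number): Page<Agent> {
  const perPage = 2;
  const items = SAMPLE_AGENTS.slice((page - 1) * perPage, page * perPage);
  return { items, nextPage: page * perPage < SAMPLE_AGENTS.length ? page + 1 : null };
}
```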
| File | Last commit | Date |
|---|---|---|
| images | docs: APM spaces (#132071) | 2022-06-02 15:06:00 -04:00 |
| alert-action-settings.asciidoc | [Security Solution] Tines connector (#143505) | 2022-11-14 13:04:47 +01:00 |
| apm-settings.asciidoc | [APM] Move service metric config to kibana advanced settings (#141147) | 2022-09-21 11:12:52 +02:00 |
| banners-settings.asciidoc | [DOCS] Reformats the AleBanner settings tables into definition lists (#107966) | 2021-08-20 10:03:51 -05:00 |
| enterprise-search-settings.asciidoc | [DOCS] Add settings for Enterprise Search (#126711) | 2022-03-02 12:58:15 -08:00 |
| fleet-settings.asciidoc | [Fleet] Add docs for package verification GPG key (#144707) | 2022-11-07 14:25:05 -05:00 |
| general-infra-logs-ui-settings.asciidoc | remove source config settings (#130931) | 2022-04-27 09:41:51 -05:00 |
| i18n-settings.asciidoc | [i18n] a few docs updates (#127964) | 2022-03-17 18:18:49 +02:00 |
| infrastructure-ui-settings.asciidoc | [DOCS] Edits titles in Setup section for consistency (#68451) | 2020-06-08 14:46:26 -07:00 |
| logging-settings.asciidoc | Document rolling file appender numeric strategy max. (#134171) | 2022-06-13 13:01:14 -04:00 |
| logs-ui-settings.asciidoc | [DOCS] Edits titles in Setup section for consistency (#68451) | 2020-06-08 14:46:26 -07:00 |
| monitoring-settings.asciidoc | [Stack Monitoring] Add stale status reporting for Kibana (#132613) | 2022-06-08 11:31:17 +02:00 |
| reporting-settings.asciidoc | Puppeteer v18.1 (#143485) | 2022-10-19 13:52:33 -07:00 |
| search-sessions-settings.asciidoc | [Search Sessions] Optimize search session so updates (#142850) | 2022-10-11 14:42:47 -04:00 |
| security-settings.asciidoc | Adding Global Access Agreement (#139217) | 2022-09-06 11:54:57 -04:00 |
| settings-xkb.asciidoc | [Breaking] Remove deprecated enabled settings from plugins. (#113495) | 2021-10-17 16:54:30 +01:00 |
| spaces-settings.asciidoc | update monitoring.allowedSpaces documentation (#120362) | 2021-12-07 12:04:07 +01:00 |
| task-manager-settings.asciidoc | [ResponseOps][task manager] log event loop delay for tasks when over configured limit (#126300) | 2022-03-23 10:28:43 -04:00 |
| telemetry-settings.asciidoc | [Telemetry] Make telemetry plugin non-disableable (#133205) | 2022-06-27 16:21:37 +02:00 |
| url-drilldown-settings.asciidoc | [DOCS] Reformats settings in drilldown doc (#120299) | 2021-12-06 11:52:40 -08:00 |