[SIEM] Case workflow integration with third-party system(s)

[MikePaquette]

Describe the feature:

Add a basic case workflow integration with third party systems in SIEM app.

• A “case” document structure/schema/index using ECS fields - Closed: [SIEM] [Case] Establish API and schema #50174 PR: [SIEM] [Case] Case workflow api schema #51535
• A way to “connect to 3rd party case management” function in SIEM settings - In Progress: [SIEM] [Case] Kibana action for ServiceNow #53891 PR: [SIEM] [Case] Service Now Kibana Action #53890, [SIEM][CASE] ServiceNow executor #58894
• An “automatically create case” action (optional) in SIEM detection rule creation workflow, so when case is created in SIEM, a corresponding case is created in the “connected” third party case management system
• A way to “create case /add timeline to case” in SIEM app timeline
• A way to display “cases” as nav item in SIEM app PR: [SIEM] [Case] Initial UI #57283
• A “case view” PR: [SIEM] [Case] Initial UI #57283
• A “case details” view (editor) in SIEM app - when case is closed here, any “connected” third party case is closed.
• Team settings in spaces
• Per user settings

Describe a specific use case for the feature:
SOC analysts and investigators using SIEM app need a way to coordinate their work inside SIEM with work being done by them or others in an external case/ticket management system, security incident response system, or security orchestration/automated response system.

Specifically they want to be able to:

• Open, edit, and close cases within SIEM
• Cause a corresponding case to be created in an external system
• Receive notification in the SIEM if the case has been closed in the external system
• View stats about cases

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[peterschretlen]

@MikePaquette there's a lot of interesting overlap between case workflow and some of the emerging concepts in Kibana like actions & connectors, "kibana alerting", user-events, and "kibana notifications" - and I think much of the use case is portable to other domains.

I'd like to see Kibana stack services being able to support aspects of this that are not security & SIEM specific, if there are any gaps we should fill them.

cc @alexfrancoeur @bmcconaghy

[pmuellr]

Receive notification in the SIEM if the case has been closed in the external system

Ideally you'd like the external system to make an http request into Kibana to indicate a case has been closed, but ... we're not there yet. Kinda falls into the "chat-ops" or related areas.

In the meantime however, creating an an alert or even just task manager task to somehow look for "newly closed cases" or such could work.!

[stephmilovic]

Related Issues:
[SIEM] [Case] ServiceNow Actions #57866
[SIEM] [Case] Configure Cases Page #57864
[SIEM] [Case] All Cases Page #57865
[SIEM] [Case] To dos #57861
[SIEM] [Case] Editable Case View #57863

[cnasikas]

Related PRs:

[SIEM][CASES] Configure cases: Final #59358
[SIEM][CASE] ServiceNow executor #58894