
[SIEM] [Case] Establish API and schema #50174

Closed
stephmilovic opened this issue Nov 11, 2019 · 4 comments · Fixed by #51535

@stephmilovic
Contributor

stephmilovic commented Nov 11, 2019

  • write a “case” document structure/schema/index using ECS fields
  • write an API to create and manage these documents

Meta for case: #50103

@stephmilovic
Contributor Author

stephmilovic commented Nov 11, 2019

Rough planning...

API endpoints
GET /cases
List, search, filter issues

GET /cases/<number>
Get a single issue document

POST /cases
Post a new case

PATCH /cases/<number>
Update a case with labels, title, description, etc.

POST /cases/<number>/comments
Post a new comment

PATCH /cases/<number>/comments/<comment-id>
Update a comment

@stephmilovic stephmilovic self-assigned this Nov 11, 2019
@stephmilovic stephmilovic added loe:medium Medium Level of Effort Team:SIEM labels Nov 11, 2019
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@stephmilovic
Contributor Author

stephmilovic commented Nov 11, 2019

WIP mappings.json:

{
  "mappings" : {
    "dynamic": false,
    "properties" : {
      "assignees" : {
        "properties" : {
          "name" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      },
      "comments" : {
        "properties" : {
          "comment" : {
            "type" : "keyword",
            "ignore_above" : 1024
          },
          "creation_date" : {
            "type" : "date"
          },
          "id" : {
            "type" : "keyword",
            "ignore_above" : 1024
          },
          "last_edit_date" : {
            "type" : "date"
          },
          "user" : {
            "properties" : {
              "id" : {
                "type" : "keyword",
                "ignore_above" : 1024
              },
              "name" : {
                "type" : "keyword",
                "ignore_above" : 1024
              }
            }
          }
        }
      },
      "creation_date" : {
        "type" : "date"
      },
      "description" : {
        "type" : "keyword",
        "ignore_above" : 1024
      },
      "id" : {
        "type" : "keyword",
        "ignore_above" : 1024
      },
      "last_edit_date" : {
        "type" : "date"
      },
      "name" : {
        "type" : "keyword",
        "ignore_above" : 1024
      },
      "reporter" : {
        "properties" : {
          "id" : {
            "type" : "keyword",
            "ignore_above" : 1024
          },
          "name" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      },
      "state" : {
        "type" : "keyword",
        "ignore_above" : 1024
      },
      "tags" : {
        "type" : "keyword",
        "ignore_above" : 1024
      },
      "type" : {
        "type" : "keyword",
        "ignore_above" : 1024
      }
    }
  }
}


@stephmilovic
Contributor Author

example post:

{
  "creation_date": "2019-08-05T20:52:51.583Z",
  "description": "This is a brand new case of a bad meanie defacing data",
  "id": "case-jyyvppav1tj69d00628097g1",
  "last_edit_date": "2019-08-06T20:52:51.583Z",
  "name": "Super Bad Security Issue",
  "reporter": {
    "id": "user-1234",
    "name": "Astronaut Mike Dexter"
  },
  "state": "open",
  "type": "security",
  "assignees": [
    {
      "id": "user-5678",
      "name": "Hazel Wassername"
    }
  ],
  "comments": [
    {
      "id": "comment-1234",
      "comment": "This looks really bad, good luck with that",
      "creation_date": "2019-08-06T20:52:51.583Z",
      "last_edit_date": "2019-08-06T20:52:51.583Z",
      "user": {
        "id": "user-9101",
        "name": "Dr Spaceman"
      }
    }
  ],
  "tags": [
    "defacement"
  ]
}
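An added example (TypeScript, not Kibana's own code) of how the PATCH /cases/<number> endpoint from the plan above could guard a request body against the WIP mapping: it allowlists the fields a client may change, keeps id, reporter, creation_date and type server-owned, and rejects keyword values longer than the mapping's ignore_above of 1024, which Elasticsearch would store but not index. The allowlist and field shapes are assumptions drawn from the endpoint list and the example post.

```typescript
const KEYWORD_LIMIT = 1024; // "ignore_above" in the WIP mapping above

interface CaseUser { id: string; name: string }
interface CaseDoc {
  id: string; name: string; description: string; state: string; type: string;
  tags: string[]; reporter: CaseUser; assignees: CaseUser[];
  creation_date: string; last_edit_date: string;
}

// A keyword value longer than ignore_above is stored but not indexed, so a
// case with such a tag or name becomes unsearchable by it; reject it instead.
const isKeyword = (v: unknown): v is string =>
  typeof v === 'string' && v.length <= KEYWORD_LIMIT;
const isUser = (v: unknown): v is CaseUser =>
  typeof v === 'object' && v !== null &&
  isKeyword((v as CaseUser).id) && isKeyword((v as CaseUser).name);

// Assumed allowlist of fields a client may change via PATCH, each with the
// shape it must have (the issue only says "labels, title, description, etc.").
// id, reporter, creation_date and type stay server-owned. Lookups go through a
// Map rather than a plain object, so a body key such as "__proto__" is
// rejected like any other unknown field instead of touching a prototype.
const PATCHABLE = new Map<string, (v: unknown) => boolean>([
  ['name', isKeyword],
  ['description', isKeyword],
  ['state', isKeyword],
  ['tags', (v) => Array.isArray(v) && v.every(isKeyword)],
  ['assignees', (v) => Array.isArray(v) && v.every(isUser)],
]);

function applyCasePatch(
  current: CaseDoc, patch: Record<string, unknown>, now: string,
): { doc: CaseDoc; errors: string[] } {
  const errors: string[] = [];
  const accepted: Array<[string, unknown]> = [];
  for (const [key, value] of Object.entries(patch)) {
    const check = PATCHABLE.get(key);
    if (check === undefined) { errors.push(`"${key}" is not a patchable field`); continue; }
    if (!check(value)) { errors.push(`"${key}" is malformed or over ${KEYWORD_LIMIT} chars`); continue; }
    accepted.push([key, value]);
  }
  // Reject the whole patch on any error so a partial write never lands.
  if (errors.length > 0) return { doc: current, errors };
  const doc: CaseDoc = { ...current, last_edit_date: now };
  const target = doc as unknown as Record<string, unknown>;
  for (const [key, value] of accepted) target[key] = value;
  return { doc, errors };
}
```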
