Kibana: Additional action types for alerting

Created on 6 Sep 2019 · 16 comments · Source: elastic/kibana

Would be good to add the following action types to alerting (in no particular order):

  • [x] [7.9] ServiceNow ITSM (shipped in 7.7 as part of SIEM case workflow management, https://github.com/elastic/kibana/issues/53891)
  • [ ] [~7.10] Jira (targeted for 7.8 - also integrated with SIEM case workflow management, https://github.com/elastic/kibana/issues/56426)
  • [ ] [~7.10] IBM Resilient (targeted for 7.9 - also integrated with SIEM case workflow management)
  • [ ] ServiceNow Security Ops (SOAR, distinct from ITSM action above)
  • [ ] Microsoft Teams (https://github.com/elastic/kibana/issues/56395)
  • [ ] OpsGenie (https://github.com/elastic/kibana/issues/56403)
  • [ ] VictorOps (https://github.com/elastic/kibana/issues/56404)
  • [ ] Actions for ESS/ECE/ECK (https://github.com/elastic/kibana/issues/56433)
  • [ ] Amazon Simple Notification Service
  • [ ] Google Hangouts Chat
  • [ ] xMatters (https://github.com/elastic/kibana/issues/74585)
  • [ ] Create report
  • [ ] SOAR tools - Demisto? (maybe SIEM team)
  • [ ] Twilio (https://github.com/elastic/kibana/issues/74584)
  • [ ] [TheHive](https://thehive-project.org/)
  • [ ] GitHub (https://github.com/elastic/kibana/issues/74586)
  • [ ] Trello
  • [ ] Mattermost
  • [ ] SMS
  • [ ] Palo Alto Cortex XSOAR (SOAR, builds off existing Demisto/Elastic integration done by PANW)
  • [ ] Swimlane (SOAR)
  • [ ] BMC Remedy
Labels: Alerting, Meta, Alerting Services


Pinging @elastic/kibana-stack-services

We've talked about creating GH issues as an example; I think action types should probably be that specific, vs. just a "github" action. Were you thinking it could be more general, like a "github" action that had a property indicating what you wanted to do at GH - create an issue vs. comment on an issue vs. ...?

@pmuellr exactly that: creating a GitHub issue. Same thing for Jira.

++ I've been meaning to open an issue like this as well. Seems like we could have a meta issue tracking all actions and detail out the requirements for each action in a separate GitHub issue.

We might as well use THIS issue as the meta issue.

It would be nice to get some prioritization, if there's known demand for some over others.

And we might want to start grouping these - the top of the list is ticketing systems (currently our only "ticketing" action is PagerDuty); the bottom of the list is notification systems (similar to our Slack, email, etc. actions).

Another thing to keep in mind is that as we start adding more of these, folks will want a way to get a URL to a generated ticket to use in a subsequent action. E.g., generate a GH issue, then post a Slack message with the URL to that GH issue. We don't currently support that kind of flow. I fear having notification actions WITHOUT that capability is going to be painful to customers.

@pmuellr I recall the mentions of subsequent actions but somehow we didn't have an issue created for it yet. I went ahead and created one and referenced your comments. https://github.com/elastic/kibana/issues/51282.

Related https://github.com/elastic/kibana/issues/50103 - Case Management for SIEM

Added Trello, which came up as an action used in the Security space but is also broadly applicable.

I've been hearing multiple requests for Mattermost lately, an OSS Slack alternative. Added to the list to track. https://mattermost.com/

++ On TheHive :)

Webhooks can be leveraged to create Alerts or Cases in TheHive 3.4, but a native integration would save those who use TheHive some time from rolling their own integrations.

@arisonl From the SIEM/Security App perspective, our prioritized list of action "connectors":

  • [x] ServiceNow ITSM (shipped in 7.7 as part of SIEM case workflow management) [Platinum]
  • [x] Jira (targeted for 7.8 - also integrated with SIEM case workflow management) [Gold]
  • [x] IBM Resilient (targeted for 7.9 - also integrated with SIEM case workflow management) [Platinum]
  • [ ] ServiceNow Security Ops (SOAR, distinct from ITSM action above) [Platinum]
  • [ ] TheHive [Basic]
  • [ ] Palo Alto Cortex XSOAR (SOAR, builds off existing Demisto/Elastic integration done by PANW) [Platinum]

The TheHive integration would rock!

@arisonl - for the Kibana App (Discover, Visualize, Lens, Dashboard, Canvas, Graph, et al.), and also for general consideration:

  • [ ] IFTTT (Generally, a good idea to force multiple)
  • [ ] PDF generation automation (Adobe, Foxit, etc. For watermarking and PDF security)
  • [ ] GitLab
  • [ ] Bitbucket
  • [ ] Onpage
  • [ ] Chatwork
  • [ ] Flowdock
  • [ ] Moxtra
  • [ ] DingTalk
  • [ ] Microsoft Azure DevOps
  • [ ] Amazon Simple Email Service (SES)
  • [ ] Zendesk
  • [ ] HubSpot

Thank you Mike, Shaun. @shaunmcgough is your list prioritised?

@arisonl negatory.

Here is an initial attempt to gather, break down and prioritise (a superset of what's listed in this issue) - WIP: https://docs.google.com/document/d/1n7LnK_cx1WNoMTPTHFkRxJUgy6Ki0jmEKHQ8Cl0bzcg/edit#heading=h.lfymnl3t4b0r
