Description
Describe the feature:
Our current case capability allows users to send a case to external systems such as ServiceNow ITSM, Atlassian Jira, and IBM Resilient. This feature will allow users to categorize the case using the types supported by the external system.
Describe a specific use case for the feature:
Elastic's case feature supports the analyst workflow for collecting the various pieces of evidence relevant to an investigation, and acts as a collaboration feature that lets other analysts view the existing details and comment on them. There are several Incident fields that a user will want to fill out for each case. For example, the type of case (phishing, malware, C2 communication, identity privilege escalation) is critical to capture, persist, and send to the external systems using their own taxonomy. When an analyst is ready to push a case to an external system configured as a connector, they will be presented with Incident fields populated from the ServiceNow ITSM Incident data model.
Currently we allow users to fill out the following ServiceNow ITSM Incident fields directly from the Alerts UI:
- Urgency
- Severity
- Impact
- Description
- Short Description
- Additional Comments
In addition to the fields listed above, we should add the following field selections when we recreate this capability in Cases:
- Category
- Sub Category
- Assigned to
The list of categories and sub-categories supported by ServiceNow ITSM is available here: https://docs.servicenow.com/bundle/orlando-it-service-management/page/product/incident-management/reference/r_CategorizingIncidents.html