Xsoar connector backup

docs/management/action-types.asciidoc

@@ -0,0 +1,136 @@
+[role="xpack"]
+[[action-types]]
+== Connectors
+
+Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems.
+Actions are instantiations of a connector that are linked to rules and run as background tasks on the {kib} server when rule conditions are met. {kib} provides the following types of connectors:
+
+* <<bedrock-action-type,{bedrock}>>: Send a request to {bedrock}.
+* <<cases-action-type,Cases>>: Add alerts to cases.
+* <<crowdstrike-action-type,CrowdStrike>>: Send a request to CrowdStrike.
+* <<d3security-action-type,D3 Security>>: Send a request to D3 Security.
+* <<gemini-action-type,{gemini}>>: Send a request to {gemini}.
+* <<email-action-type,Email>>: Send email from your server.
+* <<resilient-action-type,{ibm-r}>>: Create an incident in {ibm-r}.
+* <<index-action-type,Index>>: Index data into Elasticsearch.
+* <<jira-action-type,Jira>>: Create an incident in Jira.
+* <<teams-action-type,Microsoft Teams>>: Send a message to a Microsoft Teams channel.
+* <<obs-ai-assistant-action-type,Observability AI Assistant>>: Add AI-driven insights and custom actions to your workflow.
+* <<openai-action-type,OpenAI>>: Send a request to OpenAI.
+* <<opsgenie-action-type,{opsgenie}>>: Create or close an alert in {opsgenie}.
+* <<pagerduty-action-type,PagerDuty>>: Send an event in PagerDuty.
+* <<sentinelone-action-type,SentinelOne>>: Send a request to SentinelOne.
+* <<server-log-action-type,ServerLog>>: Add a message to a Kibana log.
+* <<servicenow-action-type,{sn-itsm}>>: Create an incident in {sn}.
+* <<servicenow-sir-action-type,{sn-sir}>>: Create a security incident in {sn}.
+* <<servicenow-itom-action-type,{sn-itom}>>: Create an event in {sn}.
+* <<slack-action-type,Slack>>: Send a message to a Slack channel or user.
+* <<swimlane-action-type,{swimlane}>>: Create an incident in {swimlane}.
+* <<thehive-action-type,{hive}>>: Create cases and alerts in {hive}.
+* <<tines-action-type,Tines>>: Send events to a Tines Story.
+* <<torq-action-type,Torq>>: Trigger a Torq workflow.
+* <<webhook-action-type, {webhook}>>: Send a request to a web service.
+* <<cases-webhook-action-type,{webhook-cm}>>: Send a request to a Case Management web service.
+* <<xmatters-action-type,xMatters>>: Send actionable alerts to on-call xMatters resources.
+* <<xsoar-action-type,XSOAR>>: Create an incident in XSOAR.
+
+[NOTE]
+==============================================
+Some connector types are paid commercial features, while others are free.
+For a comparison of the Elastic subscription levels, go to
+{subscriptions}[the subscription page].
+==============================================
+
+[float]
+[[connector-management]]
+=== Managing connectors
+
+Rules use connectors to route actions to different destinations like log files, ticketing systems, and messaging tools. While each {kib} app can offer their own types of rules, they typically share connectors. *{stack-manage-app} > {connectors-ui}* offers a central place to view and manage all the connectors in the current space.
+
+[role="screenshot"]
+image::images/connector-listing.png[Example connector listing in the {rules-ui} UI]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[float]
+=== Required permissions
+
+Access to connectors is granted based on your privileges to alerting-enabled
+features. For more information, go to <<alerting-security>>.
+
+[float]
+=== Connector networking configuration
+
+Use the <<action-settings,action configuration settings>> to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+[float]
+[[connectors-list]]
+=== Connector list
+
+In *{stack-manage-app} > {connectors-ui}*, you can find a list of the connectors
+in the current space. You can use the search bar to find specific connectors by
+name and type. The *Type* dropdown also enables you to filter to a subset of
+connector types.
+
+[role="screenshot"]
+image::images/connector-filter-by-type.png[Filtering the connector list by types of connectors]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+You can delete individual connectors using the trash icon. Alternatively, select
+multiple connectors and delete them in bulk using the *Delete* button.
+
+[role="screenshot"]
+image::images/connector-delete.png[Deleting connectors individually or in bulk]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[NOTE]
+============================================================================
+You can delete a connector even if there are still actions referencing it.
+When this happens the action will fail to run and errors appear in the {kib} logs.
+============================================================================
+
+[float]
+[[creating-new-connector]]
+=== Creating a new connector
+
+New connectors can be created with the *Create connector* button, which guides
+you to select the type of connector and configure its properties.
+
+[role="screenshot"]
+image::images/connector-select-type.png[Connector select type]
+
+After you create a connector, it is available for use any time you set up an
+action in the current space.
+
+For out-of-the-box and standardized connectors, refer to
+<<pre-configured-connectors,preconfigured connectors>>.
+
+TIP: You can also manage connectors as resources with the https://registry.terraform.io/providers/elastic/elasticstack/latest[Elasticstack provider] for Terraform.
+For more details, refer to the https://registry.terraform.io/providers/elastic/elasticstack/latest/docs/resources/kibana_action_connector[elasticstack_kibana_action_connector] resource.
+
+[float]
+[[importing-and-exporting-connectors]]
+=== Importing and exporting connectors
+
+To import and export connectors, use the
+<<managing-saved-objects,Saved Objects Management UI>>.
+
+[role="screenshot"]
+image::images/connectors-import-banner.png[Connectors import banner, width=50%]
+
+If a connector is missing sensitive information after the import, a **Fix**
+button appears in *{connectors-ui}*.
+
+[role="screenshot"]
+image::images/connectors-with-missing-secrets.png[Connectors with missing secrets]
+
+[float]
+[[monitoring-connectors]]
+=== Monitoring connectors
+
+The <<task-manager-health-monitoring,Task Manager health API>> helps you understand the performance of all tasks in your environment.
+However, if connectors fail to run, they will report as successful to Task Manager. The failure stats will not
+accurately depict the performance of connectors.
+
+For more information on connector successes and failures, refer to the <<event-log-index,Event log index>>.
+
+include::connectors/index.asciidoc[]

docs/management/connectors/action-types/xsoar.asciidoc

@@ -0,0 +1,80 @@
+[[xsoar-action-type]]
+== XSOAR connector and action
+++++
+<titleabbrev>XSOAR</titleabbrev>
+++++
+:frontmatter-description: Add a connector that can create an incident in XSOAR.
+:frontmatter-tags-products: [kibana]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [configure]
+
+XSOAR connector uses the https://cortex-panw.stoplight.io/docs/cortex-xsoar-8/m0qlgh9inh4vk-create-or-update-an-incident[XSOAR REST API] to create Cortex XSOAR incidents.
+
+[float]
+[[define-XSOAR-ui]]
+=== Create connectors in {kib}
+
+You can create connectors in *{stack-manage-app} > {connectors-ui}*
+or as needed when you're creating a rule. For example:
+
+[role="screenshot"]
+image::management/connectors/images/xsoar-connector.png[XSOAR connector]
+
+[float]
+[[xsoar-connector-configuration]]
+==== Connector configuration
+
+XSOAR connectors have the following configuration properties:
+
+Name::         The name of the connector.
+URL::          The instance URL of XSOAR.
+API key::      The API key for authentication in XSOAR.
+API key id::   The API key id for authentication in XSOAR. It is mandatory for cloud instance users.
+
+[float]
+[[xsoar-action-configuration]]
+=== Test connectors
+
+You can test connectors as you're creating or editing the connector in {kib}. For example:
+
+[role="screenshot"]
+image::management/connectors/images/xsoar-params-test.png[XSOAR params test]
+
+XSOAR actions have the following configuration properties.
+
+Name:: The name of the incident.
+Playbook:: The playbook to associate with the incident.
+Start investigation:: Indicates whether to start the investigation process automatically upon creating the new incident.
+Severity:: The severity of the incident: Unknown, Informational, Low, Medium, High or Critical.
++
+--
+NOTE: Use the `Keep severity from rule` toggle to create an incident with the rule's severity.
+--
+
+Body:: A JSON payload that includes additional parameters to to be included in the API request.
++
+[source,json]
+--
+{
+  "details": "This is an example incident",
+  "type": "Unclassified"
+}
+--
+
+[float]
+[[xsoar-connector-networking-configuration]]
+=== Connector networking configuration
+
+Use the <<action-settings, Action configuration settings>> to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+[float]
+[[configure-xsoar]]
+=== Configure XSOAR
+
+To generate an API key in XSOAR:
+
+1. Log in to your XSOAR instance.
+2. Navigate to *Settings & Info > Settings > Integrations > API Keys*.
+3. Generate the *API Key* and copy its value to configure the connector in {kib}.
+
+NOTE: For more information, refer to the https://cortex-panw.stoplight.io/docs/cortex-xsoar-8/t09y7hrb5d14m-create-a-new-api-key[documentation].

docs/management/connectors/index.asciidoc

@@ -0,0 +1,32 @@
+include::action-types/bedrock.asciidoc[leveloffset=+1]
+include::action-types/cases-action-type.asciidoc[leveloffset=+1]
+include::action-types/crowdstrike.asciidoc[leveloffset=+1]
+include::action-types/d3security.asciidoc[leveloffset=+1]
+include::action-types/email.asciidoc[leveloffset=+1]
+include::action-types/gemini.asciidoc[leveloffset=+1]
+// ifeval::["featureAIConnector"=="true"]
+// include::action-types/inference.asciidoc[leveloffset=+1]
+// endif::[]
+include::action-types/resilient.asciidoc[leveloffset=+1]
+include::action-types/index.asciidoc[leveloffset=+1]
+include::action-types/jira.asciidoc[leveloffset=+1]
+include::action-types/teams.asciidoc[leveloffset=+1]
+include::action-types/obs-ai-assistant.asciidoc[leveloffset=+1]
+include::action-types/openai.asciidoc[leveloffset=+1]
+include::action-types/opsgenie.asciidoc[leveloffset=+1]
+include::action-types/pagerduty.asciidoc[leveloffset=+1]
+include::action-types/sentinelone.asciidoc[leveloffset=+1]
+include::action-types/server-log.asciidoc[leveloffset=+1]
+include::action-types/servicenow.asciidoc[leveloffset=+1]
+include::action-types/servicenow-sir.asciidoc[leveloffset=+1]
+include::action-types/servicenow-itom.asciidoc[leveloffset=+1]
+include::action-types/swimlane.asciidoc[leveloffset=+1]
+include::action-types/slack.asciidoc[leveloffset=+1]
+include::action-types/thehive.asciidoc[leveloffset=+1]
+include::action-types/tines.asciidoc[leveloffset=+1]
+include::action-types/torq.asciidoc[leveloffset=+1]
+include::action-types/webhook.asciidoc[leveloffset=+1]
+include::action-types/cases-webhook.asciidoc[leveloffset=+1]
+include::action-types/xmatters.asciidoc[leveloffset=+1]
+include::action-types/xsoar.asciidoc[leveloffset=+1]
+include::pre-configured-connectors.asciidoc[leveloffset=+1]

docs/reference/connectors-kibana/xsoar-action-type.md

@@ -0,0 +1,90 @@
+---
+navigation_title: "XSOAR"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/xsoar-action-type.html
+---
+
+# XSOAR connector and action [xsoar-action-type]
+
+
+XSOAR connector uses the [XSOAR REST API](https://cortex-panw.stoplight.io/docs/cortex-xsoar-8/m0qlgh9inh4vk-create-or-update-an-incident) to create Cortex XSOAR incidents.
+
+
+## Create connectors in {{kib}} [define-xsoar-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}** or as needed when you’re creating a rule. For example:
+
+% TO DO: Use `:class: screenshot`
+![XSOAR connector](../images/xsoar-connector.png)
+
+
+### Connector configuration [xsoar-connector-configuration]
+
+XSOAR connectors have the following configuration properties:
+
+Name
+:   The name of the connector.
+
+URL
+:   The XSOAR instance URL.
+
+API key
+:   The XSOAR API key for authentication.
+
+    ::::{note}
+    If you do not have an API key, refer to [Create a new API key](https://cortex-panw.stoplight.io/docs/cortex-xsoar-8/t09y7hrb5d14m-create-a-new-api-key) to make one for your XSOAR instance.
+    ::::
+
+API key id
+:   The XSOAR API key ID for authentication. (Mandatory for cloud instance users.)
+
+
+## Test connectors [xsoar-action-configuration]
+
+You can test connectors as you’re creating or editing the connector in {{kib}}. For example:
+
+% TO DO: Use `:class: screenshot`
+![XSOAR params test](../images/xsoar-params-test.png)
+
+XSOAR actions have the following configuration properties.
+
+Name
+:   The incident name.
+
+Playbook
+:   The playbook to associate with the incident.
+
+Start investigation
+:   If turned on, will automatically start the investigation process after the incident is created.
+
+Severity
+:   The severity of the incident. Can be `Unknown`, `Informational`, `Low`, `Medium`, `High` or `Critical`.
+
+    ::::{note}
+    Turn on `Keep severity from rule` to create an incident that inherits the rule's severity.
+    ::::
+
+Body
+:   A JSON payload that includes additional parameters to be included in the API request.
+
+    ```json
+    {
+      "details": "This is an example incident",
+      "type": "Unclassified"
+    }
+    ```
+
+
+## Connector networking configuration [xsoar-connector-networking-configuration]
+
+Use the [Action configuration settings](/reference/configuration-reference/alerting-settings.md#action-settings) to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use `xpack.actions.customHostSettings` to set per-host configurations.
+
+
+## Configure XSOAR [configure-xsoar]
+
+To generate an API key in XSOAR:
+
+1. Log in to your XSOAR instance.
+2. Navigate to **Settings & Info > Settings > Integrations > API Keys**.
+3. Generate the **API Key** and copy its value to configure the connector in {{kib}}.
+

docs/reference/toc.yml

@@ -58,11 +58,12 @@ toc:
       - file: connectors-kibana/webhook-action-type.md
       - file: connectors-kibana/cases-webhook-action-type.md
       - file: connectors-kibana/xmatters-action-type.md
+      - file: connectors-kibana/xsoar-action-type.md
       - file: connectors-kibana/pre-configured-connectors.md
   - file: kibana-plugins.md
   - file: commands.md
     children:
       - file: commands/kibana-encryption-keys.md
       - file: commands/kibana-verification-code.md
   - file: osquery-exported-fields.md
-  - file: osquery-manager-prebuilt-packs.md
+  - file: osquery-manager-prebuilt-packs.md