[Docs][Actions] Add docs for Jira and IBM Resilient (#78316)

Christos Nasikas 2020-09-25 16:45:19 +03:00 committed by GitHub
parent 82ceb87475
commit f2fc48dec8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 174 additions and 10 deletions


@ -11,10 +11,19 @@ a| <<email-action-type, Email>>
| Send email from your server.
a| <<resilient-action-type, IBM Resilient>>
| Create an incident in IBM Resilient.
a| <<index-action-type, Index>>
| Index data into Elasticsearch.
a| <<jira-action-type, Jira>>
| Create an incident in Jira.
a| <<pagerduty-action-type, PagerDuty>>
| Send an event in PagerDuty.
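Review bot: the new Jira row reads "Create an incident in Jira." while the jira.asciidoc page added in this same commit says the action type creates Jira issues and names its fields "Issue type" and "Title … for the issue"; suggest `| Create an issue in Jira.` so the table and the page use the same term. The IBM Resilient row ("Create an incident in IBM Resilient.") is consistent with its page and needs no change.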
@ -53,10 +62,12 @@ before {kib} starts.
If you preconfigure a connector, you can also <<preconfigured-action-type-example, preconfigure its action type>>.
include::action-types/email.asciidoc[]
include::action-types/resilient.asciidoc[]
include::action-types/index.asciidoc[]
include::action-types/jira.asciidoc[]
include::action-types/pagerduty.asciidoc[]
include::action-types/server-log.asciidoc[]
include::action-types/servicenow.asciidoc[]
include::action-types/slack.asciidoc[]
include::action-types/webhook.asciidoc[]
include::action-types/pre-configured-connectors.asciidoc[]
include::action-types/servicenow.asciidoc[]
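Review bot: `include::action-types/servicenow.asciidoc[]` appears twice in this hunk, once after server-log and once after pre-configured-connectors. If the second occurrence is the old position being removed (the page being moved into alphabetical order next to the new resilient and jira includes), that is fine; if both lines survive, the page is included twice and its anchors (for example `servicenow-action-type`) become duplicate ids, which breaks the docs build. Worth confirming the final file has exactly one include.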


@ -0,0 +1,77 @@
[role="xpack"]
[[jira-action-type]]
=== Jira action
The Jira action type uses the https://developer.atlassian.com/cloud/jira/platform/rest/v2/[REST API v2] to create Jira issues.
[float]
[[jira-connector-configuration]]
==== Connector configuration
Jira connectors have the following configuration properties:
Name:: The name of the connector. The name is used to identify a connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
URL:: Jira instance URL.
Project key:: Jira project key.
Email (or username):: The account email (or username) for HTTP Basic authentication.
API token (or password):: Jira API authentication token (or password) for HTTP Basic authentication.
[float]
[[Preconfigured-jira-configuration]]
==== Preconfigured action type
[source,text]
--
my-jira:
name: preconfigured-jira-action-type
actionTypeId: .jira
config:
apiUrl: https://elastic.atlassian.net
projectKey: ES
secrets:
email: testuser
apiToken: tokenkeystorevalue
--
`config` defines the action type specific to the configuration and contains the following properties:
[cols="2*<"]
|===
| `apiUrl`
| An address that corresponds to *URL*.
| `projectKey`
| A key that corresponds to *Project Key*.
|===
`secrets` defines sensitive information for the action type:
[cols="2*<"]
|===
| `email`
| A string that corresponds to *Email*.
| `apiToken`
| A string that corresponds to *API Token*. Should be stored in the <<creating-keystore, {kib} keystore>>.
|===
[[jira-action-configuration]]
==== Action configuration
Jira actions have the following configuration properties:
Issue type:: The type of the issue.
Priority:: The priority of the incident.
Labels:: The labels of the incident.
Title:: A title for the issue, used for searching the contents of the knowledge base.
Description:: The details about the incident.
Additional comments:: Additional information for the client, such as how to troubleshoot the issue.
[[configuring-jira]]
==== Configuring and testing Jira
Jira offers free https://www.atlassian.com/software/jira/free[Instances], which you can use to test incidents.
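Review bot: the description of the "Title" action field ("used for searching the contents of the knowledge base") is carried over from the ServiceNow page's "Short description" field and does not apply to a Jira issue; suggest `Title:: A title for the issue.` Two smaller consistency points: `[[Preconfigured-jira-configuration]]` is the only anchor on this page with a capital letter (the others, such as `jira-connector-configuration`, are lowercase), and "Priority" and "Labels" say "of the incident" while the rest of the page talks about issues.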


@ -36,7 +36,7 @@ This is required to encrypt parameters that must be secured, for example PagerDu
If you have security enabled:
* You must have
application privileges to access Metrics, APM, Uptime, or SIEM.
application privileges to access Metrics, APM, Uptime, or Security.
* If you are using a self-managed deployment with security, you must have
Transport Security Layer (TLS) enabled for communication <<configuring-tls-kib-es, between Elasticsearch and Kibana>>.
Alerts uses API keys to secure background alert checks and actions,
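Review bot: the context line directly below the SIEM/Security change expands TLS as "Transport Security Layer (TLS)"; the correct expansion is "Transport Layer Security (TLS)". Since this file is already being touched, suggest fixing the line to `Transport Layer Security (TLS) enabled for communication <<configuring-tls-kib-es, between Elasticsearch and Kibana>>.`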


@ -0,0 +1,76 @@
[role="xpack"]
[[resilient-action-type]]
=== IBM Resilient action
The IBM Resilient action type uses the https://developer.ibm.com/security/resilient/rest/[RESILIENT REST v2] to create IBM Resilient incidents.
[float]
[[resilient-connector-configuration]]
==== Connector configuration
IBM Resilient connectors have the following configuration properties:
Name:: The name of the connector. The name is used to identify a connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
URL:: IBM Resilient instance URL.
Organization ID:: IBM Resilient organization ID.
API key ID:: The authentication key ID for HTTP Basic authentication.
API key secret:: The authentication key secret for HTTP Basic authentication.
[float]
[[Preconfigured-resilient-configuration]]
==== Preconfigured action type
[source,text]
--
my-resilient:
name: preconfigured-resilient-action-type
actionTypeId: .resilient
config:
apiUrl: https://elastic.resilient.net
orgId: ES
secrets:
apiKeyId: testuser
apiKeySecret: tokenkeystorevalue
--
`config` defines the action type specific to the configuration and contains the following properties:
[cols="2*<"]
|===
| `apiUrl`
| An address that corresponds to *URL*.
| `orgId`
| An ID that corresponds to *Organization ID*.
|===
`secrets` defines sensitive information for the action type:
[cols="2*<"]
|===
| `apiKeyId`
| A string that corresponds to *API key ID*.
| `apiKeySecret`
| A string that corresponds to *API Key secret*. Should be stored in the <<creating-keystore, {kib} keystore>>.
|===
[[resilient-action-configuration]]
==== Action configuration
IBM Resilient actions have the following configuration properties:
Incident types:: The incident types of the incident.
Severity code:: The severity of the incident.
Name:: A name for the issue, used for searching the contents of the knowledge base.
Description:: The details about the incident.
Additional comments:: Additional information for the client, such as how to troubleshoot the issue.
[[configuring-resilient]]
==== Configuring and testing IBM Resilient
IBM Resilient offers https://www.ibm.com/security/intelligent-orchestration/resilient[Instances], which you can use to test incidents.
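Review bot: as on the Jira page, the "Name" action field description ("A name for the issue, used for searching the contents of the knowledge base") is copied from the ServiceNow "Short description" field; suggest `Name:: The name of the incident.`, which also avoids calling it an "issue" when every other field on this page says "incident". Also note that `Name::` now appears twice on the page (the connector name and the incident name), so a reader scanning the definition lists may confuse the two; and `[[Preconfigured-resilient-configuration]]` should be lowercase like the other anchors. Minor: the link text "RESILIENT REST v2" would read better as "Resilient REST API v2", matching "REST API v2" on the Jira page.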


@ -10,7 +10,7 @@ The ServiceNow action type uses the https://developer.servicenow.com/app.do#!/re
ServiceNow connectors have the following configuration properties:
Name:: The name of the connector. The name is used to identify a connector in the management UI connector listing, or in the connector list when configuring an action.
Name:: The name of the connector. The name is used to identify a connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
URL:: ServiceNow instance URL.
Username:: Username for HTTP Basic authentication.
Password:: Password for HTTP Basic authentication.
@ -37,7 +37,7 @@ Password:: Password for HTTP Basic authentication.
|===
| `apiUrl`
| An address that corresponds to *Sender*.
| An address that corresponds to *URL*.
|===
@ -47,7 +47,7 @@ Password:: Password for HTTP Basic authentication.
|===
| `username`
| A string that corresponds to *User*.
| A string that corresponds to *Username*.
| `password`
| A string that corresponds to *Password*. Should be stored in the <<creating-keystore, {kib} keystore>>.
@ -62,7 +62,7 @@ ServiceNow actions have the following configuration properties:
Urgency:: The extent to which the incident resolution can delay.
Severity:: The severity of the incident.
Impact:: The effect an incident has on business. Can be measured by the number of affected users or by how critical it is to the business in question.
Short description:: A short description of the incident, used for searching the contents of the knowledge base.
Short description:: A short description for the incident, used for searching the contents of the knowledge base.
Description:: The details about the incident.
Additional comments:: Additional information for the client, such as how to troubleshoot the issue.


@ -6,7 +6,7 @@ beta[]
--
Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, <<xpack-uptime,*Uptime*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> for you to use.
Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*Security*>>, <<xpack-uptime,*Uptime*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> for you to use.
image::images/alerting-overview.png[Alerts and actions UI]
@ -148,7 +148,7 @@ Functionally, {kib} alerting differs in that:
* {kib} alerts tracks and persists the state of each detected condition through *alert instances*. This makes it possible to mute and throttle individual instances, and detect changes in state such as resolution.
* Actions are linked to *alert instances* in {kib} alerting. Actions are fired for each occurrence of a detected condition, rather than for the entire alert.
At a higher level, {kib} alerts allow rich integrations across use cases like <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, and <<xpack-uptime,*Uptime*>>.
At a higher level, {kib} alerts allow rich integrations across use cases like <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*Security*>>, and <<xpack-uptime,*Uptime*>>.
Pre-packaged *alert types* simplify setup, hide the details complex domain-specific detections, while providing a consistent interface across {kib}.
[float]
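Review bot: the context line after the SIEM/Security change, "hide the details complex domain-specific detections", is missing a word; suggest "hide the details of complex domain-specific detections" while this paragraph is being edited.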
@ -171,7 +171,7 @@ To access alerting in a space, a user must have access to one of the following f
* <<xpack-apm,*APM*>>
* <<xpack-infra,*Metrics*>>
* <<xpack-siem,*SIEM*>>
* <<xpack-siem,*Security*>>
* <<xpack-uptime,*Uptime*>>
See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to these features.


@ -2,7 +2,7 @@
[[defining-alerts]]
== Defining alerts
{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, <<xpack-uptime,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*Security*>>, <<xpack-uptime,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
[float]
=== Alert flyout