Merge branch 'main' into issue-5341-unified-timeline-integration

elastic · Jul 22, 2024 · 76cf915 · 76cf915
2 parents 594b681 + ef0470f
commit 76cf915
Show file tree

Hide file tree

Showing 20 changed files with 120 additions and 101 deletions.
diff --git a/docs/cases/cases-index.asciidoc b/docs/cases/cases-index.asciidoc
@@ -2,6 +2,6 @@ include::cases-overview.asciidoc[leveloffset=+1]
 
 include::cases-manage.asciidoc[leveloffset=+2]
 
-include::cases-ui-integrations.asciidoc[leveloffset=+1]
+include::cases-manage-settings.asciidoc[leveloffset=+1]
 
 include::indicators-of-compromise.asciidoc[leveloffset=+1]
diff --git a/docs/cases/cases-ui-integrations.asciidoc → docs/cases/cases-manage-settings.asciidoc b/docs/cases/cases-ui-integrations.asciidoc → docs/cases/cases-manage-settings.asciidoc
@@ -1,10 +1,34 @@
-[[cases-ui-integrations]]
-== Configure external connections
-:frontmatter-description: Create and add external connectors to send cases to third-party systems.
+[[cases-manage-settings]]
+== Configure case settings
+:frontmatter-description: Change the default behavior of cases by adding connectors, custom fields, templates, and closure options.
 :frontmatter-tags-products: [security] 
 :frontmatter-tags-content-type: [how-to] 
 :frontmatter-tags-user-goals: [analyze]
 
+To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to *Cases* -> *Settings*.
+
+[role="screenshot"]
+image::images/cases-settings.png[Shows the case settings page]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+* <<close-sent-cases,Set case closure options>>.
+* <<cases-ui-integrations,Add connectors for external incident management systems>>.
+* <<cases-ui-custom-fields,Add custom fields>>.
+* <<cases-templates,Add templates>>.
+
+[[close-connector]]
+[float]
+[[close-sent-cases]]
+=== Case closures
+
+If you close cases in your external incident management system, the cases will remain open in {elastic-sec} until you close them manually.
+
+To close cases when they are sent to an external system, select *Automatically close cases when pushing new incident to external system*.
+
+[float]
+[[cases-ui-integrations]]
+=== External incident management systems
+
 You can push {elastic-sec} cases to these third-party systems:
 
 * {sn-itsm}
@@ -19,17 +43,8 @@ To push cases, you need to create a connector, which stores the information requ
 IMPORTANT: To create connectors and send cases to external systems, you need the
 https://www.elastic.co/subscriptions[appropriate license], and your role needs *All* privileges for the *Action and Connectors* feature. For more information, refer to <<case-permissions>>.
 
-[float]
-[[create-new-connector]]
-=== Create a new connector
+To create a new connector:
 
-. Go to *Cases* -> *Settings*.
-+
---
-[role="screenshot"]
-image::images/cases-settings.png[Shows the case settings page]
-// NOTE: This is an autogenerated screenshot. Do not edit it directly.
---
 . From the *Incident management system* list, select *Add new connector*.
 . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, *{swimlane}*, or *{webhook-cm}*.
 . Enter your required settings. For connector configuration details, refer to:
@@ -40,9 +55,21 @@ image::images/cases-settings.png[Shows the case settings page]
 - {kibana-ref}/swimlane-action-type.html[{swimlane} connector]
 - {kibana-ref}/cases-webhook-action-type.html[{webhook-cm} connector]
 
+[[modify-connector]]
+[[modify-connector-settings]]
+To change the settings of an existing connector:
+
+. Select the required connector from the incident management system list.
+. Click *Update <connector name>*.
+. In the *Edit connector* flyout, modify the connector fields as required, then click *Save & close* to save your changes.
+
+[[default-connector]]
+[[change-default-connector]]
+To change the default connector used to send cases to external systems, select the required connector from the incident management system list.
+
 [float]
 [[mapped-case-fields]]
-=== Mapped case fields
+==== Mapped case fields
 
 When you export an {elastic-sec} case to an external system, case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. For the {webhook-cm} connector, case fields can be mapped to custom or pre-existing fields in the external system you're connecting to.
 
@@ -77,48 +104,28 @@ New and edited comments are added to incident records when pushed to {sn}, {jira
 
 |===
 
-[[close-connector]]
-[float]
-[[close-sent-cases]]
-=== Close sent cases automatically
-
-To close cases when they are sent to an external system, select
-*Automatically close Security cases when pushing new incident to external system*.
-
-[[default-connector]]
 [float]
-[[change-default-connector]]
-=== Change the default connector
-
-To change the default connector used to send cases to external systems, go to *Cases* -> *Settings* and select the required connector from the Incident management system list.
+[[cases-templates]]
+=== Templates
 
-////
-TO-DO: Remove, refresh, or automate screenshot
-[role="screenshot"]
-image::images/cases-change-default-connector.png[Shows list of available connectors]
-////
+preview::[]
 
-[[add-connector]]
-[float]
-=== Add connectors
+You can make the case creation process faster and more consistent by adding templates.
+A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
 
-After you <<cases-ui-open, create a case>>, you can add connectors to it. From the case details page, go to *Settings*, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.
+To create a template:
 
+. In the *Templates* section, click *Add template*.
++
+--
 [role="screenshot"]
-image::images/add-connectors.png[width=60%][height=60%][Shows how to add connectors]
-
-
-[[modify-connector]]
-[float]
-[[modify-connector-settings]]
-=== Modify connector settings
+image::images/cases-add-template.png[Add a template in case settings]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+--
 
-To change the settings of an existing connector:
+. You must provide a template name and case severity.
+  You can optionally add template tags and a description, values for each case field, and a case connector.
 
-. Go to *Cases* -> *Settings*.
-. Select the required connector from the Incident management system list.
-. Click *Update <connector name>*.
-. In the *Edit connector* flyout, modify the connector fields as required, then click *Save & close* to save your changes.
+When users create cases, they can optionally select a template and use its values or override them.
 
-[role="screenshot"]
-image::images/cases-modify-connector.png[]
+NOTE: If you update or delete templates, existing cases are unaffected.
diff --git a/docs/cases/cases-manage.asciidoc b/docs/cases/cases-manage.asciidoc
@@ -15,6 +15,9 @@ Open a new case to keep track of security issues and share their details with
 colleagues.
 
 . Go to *Cases*, then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table.
+
+. If you defined <<cases-templates,templates>>, you can optionally select one to use its default field values. preview:[]
+
 . Give the case a name, assign a severity level, and provide a description. You can use
 https://www.markdownguide.org/cheat-sheet[Markdown] syntax in the case description.
 +
@@ -26,7 +29,10 @@ TIP: You can insert a Timeline link in the case description by clicking the Time
 . Optionally, add a category, assignees and relevant tags. You can add users only if they
 meet the necessary <<case-permissions,prerequisites>>.
 
+. If you defined <<cases-ui-custom-fields,custom fields>>, they appear in the *Additional fields* section. preview:[]
+
 . Choose if you want alert statuses to sync with the case's status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case.
+
 . From *External incident management*, select a <<cases-ui-integrations,connector>>. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
 . Click *Create case*.
 +

diff --git a/docs/cases/images/add-connectors.png b/docs/cases/images/add-connectors.png
diff --git a/docs/cases/images/cases-add-template.png b/docs/cases/images/cases-add-template.png
diff --git a/docs/cases/images/cases-change-default-connector.png b/docs/cases/images/cases-change-default-connector.png
diff --git a/docs/cases/images/cases-modify-connector.png b/docs/cases/images/cases-modify-connector.png
diff --git a/docs/cases/images/cases-settings.png b/docs/cases/images/cases-settings.png
diff --git a/docs/serverless/images/cases-settings/security-cases-connectors.png b/docs/serverless/images/cases-settings/security-cases-connectors.png
diff --git a/docs/serverless/images/cases-settings/security-cases-settings.png b/docs/serverless/images/cases-settings/security-cases-settings.png
diff --git a/docs/serverless/images/cases-settings/security-cases-templates.png b/docs/serverless/images/cases-settings/security-cases-templates.png
diff --git a/docs/serverless/images/cases-ui-integrations/-cases-add-connectors.png b/docs/serverless/images/cases-ui-integrations/-cases-add-connectors.png
diff --git a/...rverless/images/cases-ui-integrations/-cases-cases-change-default-connector.png b/...rverless/images/cases-ui-integrations/-cases-cases-change-default-connector.png
diff --git a/docs/serverless/images/cases-ui-integrations/-cases-cases-modify-connector.png b/docs/serverless/images/cases-ui-integrations/-cases-cases-modify-connector.png
diff --git a/docs/serverless/images/cases-ui-integrations/-cases-settings.png b/docs/serverless/images/cases-ui-integrations/-cases-settings.png
diff --git a/docs/serverless/investigate/cases-open-manage.mdx b/docs/serverless/investigate/cases-open-manage.mdx
@@ -20,6 +20,7 @@ Open a new case to keep track of security issues and share their details with
 colleagues.
 
 1. Go to **Cases**, then click **Create case**. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the **Create case** button inside the table.
+1. (Optional) If you defined <DocLink slug="/serverless/security/cases-settings">templates</DocLink>, select one to use its default field values. <DocBadge template="technical preview" />
 1. Give the case a name, assign a severity level, and provide a description. You can use
     [Markdown](https://www.markdownguide.org/cheat-sheet) syntax in the case description.
 
@@ -34,7 +35,7 @@ colleagues.
 1. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary <DocLink slug="/serverless/security/cases-requirements">prerequisites</DocLink>.
 
 1. Choose if you want alert statuses to sync with the case's status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case.
-1. From **External incident management**, select a <DocLink slug="/serverless/security/cases-ui-integrations">connector</DocLink>. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
+1. From **External incident management**, select a <DocLink slug="/serverless/security/cases-settings">connector</DocLink>. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
 1. Click **Create case**.
 
     <DocCallOut title="Note">
@@ -102,7 +103,7 @@ To explore a case, click on its name. You can then:
 * <DocLink slug="/serverless/security/cases-open-manage" section="add-files">Add files</DocLink>
 * <DocLink slug="/serverless/security/cases-open-manage" section="add-a-lens-visualization">Add a Lens visualization</DocLink>
 * Modify the case's description, assignees, category, severity, status, and tags. 
-* <DocLink slug="/serverless/security/cases-ui-integrations">Manage connectors</DocLink> and send updates to external systems (if you've added a connector to the case)
+* Manage connectors and send updates to external systems (if you've added a connector to the case)
 * <DocLink slug="/serverless/security/cases-open-manage" section="copy-the-case-uuid">Copy the case UUID</DocLink>
 * Refresh the case to retrieve the latest updates
 

diff --git a/docs/serverless/investigate/cases-overview.mdx b/docs/serverless/investigate/cases-overview.mdx
@@ -12,7 +12,7 @@ status: in review
 Collect and share information about security issues by opening a case in ((elastic-sec)). Cases allow you to track key investigation details, collect alerts in a central location, and more. The ((elastic-sec)) UI provides several ways to create and manage cases. Alternatively, you can use the [Cases API](((security-guide))/cases-api-overview.html) to perform the same tasks.
 {/* Link to classic docs until serverless API docs are available. */}
 
-You can also send cases to these external systems by <DocLink slug="/serverless/security/cases-ui-integrations">configuring external connectors</DocLink>:
+You can also send cases to these external systems by <DocLink slug="/serverless/security/cases-settings">configuring external connectors</DocLink>:
 
 * ((sn-itsm))
 * ((sn-sir))

diff --git a/...ess/investigate/cases-ui-integrations.mdx → ...serverless/investigate/cases-settings.mdx b/...ess/investigate/cases-ui-integrations.mdx → ...serverless/investigate/cases-settings.mdx
@@ -1,14 +1,31 @@
 ---
-slug: /serverless/security/cases-ui-integrations
-title: Configure external connections
-description: Create and add external connectors to send cases to third-party systems.
+slug: /serverless/security/cases-settings
+title: Configure case settings
+description: Change the default behavior of ((security)) cases by adding connectors, custom fields, templates, and closure options.
 tags: [ 'serverless', 'security', 'how-to', 'configure' ]
 status: in review
 ---
 
 <DocBadge template="technical preview" />
+
+To access case settings in a ((security)) project, go to **Cases** → **Settings**.
+
+![Shows the case settings page](../images/cases-settings/security-cases-settings.png)
+{/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
+
+<div id="close-connector"></div>
+<div id="close-sent-cases"></div>
+
+## Case closures
+
+If you close cases in your external incident management system, the cases will remain open in ((elastic-sec)) until you close them manually.
+
+To close cases when they are sent to an external system, select **Automatically close Security cases when pushing new incident to external system**.
+
 <div id="cases-ui-integrations"></div>
 
+## External incident management systems
+
 You can push ((elastic-sec)) cases to these third-party systems:
 
 * ((sn-itsm))
@@ -25,16 +42,14 @@ To create connectors and send cases to external systems, you need the Security A
 </DocCallOut>
 
 <div id="create-new-connector"></div>
-
-## Create a new connector
-
-1. Go to **Cases** → **Settings**.
-
-    ![Shows the page for creating connectors](../images/cases-ui-integrations/-cases-settings.png)
-    {/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
+To create a new connector
 
 1. From the **Incident management system** list, select **Add new connector**.
+
 1. Select the system to send cases to: **((sn))**, **((jira))**, **((ibm-r))**, **((swimlane))**, or **((webhook-cm))**.
+   ![Shows the page for creating connectors](../images/cases-settings/security-cases-connectors.png)
+   {/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
+
 1. Enter your required settings. For connector configuration details, refer to:
     - [((sn-itsm)) connector](((kibana-ref))/servicenow-action-type.html)
     - [((sn-sir)) connector](((kibana-ref))/servicenow-sir-action-type.html)
@@ -43,9 +58,20 @@ To create connectors and send cases to external systems, you need the Security A
     - [((swimlane)) connector](((kibana-ref))/swimlane-action-type.html)
     - [((webhook-cm)) connector](((kibana-ref))/cases-webhook-action-type.html)
 
+<div id="modify-connector"></div>
+<div id="modify-connector-settings"></div>
+
+To change the settings of an existing connector:
+
+1. Select the required connector from the incident management system list.
+1. Click **Update \<connector name>**.
+1. In the **Edit connector** flyout, modify the connector fields as required, then click **Save & close** to save your changes.
+
+To change the default connector used to send cases to external systems, select the required connector from the incident management system list.
+
 <div id="mapped-case-fields"></div>
 
-## Mapped case fields
+### Mapped case fields
 
 When you export an ((elastic-sec)) case to an external system, case fields are mapped to existing fields in ((sn)), ((jira)), ((ibm-r)), and ((swimlane)). For the ((webhook-cm)) connector, case fields can be mapped to custom or pre-existing fields in the external system you're connecting to.
 
@@ -112,44 +138,24 @@ Once fields are mapped, you can push updates to external systems, and mapped fie
   </DocRow>
 </DocTable>
 
-<div id="close-connector"></div>
-
-<div id="close-sent-cases"></div>
-
-## Close sent cases automatically
-
-To close cases when they are sent to an external system, select
-**Automatically close Security cases when pushing new incident to external system**.
-
-<div id="default-connector"></div>
-
-<div id="change-default-connector"></div>
-
-## Change the default connector
+## Templates
 
-To change the default connector used to send cases to external systems, go to **Cases** → **Settings** and select the required connector from the Incident management system list.
+<DocCallOut template="technical_preview" />
 
-![Shows list of available connectors](../images/cases-ui-integrations/-cases-cases-change-default-connector.png)
+You can make the case creation process faster and more consistent by adding templates.
+A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
 
-<div id="add-connector"></div>
+To create a template:
 
-## Add connectors
+1. In the **Templates** section, click **Add template**.
 
-After you <DocLink slug="/serverless/security/cases-open-manage" section="open-a-new-case">create a case</DocLink>, you can add connectors to it. From the case details page, go to **External incident management system**, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.
-
-<DocImage size="l" url="../images/cases-ui-integrations/-cases-add-connectors.png" alt="Shows how to add connectors" />
-
-<div id="modify-connector"></div>
-
-<div id="modify-connector-settings"></div>
-
-## Modify connector settings
+    ![Add a case template](../images/cases-settings/security-cases-templates.png)
+    {/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
 
-To change the settings of an existing connector:
+1. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector.
 
-1. Go to **Cases** → **Settings**.
-1. Select the required connector from the Incident management system list.
-1. Click **Update \<connector name>**.
-1. In the **Edit connector** flyout, modify the connector fields as required, then click **Save & close** to save your changes.
+When users create cases, they can optionally select a template and use its field values or override them.
 
-![](../images/cases-ui-integrations/-cases-cases-modify-connector.png)
+<DocCallOut>
+If you update or delete templates, existing cases are unaffected.
+</DocCallOut>
diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json
@@ -534,8 +534,7 @@
               "classic-sources": [ "enSecurityCasesOpenManage" ]
             },
             {
-              "slug": "/serverless/security/cases-ui-integrations",
-              "classic-sources": [ "enSecurityCasesUiIntegrations" ]
+              "slug": "/serverless/security/cases-settings"
             }
           ]
         },

diff --git a/docs/serverless/settings/sec-requirements.mdx b/docs/serverless/settings/sec-requirements.mdx
@@ -30,7 +30,7 @@ All features are available as part of the free Basic plan **except**:
 
 * <DocLink slug="/serverless/security/rules-create" section="set-up-alert-notifications-optional">Alert notifications via external systems</DocLink>
 * <DocLink slug="/serverless/security/machine-learning">((ml-cap)) jobs and rules</DocLink>
-* <DocLink slug="/serverless/security/cases-ui-integrations">Cases integration with third-party ticketing
+* <DocLink slug="/serverless/security/cases-settings">Cases integration with third-party ticketing
     systems</DocLink>
 
 ## Advanced configuration and UI options