Add case templates for serverless

elastic · Jul 16, 2024 · ff55d5c · ff55d5c
1 parent bce4151
commit ff55d5c
Show file tree

Hide file tree

Showing 11 changed files with 53 additions and 48 deletions.
diff --git a/docs/serverless/images/cases-settings/security-cases-connectors.png b/docs/serverless/images/cases-settings/security-cases-connectors.png
diff --git a/docs/serverless/images/cases-settings/security-cases-settings.png b/docs/serverless/images/cases-settings/security-cases-settings.png
diff --git a/docs/serverless/images/cases-settings/security-cases-templates.png b/docs/serverless/images/cases-settings/security-cases-templates.png
diff --git a/docs/serverless/images/cases-ui-integrations/-cases-add-connectors.png b/docs/serverless/images/cases-ui-integrations/-cases-add-connectors.png
diff --git a/...rverless/images/cases-ui-integrations/-cases-cases-change-default-connector.png b/...rverless/images/cases-ui-integrations/-cases-cases-change-default-connector.png
diff --git a/docs/serverless/images/cases-ui-integrations/-cases-cases-modify-connector.png b/docs/serverless/images/cases-ui-integrations/-cases-cases-modify-connector.png
diff --git a/docs/serverless/images/cases-ui-integrations/-cases-settings.png b/docs/serverless/images/cases-ui-integrations/-cases-settings.png
diff --git a/docs/serverless/investigate/cases-overview.mdx b/docs/serverless/investigate/cases-overview.mdx
@@ -12,7 +12,7 @@ status: in review
 Collect and share information about security issues by opening a case in ((elastic-sec)). Cases allow you to track key investigation details, collect alerts in a central location, and more. The ((elastic-sec)) UI provides several ways to create and manage cases. Alternatively, you can use the [Cases API](((security-guide))/cases-api-overview.html) to perform the same tasks.
 {/* Link to classic docs until serverless API docs are available. */}
 
-You can also send cases to these external systems by <DocLink slug="/serverless/security/cases-ui-integrations">configuring external connectors</DocLink>:
+You can also send cases to these external systems by <DocLink slug="/serverless/security/cases-settings">configuring external connectors</DocLink>:
 
 * ((sn-itsm))
 * ((sn-sir))

diff --git a/...ess/investigate/cases-ui-integrations.mdx → ...serverless/investigate/cases-settings.mdx b/...ess/investigate/cases-ui-integrations.mdx → ...serverless/investigate/cases-settings.mdx
@@ -1,14 +1,31 @@
 ---
-slug: /serverless/security/cases-ui-integrations
-title: Configure external connections
-description: Create and add external connectors to send cases to third-party systems.
+slug: /serverless/security/cases-settings
+title: Configure case settings
+description: Change the default behavior of ((security)) cases by adding connectors, custom fields, templates, and closure options.
 tags: [ 'serverless', 'security', 'how-to', 'configure' ]
 status: in review
 ---
 
 <DocBadge template="technical preview" />
+
+To access case settings in a ((security)) project, go to **Cases** → **Settings**.
+
+![Shows the case settings page](../images/cases-settings/security-cases-settings.png)
+{/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
+
+<div id="close-connector"></div>
+<div id="close-sent-cases"></div>
+
+## Case closures
+
+If you close cases in your external incident management system, the cases will remain open in ((elastic-sec)) until you close them manually.
+
+To close cases when they are sent to an external system, select **Automatically close Security cases when pushing new incident to external system**.
+
 <div id="cases-ui-integrations"></div>
 
+## External incident management systems
+
 You can push ((elastic-sec)) cases to these third-party systems:
 
 * ((sn-itsm))
@@ -25,16 +42,14 @@ To create connectors and send cases to external systems, you need the Security A
 </DocCallOut>
 
 <div id="create-new-connector"></div>
-
-## Create a new connector
-
-1. Go to **Cases** → **Settings**.
-
-    ![Shows the page for creating connectors](../images/cases-ui-integrations/-cases-settings.png)
-    {/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
+To create a new connector
 
 1. From the **Incident management system** list, select **Add new connector**.
+
 1. Select the system to send cases to: **((sn))**, **((jira))**, **((ibm-r))**, **((swimlane))**, or **((webhook-cm))**.
+   ![Shows the page for creating connectors](../images/cases-settings/security-cases-connectors.png)
+   {/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
+
 1. Enter your required settings. For connector configuration details, refer to:
     - [((sn-itsm)) connector](((kibana-ref))/servicenow-action-type.html)
     - [((sn-sir)) connector](((kibana-ref))/servicenow-sir-action-type.html)
@@ -43,9 +58,20 @@ To create connectors and send cases to external systems, you need the Security A
     - [((swimlane)) connector](((kibana-ref))/swimlane-action-type.html)
     - [((webhook-cm)) connector](((kibana-ref))/cases-webhook-action-type.html)
 
+<div id="modify-connector"></div>
+<div id="modify-connector-settings"></div>
+
+To change the settings of an existing connector:
+
+1. Select the required connector from the incident management system list.
+1. Click **Update \<connector name>**.
+1. In the **Edit connector** flyout, modify the connector fields as required, then click **Save & close** to save your changes.
+
+To change the default connector used to send cases to external systems, select the required connector from the incident management system list.
+
 <div id="mapped-case-fields"></div>
 
-## Mapped case fields
+### Mapped case fields
 
 When you export an ((elastic-sec)) case to an external system, case fields are mapped to existing fields in ((sn)), ((jira)), ((ibm-r)), and ((swimlane)). For the ((webhook-cm)) connector, case fields can be mapped to custom or pre-existing fields in the external system you're connecting to.
 
@@ -112,44 +138,24 @@ Once fields are mapped, you can push updates to external systems, and mapped fie
   </DocRow>
 </DocTable>
 
-<div id="close-connector"></div>
-
-<div id="close-sent-cases"></div>
-
-## Close sent cases automatically
-
-To close cases when they are sent to an external system, select
-**Automatically close Security cases when pushing new incident to external system**.
-
-<div id="default-connector"></div>
-
-<div id="change-default-connector"></div>
-
-## Change the default connector
+## Templates
 
-To change the default connector used to send cases to external systems, go to **Cases** → **Settings** and select the required connector from the Incident management system list.
+<DocCallOut template="technical_preview" />
 
-![Shows list of available connectors](../images/cases-ui-integrations/-cases-cases-change-default-connector.png)
+You can make the case creation process faster and more consistent by adding templates.
+A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
 
-<div id="add-connector"></div>
+To create a template:
 
-## Add connectors
+1. In the **Templates** section, click **Add template**.
 
-After you <DocLink slug="/serverless/security/cases-open-manage" section="open-a-new-case">create a case</DocLink>, you can add connectors to it. From the case details page, go to **External incident management system**, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.
-
-<DocImage size="l" url="../images/cases-ui-integrations/-cases-add-connectors.png" alt="Shows how to add connectors" />
-
-<div id="modify-connector"></div>
-
-<div id="modify-connector-settings"></div>
-
-## Modify connector settings
+    ![Add a case template](../images/cases-settings/security-cases-templates.png)
+    {/* NOTE: This is an autogenerated screenshot. Do not edit it directly. */}
 
-To change the settings of an existing connector:
+1. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector.
 
-1. Go to **Cases** → **Settings**.
-1. Select the required connector from the Incident management system list.
-1. Click **Update \<connector name>**.
-1. In the **Edit connector** flyout, modify the connector fields as required, then click **Save & close** to save your changes.
+When users create cases, they can optionally select a template and use its field values or override them.
 
-![](../images/cases-ui-integrations/-cases-cases-modify-connector.png)
+<DocCallOut>
+If you update or delete templates, existing cases are unaffected.
+</DocCallOut>
diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json
@@ -534,8 +534,7 @@
               "classic-sources": [ "enSecurityCasesOpenManage" ]
             },
             {
-              "slug": "/serverless/security/cases-ui-integrations",
-              "classic-sources": [ "enSecurityCasesUiIntegrations" ]
+              "slug": "/serverless/security/cases-settings"
             }
           ]
         },

diff --git a/docs/serverless/settings/sec-requirements.mdx b/docs/serverless/settings/sec-requirements.mdx
@@ -30,7 +30,7 @@ All features are available as part of the free Basic plan **except**:
 
 * <DocLink slug="/serverless/security/rules-create" section="set-up-alert-notifications-optional">Alert notifications via external systems</DocLink>
 * <DocLink slug="/serverless/security/machine-learning">((ml-cap)) jobs and rules</DocLink>
-* <DocLink slug="/serverless/security/cases-ui-integrations">Cases integration with third-party ticketing
+* <DocLink slug="/serverless/security/cases-settings">Cases integration with third-party ticketing
     systems</DocLink>
 
 ## Advanced configuration and UI options