diff --git a/docs/cases/cases-index.asciidoc b/docs/cases/cases-index.asciidoc index 6686fc6052..48ee2bf5d6 100644 --- a/docs/cases/cases-index.asciidoc +++ b/docs/cases/cases-index.asciidoc @@ -2,6 +2,6 @@ include::cases-overview.asciidoc[leveloffset=+1] include::cases-manage.asciidoc[leveloffset=+2] -include::cases-ui-integrations.asciidoc[leveloffset=+1] +include::cases-manage-settings.asciidoc[leveloffset=+1] include::indicators-of-compromise.asciidoc[leveloffset=+1] diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-manage-settings.asciidoc similarity index 64% rename from docs/cases/cases-ui-integrations.asciidoc rename to docs/cases/cases-manage-settings.asciidoc index df17950283..65e76ae15c 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-manage-settings.asciidoc 
@@ -1,10 +1,34 @@ -[[cases-ui-integrations]] -== Configure external connections -:frontmatter-description: Create and add external connectors to send cases to third-party systems. +[[cases-manage-settings]] +== Configure case settings +:frontmatter-description: Change the default behavior of cases by adding connectors, custom fields, templates, and closure options. :frontmatter-tags-products: [security] :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] +To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to *Cases* -> *Settings*. + +[role="screenshot"] +image::images/cases-settings.png[Shows the case settings page] +// NOTE: This is an autogenerated screenshot. Do not edit it directly. + +* <>. +* <>. +* <>. +* <>. + +[[close-connector]] +[float] +[[close-sent-cases]] +=== Case closures + +If you close cases in your external incident management system, the cases will remain open in {elastic-sec} until you close them manually. + +To close cases when they are sent to an external system, select *Automatically close cases when pushing new incident to external system*. + +[float] +[[cases-ui-integrations]] +=== External incident management systems + You can push {elastic-sec} cases to these third-party systems: * {sn-itsm} 
@@ -19,17 +43,8 @@ To push cases, you need to create a connector, which stores the information requ IMPORTANT: To create connectors and send cases to external systems, you need the https://www.elastic.co/subscriptions[appropriate license], and your role needs *All* privileges for the *Action and Connectors* feature. For more information, refer to <>. -[float] -[[create-new-connector]] -=== Create a new connector +To create a new connector: -. Go to *Cases* -> *Settings*. -+ --- -[role="screenshot"] -image::images/cases-settings.png[Shows the case settings page] -// NOTE: This is an autogenerated screenshot. Do not edit it directly. --- . From the *Incident management system* list, select *Add new connector*. . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, *{swimlane}*, or *{webhook-cm}*. . Enter your required settings. For connector configuration details, refer to: @@ -40,9 +55,21 @@ image::images/cases-settings.png[Shows the case settings page] - {kibana-ref}/swimlane-action-type.html[{swimlane} connector] - {kibana-ref}/cases-webhook-action-type.html[{webhook-cm} connector] +[[modify-connector]] +[[modify-connector-settings]] +To change the settings of an existing connector: + +. Select the required connector from the incident management system list. +. Click *Update *. +. In the *Edit connector* flyout, modify the connector fields as required, then click *Save & close* to save your changes. + +[[default-connector]] +[[change-default-connector]] +To change the default connector used to send cases to external systems, select the required connector from the incident management system list. + [float] [[mapped-case-fields]] -=== Mapped case fields +==== Mapped case fields When you export an {elastic-sec} case to an external system, case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. For the {webhook-cm} connector, case fields can be mapped to custom or pre-existing fields in the external system you're connecting to. 
@@ -77,48 +104,28 @@ New and edited comments are added to incident records when pushed to {sn}, {jira |=== -[[close-connector]] -[float] -[[close-sent-cases]] -=== Close sent cases automatically - -To close cases when they are sent to an external system, select -*Automatically close Security cases when pushing new incident to external system*. - -[[default-connector]] [float] -[[change-default-connector]] -=== Change the default connector - -To change the default connector used to send cases to external systems, go to *Cases* -> *Settings* and select the required connector from the Incident management system list. +[[cases-templates]] +=== Templates -//// -TO-DO: Remove, refresh, or automate screenshot -[role="screenshot"] -image::images/cases-change-default-connector.png[Shows list of available connectors] -//// +preview::[] -[[add-connector]] -[float] -=== Add connectors +You can make the case creation process faster and more consistent by adding templates. +A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields. -After you <>, you can add connectors to it. From the case details page, go to *Settings*, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time. +To create a template: +. In the *Templates* section, click *Add template*. ++ +-- [role="screenshot"] -image::images/add-connectors.png[width=60%][height=60%][Shows how to add connectors] - - -[[modify-connector]] -[float] -[[modify-connector-settings]] -=== Modify connector settings +image::images/cases-add-template.png[Add a template in case settings] +// NOTE: This is an autogenerated screenshot. Do not edit it directly. +-- -To change the settings of an existing connector: +. You must provide a template name and case severity. + You can optionally add template tags and a description, values for each case field, and a case connector. -. Go to *Cases* -> *Settings*. -. 
Select the required connector from the Incident management system list. -. Click *Update *. -. In the *Edit connector* flyout, modify the connector fields as required, then click *Save & close* to save your changes. +When users create cases, they can optionally select a template and use its values or override them. -[role="screenshot"] -image::images/cases-modify-connector.png[] +NOTE: If you update or delete templates, existing cases are unaffected. diff --git a/docs/cases/cases-manage.asciidoc b/docs/cases/cases-manage.asciidoc index ac30f11b2b..06543b04a2 100644 --- a/docs/cases/cases-manage.asciidoc +++ b/docs/cases/cases-manage.asciidoc @@ -15,6 +15,9 @@ Open a new case to keep track of security issues and share their details with colleagues. . Go to *Cases*, then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table. + +. If you defined <>, you can optionally select one to use its default field values. preview:[] + . Give the case a name, assign a severity level, and provide a description. You can use https://www.markdownguide.org/cheat-sheet[Markdown] syntax in the case description. + @@ -26,7 +29,10 @@ TIP: You can insert a Timeline link in the case description by clicking the Time . Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary <>. +. If you defined <>, they appear in the *Additional fields* section. preview:[] + . Choose if you want alert statuses to sync with the case's status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case. + . From *External incident management*, select a <>. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`. . Click *Create case*. + 
diff --git a/docs/cases/images/add-connectors.png b/docs/cases/images/add-connectors.png deleted file mode 100644 index 09c7ea617d..0000000000 Binary files a/docs/cases/images/add-connectors.png and /dev/null differ diff --git a/docs/cases/images/cases-add-template.png b/docs/cases/images/cases-add-template.png new file mode 100644 index 0000000000..29075ec9f2 Binary files /dev/null and b/docs/cases/images/cases-add-template.png differ diff --git a/docs/cases/images/cases-change-default-connector.png b/docs/cases/images/cases-change-default-connector.png deleted file mode 100644 index a3bba68601..0000000000 Binary files a/docs/cases/images/cases-change-default-connector.png and /dev/null differ diff --git a/docs/cases/images/cases-modify-connector.png b/docs/cases/images/cases-modify-connector.png deleted file mode 100644 index 714a740f8b..0000000000 Binary files a/docs/cases/images/cases-modify-connector.png and /dev/null differ diff --git a/docs/cases/images/cases-settings.png b/docs/cases/images/cases-settings.png index 71fc21a3ce..fbe37e575d 100644 Binary files a/docs/cases/images/cases-settings.png and b/docs/cases/images/cases-settings.png differ
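Review bot: Renaming `cases-ui-integrations.asciidoc` to `cases-manage-settings.asciidoc` and swapping the include in `cases-index.asciidoc` changes the published page location; the old `[[cases-ui-integrations]]` id survives only as a float subsection inside the new page, so `<<cases-ui-integrations>>` cross-references still resolve, but confirm the docs build has a redirect for the old page URL so external bookmarks are not broken.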
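Review bot: In the new "Case closures" section the option label is given as `*Automatically close cases when pushing new incident to external system*`, whereas the removed text had `*Automatically close Security cases when pushing new incident to external system*`; please verify the new wording matches the current UI string exactly, since readers search for it. Also, `[[close-connector]]`, `[float]` and `[[close-sent-cases]]` are stacked as block attributes on the same section title; Asciidoctor keeps a single `id` per block, so check that both ids actually resolve and, if not, make one of them an inline anchor in the section text.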
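Review bot: The moved step `. Click *Update *.` keeps a stray space before the closing asterisk, which prevents the constrained bold from rendering; change it to `. Click *Update*.`. The same hunk also places two block anchors on plain paragraphs (`[[modify-connector]]` + `[[modify-connector-settings]]` and `[[default-connector]]` + `[[change-default-connector]]`); only one `id` is applied per block, so one id of each pair will likely stop resolving for existing cross-references. Consider keeping the primary id as the block anchor and putting the legacy id inline, for example `[[modify-connector-settings]]To change the settings of an existing connector:`.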
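Review bot: The removed `[[add-connector]]` section ("After you <>, you can add connectors to it. From the case details page, go to *Settings*, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.") has no replacement in this patch, so both the guidance and the id disappear; grep the docs for `<<add-connector>>` and confirm the case-details-page connector behaviour is documented elsewhere before dropping it. Minor: the new templates list uses a `+` / `--` open block for the screenshot and a `+` continuation for the optional-values paragraph, which is consistent with the rest of the file.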
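Review bot: The new create-case step "If you defined <>, you can optionally select one to use its default field values." should say that the prefilled values can still be changed in the following steps; the settings page states that users can "use its values or override them", and without that sentence here a reader may assume a template locks the fields. The elided `<>` targets in both new steps need to point at the `[[cases-templates]]` section and the custom-fields section of the settings page respectively.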
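Review bot: Deleting `cases-change-default-connector.png` is safe since its only reference was inside the removed `////` comment block, but `add-connectors.png` and `cases-modify-connector.png` were referenced by sections this patch deletes; confirm no other page still includes them, and note that `cases-settings.png` is an autogenerated screenshot that should be refreshed by the screenshot job rather than edited by hand.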