A case template is defined as follows.
{
"name": "ransomware_infection",
"display_name": "Ransomware Infection Template",
"description": "This case template describes first-response tasks to handle an information system compromised by ransomware.",
"author": "DFIR-IRIS",
"classification": "malicious-code:ransomware",
"title_prefix": "[RANS]",
"summary": "# Context \n\n\n# Contact \n\n\n# Actions \n\n\n",
"tags": ["ransomware","malware"],
"tasks": [
{
"title": "Identify the perimeter",
"description": "The perimeter of compromise must be identified",
"tags": ["identify"]
},
{
"title": "Collect compromised hosts",
"description": "Deploy Velociraptor and start collecting evidence",
"tags": ["collect", "velociraptor"]
},
{
"title": "Containment"
}
],
"note_groups": [
{
"title": "Identify",
"notes": [
{
"title": "Identify the compromised accounts",
"content": "# Observations\n\n"
}
]
},
{
"title": "Collect",
"notes": [
{
"title": "Velociraptor deployment"
},
{
"title": "Assets collected",
"content": "# Assets collected\n\n# Assets not collected"
}
]
}
]
}