{% if case_template.id %}

Edit case template {{ case_template.display_name }}

{% else %}

Add case template

{% endif %}
{% if case_template.id %}

{{ case_template.display_name }} template

{% else %}

New template

{% endif %}

Case templates prefill case objects such as tasks, tags, and notes when a case is created.
They can be used to encode procedures describing how to respond to a specific kind of incident (phishing, ransomware, APT...).

Case templates can be added and edited in this UI, or they can be uploaded as JSON files.

IRIS validates the contents of the case template before committing it.

Case Template taxonomy

Field types

The supported fields are:
  • name: The name of the case template (required).
  • display_name: The displayed name of the case template.
  • description: The description of the case template.
  • author: The author of the case template (not related to the current user).
  • classification: The classification of the case template. Should be a lowercase name matching an existing classification in IRIS.
  • title_prefix: A prefix to add to case title.
  • summary: content to prefill the summary.
  • tags: A list of case tags.
  • tasks: A list of dictionaries defining tasks. Each task is defined by a title (required), a description, and a list of tags.
  • note_groups: A list of dictionaries defining note groups. Each note group is defined by a title (required) and a list of notes. Each note has a title (required) and content.
Case Template Example
An example case template:

{
    "name": "ransomware_infection",
    "display_name": "Ransomware Infection Template",
    "description": "This case template describes first-response tasks to handle information system compromised by a ransomware.",
    "author": "DFIR-IRIS",
    "classification": "malicious-code:ransomware",
    "title_prefix": "[RANS]",
    "summary": "# Context \n\n\n# Contact \n\n\n# Actions \n\n\n",
    "tags": ["ransomware","malware"],
    "tasks": [
        {
            "title": "Identify the perimeter",
            "description": "The perimeter of compromise must be identified",
            "tags": ["identify"]
        },
        {
            "title": "Collect compromised hosts",
            "description": "Deploy Velociraptor and start collecting evidence",
            "tags": ["collect", "velociraptor"]
        },
        {
            "title": "Containment"
        }
    ],
    "note_groups": [
        {
            "title": "Identify",
            "notes": [
                {
                    "title": "Identify the compromised accounts",
                    "content": "# Observations\n\n"
                }
            ]
        },
        {
            "title": "Collect",
            "notes": [
                {
                    "title": "Velociraptor deployment"
                },
                {
                    "title": "Assets collected",
                    "content": "# Assets collected\n\n# Assets not collected"
                }
            ]
        }
    ]
}
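The field list and the example above describe the shape a template must have but not how a check against it looks in practice. The validator below is an added example written for this page; it is not the validator that ships with IRIS, whose exact checks and error messages may differ. It assumes a strict reading of the taxonomy (unknown fields are rejected, `title` values must be non-empty, `classification` must be lowercase); the two templates at the bottom are constructed for the example, the valid one being an abridged copy of the ransomware template shown above.

```python
"""Validator for the DFIR-IRIS case template taxonomy described above.

Added example for this page, not the validator that ships with IRIS (whose
exact checks and messages may differ). Unknown fields are rejected here,
which is an assumption. The two templates at the bottom are constructed."""
import json

# Top-level fields and the JSON type each must decode to. Only "name" is required.
TOP_LEVEL_FIELDS = {
    "name": str, "display_name": str, "description": str, "author": str,
    "classification": str, "title_prefix": str, "summary": str,
    "tags": list, "tasks": list, "note_groups": list,
}


def _non_empty_str(value):
    return isinstance(value, str) and bool(value.strip())


def _check_tags(tags, where, errors):
    """Tags must be a list of non-empty strings."""
    if not isinstance(tags, list):
        errors.append(f"{where}: 'tags' must be a list")
        return
    for i, tag in enumerate(tags):
        if not _non_empty_str(tag):
            errors.append(f"{where}: tags[{i}] must be a non-empty string")


def _check_titled(obj, where, allowed, errors):
    """Tasks, note groups and notes share one shape: an object whose 'title'
    is required and whose other keys must come from `allowed`."""
    if not isinstance(obj, dict):
        errors.append(f"{where}: must be an object")
        return False
    if not _non_empty_str(obj.get("title")):
        errors.append(f"{where}: 'title' is required and must be a non-empty string")
    for key in obj:
        if key != "title" and key not in allowed:
            errors.append(f"{where}: unknown field '{key}'")
    return True


def validate_case_template(template):
    """Return a list of human-readable errors; an empty list means valid."""
    errors = []
    if not isinstance(template, dict):
        return ["template must be a JSON object"]
    if not _non_empty_str(template.get("name")):
        errors.append("'name' is required and must be a non-empty string")
    for key, value in template.items():
        expected = TOP_LEVEL_FIELDS.get(key)
        if expected is None:
            errors.append(f"unknown field '{key}'")
        elif not isinstance(value, expected):
            errors.append(f"'{key}' must be a JSON {expected.__name__}")
    # Classification names are lowercase in IRIS; catch a mismatch up front.
    classification = template.get("classification")
    if isinstance(classification, str) and classification != classification.lower():
        errors.append("'classification' must be lowercase")
    if "tags" in template:
        _check_tags(template["tags"], "template", errors)
    tasks = template.get("tasks")
    if isinstance(tasks, list):
        for i, task in enumerate(tasks):
            where = f"tasks[{i}]"
            if _check_titled(task, where, ("description", "tags"), errors):
                if not isinstance(task.get("description", ""), str):
                    errors.append(f"{where}: 'description' must be a string")
                if "tags" in task:
                    _check_tags(task["tags"], where, errors)
    groups = template.get("note_groups")
    if isinstance(groups, list):
        for i, group in enumerate(groups):
            where = f"note_groups[{i}]"
            if not _check_titled(group, where, ("notes",), errors):
                continue
            notes = group.get("notes", [])
            if not isinstance(notes, list):
                errors.append(f"{where}: 'notes' must be a list")
                continue
            for j, note in enumerate(notes):
                nwhere = f"{where}.notes[{j}]"
                if _check_titled(note, nwhere, ("content",), errors):
                    if not isinstance(note.get("content", ""), str):
                        errors.append(f"{nwhere}: 'content' must be a string")
    return errors


def validate_case_template_json(text):
    """Validate an uploaded JSON document; malformed JSON becomes one error."""
    try:
        template = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return validate_case_template(template)


# Constructed sample: abridged version of the page's ransomware template.
VALID_TEMPLATE = {
    "name": "ransomware_infection",
    "display_name": "Ransomware Infection Template",
    "classification": "malicious-code:ransomware",
    "title_prefix": "[RANS]",
    "summary": "# Context \n\n# Actions \n\n",
    "tags": ["ransomware", "malware"],
    "tasks": [
        {"title": "Identify the perimeter", "description": "Scope the compromise",
         "tags": ["identify"]},
        {"title": "Containment"},
    ],
    "note_groups": [
        {"title": "Collect", "notes": [
            {"title": "Velociraptor deployment"},
            {"title": "Assets collected", "content": "# Assets collected\n\n"},
        ]},
    ],
}

# Constructed sample with three defects: uppercase classification, a task
# without a title, and a note group whose notes are not a list.
BROKEN_TEMPLATE = {
    "name": "bad_template",
    "classification": "Malicious-Code:Ransomware",
    "tasks": [{"title": "Triage"}, {"description": "no title here"}],
    "note_groups": [{"title": "Collect", "notes": "not a list"}],
}

if __name__ == "__main__":
    for label, tpl in (("valid", VALID_TEMPLATE), ("broken", BROKEN_TEMPLATE)):
        print(label, validate_case_template(tpl) or "OK")
```

Running the block prints `OK` for the valid template and the three defects for the broken one. Errors are collected rather than raised on the first problem so that an uploaded file can be fixed in one pass; the malformed-JSON path is kept separate so that a parse failure is reported as a validation error instead of surfacing as an exception to the uploader.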
                                    
{{ form.hidden_tag() }}
{{ form.case_template_json.data|tojsonsafe }}

Logs: