elastic · lcawl · Jul 22, 2024 · Jul 15, 2024 · Jul 15, 2024 · Jul 16, 2024
@@ -2,6 +2,6 @@ include::cases-overview.asciidoc[leveloffset=+1]
 
 include::cases-manage.asciidoc[leveloffset=+2]
 
-include::cases-ui-integrations.asciidoc[leveloffset=+1]
+include::cases-manage-settings.asciidoc[leveloffset=+1]
 
 include::indicators-of-compromise.asciidoc[leveloffset=+1]
@@ -1,10 +1,34 @@
-[[cases-ui-integrations]]
-== Configure external connections
-:frontmatter-description: Create and add external connectors to send cases to third-party systems.
+[[cases-manage-settings]]
+== Configure case settings
+:frontmatter-description: Change the default behavior of cases by adding connectors, custom fields, templates, and closure options.
 :frontmatter-tags-products: [security] 
 :frontmatter-tags-content-type: [how-to] 
 :frontmatter-tags-user-goals: [analyze]
 
+To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to *Cases* -> *Settings*.
+
+[role="screenshot"]
+image::images/cases-settings.png[Shows the case settings page]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+* <<close-sent-cases,Set case closure options>>.
+* <<cases-ui-integrations,Add connectors for external incident management systems>>.
+* <<cases-ui-custom-fields,Add custom fields>>.
+* <<cases-templates,Add templates>>.
+
+[[close-connector]]
+[float]
+[[close-sent-cases]]
+=== Case closures
+
+If you close cases in your external incident management system, the cases will remain open in {elastic-sec} until you close them manually.
+
+To close cases when they are sent to an external system, select *Automatically close cases when pushing new incident to external system*.
+
+[float]
+[[cases-ui-integrations]]
+=== External incident management systems
+
 You can push {elastic-sec} cases to these third-party systems:
 
 * {sn-itsm}
@@ -19,17 +43,8 @@ To push cases, you need to create a connector, which stores the information requ
 IMPORTANT: To create connectors and send cases to external systems, you need the
 https://www.elastic.co/subscriptions[appropriate license], and your role needs *All* privileges for the *Action and Connectors* feature. For more information, refer to <<case-permissions>>.
 
-[float]
-[[create-new-connector]]
-=== Create a new connector
+To create a new connector:
 
-. Go to *Cases* -> *Settings*.
-+
---
-[role="screenshot"]
-image::images/cases-settings.png[Shows the case settings page]
-// NOTE: This is an autogenerated screenshot. Do not edit it directly.
---
 . From the *Incident management system* list, select *Add new connector*.
 . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, *{swimlane}*, or *{webhook-cm}*.
 . Enter your required settings. For connector configuration details, refer to:
@@ -40,9 +55,21 @@ image::images/cases-settings.png[Shows the case settings page]
 - {kibana-ref}/swimlane-action-type.html[{swimlane} connector]
 - {kibana-ref}/cases-webhook-action-type.html[{webhook-cm} connector]
 
+[[modify-connector]]
+[[modify-connector-settings]]
+To change the settings of an existing connector:
+
+. Select the required connector from the incident management system list.
+. Click *Update <connector name>*.
+. In the *Edit connector* flyout, modify the connector fields as required, then click *Save & close* to save your changes.
+
+[[default-connector]]
+[[change-default-connector]]
+To change the default connector used to send cases to external systems, select the required connector from the incident management system list.
+
 [float]
 [[mapped-case-fields]]
-=== Mapped case fields
+==== Mapped case fields
 
 When you export an {elastic-sec} case to an external system, case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. For the {webhook-cm} connector, case fields can be mapped to custom or pre-existing fields in the external system you're connecting to.
 
@@ -77,48 +104,28 @@ New and edited comments are added to incident records when pushed to {sn}, {jira
 
 |===
 
-[[close-connector]]
-[float]
-[[close-sent-cases]]
-=== Close sent cases automatically
-
-To close cases when they are sent to an external system, select
-*Automatically close Security cases when pushing new incident to external system*.
-
-[[default-connector]]
 [float]
-[[change-default-connector]]
-=== Change the default connector
-
-To change the default connector used to send cases to external systems, go to *Cases* -> *Settings* and select the required connector from the Incident management system list.
+[[cases-templates]]
+=== Templates
 
-////
-TO-DO: Remove, refresh, or automate screenshot
-[role="screenshot"]
-image::images/cases-change-default-connector.png[Shows list of available connectors]
-////
+preview::[]
 
-[[add-connector]]
-[float]
-=== Add connectors
+You can make the case creation process faster and more consistent by adding templates.
+A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
 
-After you <<cases-ui-open, create a case>>, you can add connectors to it. From the case details page, go to *Settings*, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time.
+To create a template:
 
+. In the *Templates* section, click *Add template*.
++
+--
 [role="screenshot"]
-image::images/add-connectors.png[width=60%][height=60%][Shows how to add connectors]
-
-
-[[modify-connector]]
-[float]
-[[modify-connector-settings]]
-=== Modify connector settings
+image::images/cases-add-template.png[Add a template in case settings]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+--
 
-To change the settings of an existing connector:
+. You must provide a template name and case severity.
+  You can optionally add template tags and a description, values for each case field, and a case connector.
 
-. Go to *Cases* -> *Settings*.
-. Select the required connector from the Incident management system list.
-. Click *Update <connector name>*.
-. In the *Edit connector* flyout, modify the connector fields as required, then click *Save & close* to save your changes.
+When users create cases, they can optionally select a template and use its values or override them.
 
-[role="screenshot"]
-image::images/cases-modify-connector.png[]
+NOTE: If you update or delete templates, existing cases are unaffected.
@@ -15,6 +15,9 @@ Open a new case to keep track of security issues and share their details with
 colleagues.
 
 . Go to *Cases*, then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table.
+
+. If you defined <<cases-templates,templates>>, you can optionally select one to use its default field values. preview:[]
+
 . Give the case a name, assign a severity level, and provide a description. You can use
 https://www.markdownguide.org/cheat-sheet[Markdown] syntax in the case description.
 +
@@ -26,7 +29,10 @@ TIP: You can insert a Timeline link in the case description by clicking the Time
 . Optionally, add a category, assignees and relevant tags. You can add users only if they
 meet the necessary <<case-permissions,prerequisites>>.
 
+. If you defined <<cases-ui-custom-fields,custom fields>>, they appear in the *Additional fields* section. preview:[]
+
 . Choose if you want alert statuses to sync with the case's status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case.
+
 . From *External incident management*, select a <<cases-ui-integrations,connector>>. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
 . Click *Create case*.
 +