| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178 |
- <div class="modal-header">
- {% if case_template.id %}
- <h4>Edit case template {{ case_template.display_name }}</h4>
- {% else %}
- <h4>Add case template</h4>
- {% endif %}
- <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
- aria-hidden="true">×</span></button>
- </div>
- <div class="modal-body">
- <div class="container col-md-12">
- <form method="post" action="" id="form_new_case_template" enctype="multipart/form-data">
- <div class="row">
- <div class="col-6">
- <div class="accordion accordion-primary">
- {% if case_template.id %}
- <h2>{{ case_template.display_name }} template</h2>
- {% else %}
- <h2>New template</h2>
- {% endif %}
- <p>Case templates allow to prefill case objects such as tasks, tags, and notes.<br/>
- It can be used to add procedures defining how to react against a specific kind of incident (phishing, ransomware, APT...)</p>
- <div class="alert-std alert-warning" role="alert">
- Case templates can be added and edited in this UI, or they can be uploaded as JSON files.<br/>
- <p>IRIS will attempt to validate the contents of the case template before committing.</p>
- </div>
- <div class="card">
- <div class="card-header collapsed" id="drop_case_template_taxonomy" data-toggle="collapse" data-target="#drop_tax_case_template" aria-expanded="false" aria-controls="drop_tax_attr" role="button">
- <div class="span-icon">
- <div class="flaticon-pencil"></div>
- </div>
- <div class="span-title">
- Case Template taxonomy
- </div>
- <div class="span-mode"></div>
- </div>
- <div id="drop_tax_case_template" class="collapse" aria-labelledby="drop_tax_case_template" style="">
- <div class="card-body">
- <h4>Field types</h4>
- The supported fields types are:
- <ul>
- <li>name: The name of the case template (required).</li>
- <li>display_name: The displayed name of the case template.</li>
- <li>description: The description of the case template.</li>
- <li>author: The author of the case template (not related to the current user).</li>
- <li>classification: The classification of the case template. Should be a lowercase name matching an existing classification in IRIS.</li>
- <li>title_prefix: A prefix to add to case title.</li>
- <li>summary: content to prefill the summary.</li>
- <li>tags: A list of case tags.</li>
- <li>tasks: A list of dictionaries defining tasks. Tasks are defined by title (required), description, and list of tags.</li>
- <li>note_directories: A list of dictionaries defining note directories. Note directories are defined by title (required), and list of notes. Notes have title (required) and content</li>
- </ul>
- </div>
- </div>
- </div>
- <div class="card mt-4">
- <div class="card-header collapsed" id="drop__template_example" data-toggle="collapse" data-target="#drop_case_template_example" aria-expanded="false" aria-controls="drop_tax_attr" role="button">
- <div class="span-icon">
- <div class="flaticon-pencil"></div>
- </div>
- <div class="span-title">
- Case Template Example
- </div>
- <div class="span-mode"></div>
- </div>
- <div id="drop_case_template_example" class="collapse" aria-labelledby="drop_tax_case_template" style="">
- <div class="card-body">
- A case template is defined as below.
- <pre>
- {
- "name": "ransomware_infection",
- "display_name": "Ransomware Infection Template",
- "description": "This case template describes first-response tasks to handle information system compromised by a ransomware.",
- "author": "DFIR-IRIS",
- "classification": "malicious-code:ransomware",
- "title_prefix": "[RANS]",
- "summary": "# Context \n\n\n# Contact \n\n\n# Actions \n\n\n",
- "tags": ["ransomware","malware"],
- "tasks": [
- {
- "title": "Identify the perimeter",
- "description": "The perimeter of compromise must be identified",
- "tags": ["identify"]
- },
- {
- "title": "Collect compromised hosts",
- "description": "Deploy Velociraptor and start collecting evidence",
- "tags": ["collect", "velociraptor"]
- },
- {
- "title": "Containment"
- }
- ],
- "note_directories": [
- {
- "title": "Identify",
- "notes": [
- {
- "title": "Identify the compromised accounts",
- "content": "# Observations\n\n"
- }
- ]
- },
- {
- "title": "Collect",
- "notes": [
- {
- "title": "Velociraptor deployment"
- },
- {
- "title": "Assets collected",
- "content": "# Assets collected\n\n# Assets not collected"
- }
- ]
- }
- ]
- }
- </pre>
- </div>
- </div>
- </div>
- </div>
- </div>
- <div class="col-6">
- {{ form.hidden_tag() }}
- <div class="form-group">
- <div class="row">
- <label for="editor_detail" class="mr-4">Case template definition
- </label><button type="button" class="btn btn-sm ml-auto" onclick="downloadCaseTemplateDefinition();">Download definition</button>
- </div>
- <div id="editor_detail">{{ form.case_template_json.data|tojsonsafe }}</div>
- </div>
- </div>
- </div>
- </form>
- </div>
- <div class="alert alert-warning" style="display:none;" role="alert" id="alert_case_template_details">
- <span id="alert_case_template_edit"></span><br/>
- <b>Logs:</b>
- <ul id="case_template_err_details_list">
- </ul>
- </div>
- </div>
- <div class="modal-footer">
- {% if case_template.id %}
- <button
- type="button"
- class="btn btn-outline-danger mr-auto"
- id="submit_delete_case_template"
- >
- Delete
- </button>
- <button
- type="button"
- class="btn btn-outline-success ml-4 float-right"
- id="submit_new_case_template"
- >
- Update
- </button>
- {% else %}
- <button
- type="button"
- class="btn btn-outline-success ml-4 float-right"
- id="submit_new_case_template"
- >
- Save
- </button>
- {% endif %}
- </div>
|
