Cyware Fusion and Threat Response

Configure Templates for Incidents

Templates include a set of pre-selected fields that enable security analysts to quickly export and merge incidents with relevant data. You can configure the following types of templates for incidents:

  • Export templates

  • Merge templates

What are export templates?

Export templates enable you to define a set of incident data that you want to include in the report while exporting incidents. For example, if you want the Preparation phase and Connect the Dots details in the report, then you can create a template to export the Preparation phase and Connect the Dots details.

What are merge templates?

Merge templates enable you to define a set of incident data that you want to merge from parent-to-child or child-to-parent incidents. For example, if you want to merge the Preparation phase data of the child incidents with the parent incident, then you can create a Child to Parent Incident template to merge the Preparation phase fields.

Create Incident Export Template

To create an export template for incidents, do the following:

  1. Go to Admin Panel > Template Management > Incident > Export.

  2. Click Create Template.

  3. To create a template for a specific incident workflow, select the incident workflow on the top right. Based on the selected incident workflow, the fields that you can include in the template change.

  4. Enter a name for the template.

  5. On the left, select the phases and the corresponding fields to add to the template.

  6. At the bottom, select the additional information that you want to add, such as Connect the Dots, Timeline, Attachments, and more.

  7. Review your selected data under Selected Records and click Save.

The template is created and appears in the list of incident export templates. You can now use the template to export incident data.

Create Incident Merge Template

Create a template to merge parent incident data with the child incidents and vice versa. You can merge the incident workflow fields and the associated actions, enhancements, PIRs, attachments, threat intel, and Connect the Dots data.

Note

You cannot merge the notes, Playbooks, activity logs, and knowledge base data.

To create a merge template for incidents, do the following:

  1. Go to Admin Panel > Template Management > Incident > Merge.

  2. Click Create Template.

  3. To create a template for a specific incident workflow, select the incident workflow on the top right. Based on the selected incident workflow, the fields that you can include in the template change.

  4. Enter a name for the template.

  5. Select one of the following merge types:

    • Child To Parent Incident: Select this merge type to append child incident data to the parent incident. By default, this merge type is selected.

    • Parent To Child Incident: Select this merge type to append parent incident data to the child incidents.

  6. Based on the incident workflow you have selected, select the phases and the corresponding fields that you want to merge.

  7. If you have selected the merge type as Child To Parent Incident, you can also choose to merge the associated actions, enhancements, PIRs, attachments, threat intel, and Connect the Dots data of the child incidents with the parent incident.

  8. Review the selected data under Selected Records and click Save.

The template is created and appears in the list of incident merge templates. Users can now use the template to merge incidents.

Manage Templates for Incidents

You can perform the following activities to manage export and merge incident templates:

  • Search for a template.

  • Upload a logo for a template. The logo appears in the export file header.

  • Update template details.

  • Delete a template.

  • Configure a template as the default template.