Custom fields for case template

[derDuffy]

Request Type

Feature Request

Description

The possibility to add custom fields to a case template would improve usability of the hive a lot.
When implementing a given incident response process it is sometimes necessary to add some defined data to the case template. In particular when one want to implement some kind of "default form" the analysts have to fill out when creating the case/incident the existence of custom fields would be beneficial.

[AdventuresInMalware]

I would also find this very useful. I had hoped you could accomplish this via metrics but as these seem to be integer only fields that didn't work.

[nadouani]

In fact you cannot do that using metrics. Don't forget that metrics are:

• required when you close a case
• only number (for now)
• used to compute stats

[derDuffy]

Hehe I was trying to use metrics as a workaround too :D

[DeltaKiloz]

+1 to this, I was looking all over the documentation trying to figure out how to do this without having any luck. Having the ability to add custom fields for cases would dramatically improve usability I think.

[nadouani]

Hi @DeltaKiloz We understand that this could help classifying the cases. Can't the tags fulfill your needs for now? Introducing custom fields could require a lot of restructuring and we will do it in the future (not yes sure on which version).

[DeltaKiloz]

I see the tags as being used for "labels" and making it easier to search items by these tags / labels. What I would be the ability to add a field such as "Src IP" or "Dst IP" with the ability to add data to those fields (obviously IP addresses here). Or a field such as "Detection Device" with a drop down of items I can enter.

[camobanana]

I would also love to be able to add custom fields to templates - this is one of the missing features preventing our organisation from jumping completely to The Hive

[airlinedev]

ditto to what @camobanana said. i'm surprised this didn't come out with 2.11. Is there any time line for this feature?

[saadkadhi]

Hi @airlinedev,

Our current target for implementing this feature, which seems to be rather in high demand, is Q4 as we need to integrate some features and perform some major back-end changes.

Please note that we are not going to do it the checklist way where an analyst has to fill out forms and what have you before starting to work on the case at hand.

In the meantime, you could still use case tags according to an agreed-upon taxonomy as a workaround.

See also #31, #36 and #3.

@DeltaKiloz: Src IP, Dst IP should go in the observables and labeled accordingly.

[airlinedev]

Ty for the reply @saadkadhi. If you guys are need of testers or feedback on the proposed method, I would be glad to help. I agree about it not having to be filled out before the ticket can be created. That can hurt quick ticket creation and automation.