Field Templates

Field templates are a centralized method for mapping source data fields in data types in Case-Hub, informing Inputs and Detections what to do with fields and their data from the event source. They can be used to define the field name, data type, and other settings for each relevant field in order to map a source field value to an Observable.

Creating Field Templates

To create a new Field Template, the following steps can be used:

1. Navigate to the System -> Inputs page

2. Change to the "Field Templates" tab and Click "New Field Template".

3. Provide the necessary information in the Overview section like Template Name. Description, Tags, and others.

4. Field Settings section - Click Add Field,

   1. Provide source field name.

   2. Select the appropriate data type for the source field.

   3. Provide an Alias for the added source field.

   4. Provide an appropriate Sigma field name (if needed).

   Note: Setting the field value to none will prevent the value of the field from becoming observable.

For Inputs

When using a Field Template for an Input that is polled by an Agent, the Field Template will tell the Agent to extract the values of the defined fields as Observables and place them on the Event for easier analysis.

For Detections

Much like Field Templates for Inputs, when a Detection rule runs against source data and matches, the fields and their values from the matched data will be extracted as Observables.

Unlike Inputs, however, Field Templates also define how Sigma formatted rules should convert and what field names they should use. For example, a Sigma Rule that uses the field Image may convert to process.executable but the source data is not mapped to Elastic Common Schema and actually expects winlog.event_data.Image.