> For the complete documentation index, see [llms.txt](https://docs.blusapphire.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.blusapphire.io/older-releases/09_casehub/input-configuration/field-templates.md).

# Field Templates

Field templates are a centralized method for mapping source data fields in data types in Case-Hub, informing [Inputs ](/older-releases/09_casehub/input-configuration.md)and Detections what to do with fields and their data from the event source. They can be used to define the field name, data type, and other settings for each relevant field in order to map a source field value to an Observable.

## Creating Field Templates

To create a new Field Template, the following steps can be used:

1. Navigate to the **System ->** **Inputs** page
2. Change to the **"Field Templates"** tab and Click **"New Field Template".**
3. Provide the necessary information in the **Overview** section like Template Name. Description, Tags, and others.
4. **Field Settings** section - Click **Add Field**, 

   1. Provide **source field** name.
   2. Select the appropriate **data type** for the source field.
   3. Provide an **Alias** for the added source field.
   4. Provide an appropriate **Sigma field** name (if needed).

   **Note:** Setting the field value to `none` will prevent the value of the field from becoming observable.

## For Inputs

When using a Field Template for an Input that is polled by an Agent, the Field Template will tell the Agent to extract the values of the defined fields as Observables and place them on the Event for easier analysis.

### For Detections <a href="#for-detections" id="for-detections"></a>

Much like Field Templates for Inputs, when a Detection rule runs against source data and matches, the fields and their values from the matched data will be extracted as Observables.

Unlike Inputs, however, Field Templates also define how Sigma formatted rules should convert and what field names they should use. For example, a Sigma Rule that uses the field `Image` may convert to `process.executable` but the source data is not mapped to Elastic Common Schema and actually expects `winlog.event_data.Image`.

<br>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.blusapphire.io/older-releases/09_casehub/input-configuration/field-templates.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.