7. Generating Reports¶
Once your analysis is complete, you can generate a report to share with others. You can choose to make either a report of an individual host or the entire incident.
7.1. Host-level Reports¶
There are several types of host-level reports, which serve different needs. All of these can be created from the host dashboard.
We’ll review each of these. Some contain all data from a host and others contain only the bad and suspicious items.
Note that there are also incident-level reports that can be generated from the incident dashboard.
7.1.1. HTML Report¶
The “Bad and Suspicious Items in HTML” report is useful to share with other groups who want a human readable report. It contains the list of Bad and Suspicious items that were found on the system.
The report provides both a summary and a detailed view. The summary view provides basic information about each item and is organized into two tables: Bad and Suspicious. Selecting any item brings you to the detailed view that contains information such as MD5 hashes and time stamps.
Any comments that you added during the investigation will be shown in the report.
You can generate a PDF report based on the HTML report by using the Print feature in your web browser.
To add your company or agency logo to the report, use the Reporting Options tab within the Options Panel.
7.1.2. Bad and Suspicious in MITRE ATT&CK¶
If you want to export the items that were scored as bad and suspicious and import them in the ATT&CK Navigator <https://mitre-attack.github.io/attack-navigator/>, then choose the MITRE ATT&CK report option. This produces a JSON that can be uploaded to the website and visualized.
7.1.3. Bad Items in a JSON Report¶
The “Bad Items in JSON” report will create a JSON file with just the items scored as Bad. You can use this to:
Do post processing or import into other systems
Import as “Bad Items” into other Cyber Triage installations.
7.1.4. Bad Files in a ZIP Report¶
The “Bad Files in a ZIP” module will make a single ZIP file with all files scored as bad. The ZIP file will have the password “infected”.
7.1.5. All Items JSON Report¶
The “All Items JSON” report is useful for importing the results into another system, such as a SIEM. It is a JSON array with each element being a data item that was collected by Cyber Triage®. For example, the first entry could be for a Startup Item or a Process entry.
There is a corresponding module that can import this into Splunk.
7.1.6. All Items in CSV (Timeline) Report¶
The “All Items in CSV (Timeline)” report contains one row per collected item. It can be imported into other timeline tools.
7.1.7. All Items in JSON Line (Timesketch) Report¶
The “All Items in JSONLine (Timesketch)” report creates a JSON file with all collected items. It can be imported into Timesketch or similar timeline tool.
7.1.8. All File SHA-256 Hashes as Text Report¶
The “All File SHA-256 Hashes as Text” module will create a text file with one line per file with a hash value. Hash values will exist for any file that was collected. This text file will contain both good and bad files.
7.1.9. All IPs as Text Report¶
The “All IPs as Text” module will create a text file with one line per IP address from the host. This includes IPs that were directly referenced in an artifact and IPs that Cyber Triage resolved from host names.
7.1.10. Extract Source Files¶
There used to be a report module that exported all source files (such as registry hives and event logs). That feature has been moved to the Collection Details panel. See Collection Details Panel for details.
7.2. Incident-level Reports¶
There are a subset of the above reports that you can also create at an incident level. They will often include the host name to differentiate the data.