4. Generating Host Reports

Once your analysis is complete, you can generate a report to share with others. There are several types of outputs, which serve different needs. All of these can be created from the Dashboard.

../../_images/reporting_report-options.png

Types of Reports

We’ll review each of these. Some contain all data from a host and others contain only the bad and suspicious items.

Note that there are also incident-level reports that can be generated from the incident dashboard.

4.1. HTML Report

The “Bad and Suspicious Items in HTML” report is useful to share with other groups who want a human readable report. It contains the list of Bad and Suspicious items that were found on the system.

The report provides both a summary and a detailed view. The summary view provides basic information about each item and is organized into two tables: Bad and Suspicious. Selecting any item brings you to the detailed view that contains information such as MD5 hashes and time stamps.

Any comments that you added during the investigation will be shown in the report.

You can generate a PDF report based on the HTML report by using the Print feature in your web browser.

To add your company or agency logo to the report, use the Reporting Options tab within the Options Panel.

../../_images/reporting_html.jpg

4.2. All Items JSON Report

The “All Items JSON” report is useful for importing the results into another system, such as a SIEM. It is a JSON array with each element being a data item that was collected by Cyber Triage®. For example, the first entry could be for a Startup Item or a Process entry.

There is a corresponding module that can import this into Splunk.

4.3. All Items in CSV (Timeline) Report

The “All Items in CSV (Timeline)” report contains one row per collected item. It can be imported into other timeline tools.

4.4. All Items in JSON Line (Timesketch) Report

The “All Items in JSONLine (Timesketch)” report creates a JSON file with all collected items. It can be imported into Timesketch or similar timeline tool.

4.5. Bad Files in a ZIP Report

The “Bad Files in a ZIP” module will make a single ZIP file with all files scored as bad. The ZIP file will have the password “infected”.

4.6. All File SHA-256 Hashes as Text Report

The “All File SHA-256 Hashes as Text” module will create a text file with one line per file with a hash value. Hash values will exist for any file that was collected. This text file will contain both good and bad files.

4.7. All IPs as Text Report

The “All IPs as Text” module will create a text file with one line per IP address from the host. This includes IPs that were directly referenced in an artifact and IPs that Cyber Triage resolved from host names.

4.8. Extract Source Files

There used to be a report module that exported all source files (such as registry hives and event logs). That feature has been moved to the Collection Details panel. See Collection Details Panel for details.