Feature Request: Case Reporting

[Deastrom]

Case Reporting

Request Type

Feature Request

Work Environment

Question	Answer
OS version (server)	Ubuntu Server
OS version (client)	16.04
TheHive version / git hash	2.12.1
Package Type	Apt-Get
Browser type & version	...

Problem Description

At the end of a case it will be requested that we provide a report of the case and a print out of the audit log for that case.

Steps to Reproduce

...

Possible Solutions

After the case is complete provide an option to print/report on the case with options to include details such as the audit log. To limit length or provide a good layout it might be best to organize by sections...
Case
Case Details
Case Audit Trail
Tasks in Case
Task Details
Task Logs
Task Attachments
Task Audit Trail
Observeables
Observable Details
Observable Report Findings
Observable Audit Trail

If you were to provide a way to generate this report and offer options for each section (to include gather observable files and attachments in a similar folder structure) then zip it and provide a hash for that zip, this could suffice for reporting purposes, maybe even legal purposes if information on the case is needed for legal proceedings.

Complementary information

I really like what you're doing here and the format is great. I have gotten as far as install TheHive with Cortex and enabling every free Cortex Analyzer I could. My next step will be to set up a Security Onion box and creating a TheHive alert python script. Given the popularity of Security Onion, if there's a good python script out there I can work from, please feel free to send it me way. :)

[Deastrom]

I'd like to pump this a bit. Reporting on Cases is one of the most important steps in incident response. Is there something in the works for this?

[saadkadhi]

Hi @Deastrom,

Reporting is indeed very important and something that we will seek to implement by the end of the year. Stay tuned.

[tyliec]

Has anyone been working on this? If not, I'd love to try and work on this.

[saadkadhi]

Nobody that we know of does @viltaria. You are welcome to give it a shot. You can discuss how things should be done etc. with @nadouani & @To-om.

[tyliec]

Thank you, I'll start working on this now. I'll reach out if I need any help/feedback.

[tyliec]

I'm structuring the layout as follows for now (following the outline by @Deastrom):

Case Report

• Case Description
• Case Audit Trail
• Tasks
  • Description
  • Audit Trail
  • Logs
    • Attachments
• Observables
  • Details
  • Report Findings
  • Audit Trail

Currently have the report as a button attached to each case (see it here: https://imgur.com/a/BP5eVhT), and this button opens up a modal containing the above information. Planning to have options for the user to select which parts that they want to include in the modal, and have a download button on the bottom.

Layout will probably change, but what do you think about this one as a rough draft? @saadkadhi

[saadkadhi]

Hi @viltaria. Thanks a lot for the proposal. A few comments:

• The button looks just perfect. It should show when a report already exists, like the Share button.
• The structure of the report should be trimmed in my opinion. Task logs for example should not be all displayed. I would rather have a special marking within a task for logs that are good candidates for creating a report. Something like the IOC/sighting toggles in the observables tab.
• The audit trail should be added (if needed) as an appendix
• One should be able to select all observables, only IOCs or only sighted IOCs
• One should be able to select what's the max TLP for observables that should be included in the report.
• When a report is generated, it should be stored alongside the case and downloadable from the case details tab.

As a next step, the task logs that have been marked for inclusion in the report could be used for #84.

@nadouani @jeromeleonard @To-om what's your opinion?

[tyliec]

After some further thought and reviewing my teams current work routine, my plan is to have customizable report templates.

People wanting to generate a Case Report would be able to choose between different templates they have previously created to generate a PDF report on their case(s). These templates would be self made, probably in a markdown/html fashion with different case variables accessible through the {{ variable }} style of templating.

I believe that this would allow for the flexibility of having to generate multiple types of reports and the different styles needed to support this feature.

What do you think? @saadkadhi

[ph34tur3]

Hi @viltaria , hi @saadkadhi ,

I would like to contribute to this issue, too. @viltaria could you please share your current work with me? Thanks in advance!

In my opinion the specific observable reports that are included should be selectable. This could result in

• reports that are not relevant to be excluded
• reports that are relevant to be in a summary and reports that are not relevant to be in an appendix

Furthermore it would be nice if there was an option to add an the logo of your organization to support corporate identity.

[ph34tur3]

Hi there,

currently working on this one.

[ph34tur3]

Hi everybody,

I did some work and finally created a pull request (see #678 ).

What did I do?

• An admin user can import case reporting templates into TheHive.
• An admin user can mark one report template as "default". This will be used when some user wants to report a case.
• A user can report a case using a button on the right side of the header panel.
• When a user wants to generate a report, there is a textarea available to insert some abstract/management summary that can be accessed through the report template.
• The report template can currently access the case object, the relevant artifact objects and the relevant task objects. Long reports from cortex analyzers aren't supported at this moment!
• A user can trigger the report creation using a button. The report will be shown in a new browser window and can be printed to a file. This means, that the report is not stored in a database but instead on the users access point.
• Oh, and I created a basic HTML report to play with. You can find it here: Basic Case Reporting Template for TheHive

What needs to be done?

• There are not all data sources available that would be of use. These need to be available to any report template.
• Testing.

Some thoughts on some decisions:

• A user can always create a report. --> There are use cases where you need a report, even if the case is not in a specific state.
• A report does not get stored in the database, but instead gets downloaded. --> Since you want to keep every version of a report one would need to store multiple versions that one can browse through and that need to be accessible. IMO TheHive is not the correct place to put this logic. A user can reuse existing systems to archive multiple reports.

If there are any questions feel free to ask!

[soulsf]

Hi all!

some ideas:

• perhaps a git repo could be used to store generated reports and integrated into the process

• storing of "raw" data (xml, json) along with the formated template report. this could later be used as a basis for scheduled management reports summarizing the incident reports of a specific period. this could be done by an external tool (maybe using carbone.io or jsreports).

• logo/css for corporate identity is crucial. reports are important to create c-level attention.

[axpatito]

#834

[veeral-patel]

@Deastrom @ph34tur3 do you guys want help on this? seems like a great addition to TheHive! you can email me at [email protected]; I have some free time and can get the ball rolling :)

for background, I'm an ex-Mandiant consultant who graduated from college a couple months ago

[ph34tur3]

@veeral-patel : Thanks for considering. I just contacted @nadouani via PR #678 about help on this.

[mrcdb]

@nadouani are there any updates on this feature request ?

[X0x1RG9f]

Hi @nadouani @Deastrom @tyliec, I was also very interested by this feature, any updates on this ?

[tyliec]

I've stopped working on the project, no updates from me