Feature Request: Case Reporting

[Deastrom]

Case Reporting

Request Type

Feature Request

Work Environment

Question	Answer
OS version (server)	Ubuntu Server
OS version (client)	16.04
TheHive version / git hash	2.12.1
Package Type	Apt-Get
Browser type & version	...

Problem Description

At the end of a case it will be requested that we provide a report of the case and a print out of the audit log for that case.

Steps to Reproduce

...

Possible Solutions

After the case is complete provide an option to print/report on the case with options to include details such as the audit log. To limit length or provide a good layout it might be best to organize by sections...
Case
Case Details
Case Audit Trail
Tasks in Case
Task Details
Task Logs
Task Attachments
Task Audit Trail
Observeables
Observable Details
Observable Report Findings
Observable Audit Trail

If you were to provide a way to generate this report and offer options for each section (to include gather observable files and attachments in a similar folder structure) then zip it and provide a hash for that zip, this could suffice for reporting purposes, maybe even legal purposes if information on the case is needed for legal proceedings.

Complementary information

I really like what you're doing here and the format is great. I have gotten as far as install TheHive with Cortex and enabling every free Cortex Analyzer I could. My next step will be to set up a Security Onion box and creating a TheHive alert python script. Given the popularity of Security Onion, if there's a good python script out there I can work from, please feel free to send it me way. :)

[Deastrom]

I'd like to pump this a bit. Reporting on Cases is one of the most important steps in incident response. Is there something in the works for this?

[saadkadhi]

Hi @Deastrom,

Reporting is indeed very important and something that we will seek to implement by the end of the year. Stay tuned.

[tyliec]

Has anyone been working on this? If not, I'd love to try and work on this.

[saadkadhi]

Nobody that we know of does @viltaria. You are welcome to give it a shot. You can discuss how things should be done etc. with @nadouani & @To-om.

[tyliec]

Thank you, I'll start working on this now. I'll reach out if I need any help/feedback.

[tyliec]

I'm structuring the layout as follows for now (following the outline by @Deastrom):

Case Report

• Case Description
• Case Audit Trail
• Tasks
  • Description
  • Audit Trail
  • Logs
    • Attachments
• Observables
  • Details
  • Report Findings
  • Audit Trail

Currently have the report as a button attached to each case (see it here: https://imgur.com/a/BP5eVhT), and this button opens up a modal containing the above information. Planning to have options for the user to select which parts that they want to include in the modal, and have a download button on the bottom.

Layout will probably change, but what do you think about this one as a rough draft? @saadkadhi

[saadkadhi]

Hi @viltaria. Thanks a lot for the proposal. A few comments:

• The button looks just perfect. It should show when a report already exists, like the Share button.
• The structure of the report should be trimmed in my opinion. Task logs for example should not be all displayed. I would rather have a special marking within a task for logs that are good candidates for creating a report. Something like the IOC/sighting toggles in the observables tab.
• The audit trail should be added (if needed) as an appendix
• One should be able to select all observables, only IOCs or only sighted IOCs
• One should be able to select what's the max TLP for observables that should be included in the report.
• When a report is generated, it should be stored alongside the case and downloadable from the case details tab.

As a next step, the task logs that have been marked for inclusion in the report could be used for #84.

@nadouani @jeromeleonard @To-om what's your opinion?

[tyliec]

After some further thought and reviewing my teams current work routine, my plan is to have customizable report templates.

People wanting to generate a Case Report would be able to choose between different templates they have previously created to generate a PDF report on their case(s). These templates would be self made, probably in a markdown/html fashion with different case variables accessible through the {{ variable }} style of templating.

I believe that this would allow for the flexibility of having to generate multiple types of reports and the different styles needed to support this feature.

What do you think? @saadkadhi

[ph34tur3]

Hi @viltaria , hi @saadkadhi ,

I would like to contribute to this issue, too. @viltaria could you please share your current work with me? Thanks in advance!

In my opinion the specific observable reports that are included should be selectable. This could result in

• reports that are not relevant to be excluded
• reports that are relevant to be in a summary and reports that are not relevant to be in an appendix

Furthermore it would be nice if there was an option to add an the logo of your organization to support corporate identity.

[ph34tur3]

Hi there,

currently working on this one.