Use case question: Support for reporting to third party

Elastic Security
1

Hello! Complete noob here. Thank you for your patience over my ignorance.

I have a question regarding support for a the following use-case.

TLDR: Given a completed security analysis of some event/events in a case or timeline, is there a recommended or easy way for generating a report (e.g. pdf) containing a subset of the logs concerning the analysis and a user-inputted text field?

Long version through hypothetical:

Let's say I have Elastic SIEM running in some environment and I am a security analyst. I have received some events which I find troubling and perform an analysis in the timeline view. For all the events in the timeline, I find that the log fields client.ip and client.port are suspicious and that they indicate a compromise.

For my fictitious organisation there exists a third party stakeholder which is interested in compromises in the environment but are not allowed to use or view the elastic SIEM and therefore cannot view or collaborate on cases with me. Instead, they wish to receive a report containing logs that are relevant for the compromise and a short text describing the analysis.

My question is if there exists a recommended or easy way to generate this type of report?

I believe my dream workflow would be:

  1. Events -> Timeline view
    I open some events in timeline view. I perform analysis.
  2. Select a subset of all the log items.
    I select a number of the log items which I find indicate that there has been a compromise.
  3. I pivot from the timeline into a reporting tool / dashboard.
    I am now in some reporting section with a draft report, the items I selected in step 2 have appeared in a table in the draft report.
  4. Reporting.
    I describe in a text field what my analysis is of the compromise and then press download/generate. This outputs the information in some nice form.

Thankful for your time and help!

/Markus

2

Hi Markus, welcome to our community, and thank you for your question. We are glad that you are spending time with Elastic SIEM/Security.

TLDR: Given a completed security analysis of some event/events in a case or timeline, is there a recommended or easy way for generating a report (e.g. pdf) containing a subset of the logs concerning the analysis and a user-inputted text field?

This is a great question, but the current answer is no, there is not an easy way to create a "PDF" or similar report that contains the details of an investigation you've performed in the SIEM/SecurityApp.

You can of course add any text as comments in the Case, including the JSON representation of the events in question, copied from the Timeline, for example, but there's no easy way to convert the case into a human-readable format that can be easily transmitted to third parties w/o SIEM access.

So far, we've focused on being able push the case details to third-party systems for case/ticket/incident management and response.

We are investigating future capabilities in this area such as defining a standard case data model that contains a summary of all the artifacts contained in alerts, timelines, or cases, and we appreciate your hypothetical use case. I hope you don't mind if we ask you some questions.

In your example, you stipulated a third party stakeholder which is interested in compromises in the environment but are not allowed to use or view the elastic SIEM.

  • How would you foresee sending such a report to them? E.g., email? slack? etc.?
  • Can you speculate which tools this third party might be using to continue their work once they received such a report from you?

Thanks again!

3

Hello again!

Sorry for the late answer, I have been ill. Thank you for taking the time to consider this use case!

  • How would you foresee sending such a report to them? E.g., email? slack? etc.?

Any of these would do. Personally I would do it with email. As a bonus use case here I would like to add that any communication channel from where elastic SIEM is located to the third party is untrusted. In my scenario any data (report) would have to be encrypted and signed before sent to the third party.

  • Can you speculate which tools this third party might be using to continue their work once they received such a report from you?

It depends what type of third parties are receiving the information. In order to expand on this I will describe three hypothetical environments and third parties and then answer the question for each

1.Managed Security Service Provider (MSSP)

Let's say a company uses a MSSP for monitoring and for incident response. The IT-staff of the company wants to be informed when an incident is detected in their network. However, the MSSP handles all security monitoring for the company. Therefore the IT-staff are not trained for and do not have access to the elastic SIEM.

Answer: The IT-staff needs to be informed of the incident through (for example) a report. They will then, together with an incident response team from the MSSP, perform normal system actions with various tools. Actions such as memory dumps, restoring from backup, network configuration changes, isolation of devices... etc.

2.Important person ( This will sound silly but I assure you this is the most probable and serious one)

In almost all companies there exists important persons. They can be anyone from middle-management up to the CEO. Important persons almost always want to be informed about important things, even if they cannot contribute to the problem that is reported in any meaningful way. Often they enjoy very nice looking reports.

It is crucial to understand that important persons often control where money is spent.

Answer: No tools are used. They are only to be informed about what exactly has happened in a nice looking report.

3.Nuclear warhead facility

In nuclear facilities (or any extremely critical environment) there often is a rule of redundancy. There must exist at least two of every security system. So there are two SIEMS of different brands reporting to two different SOCs. Of course in this type of environment there is also the rule of least privilege. So no-one but approved SOC-analysts are allowed to use SIEMs.

Answer: The report in this case would be sent from one SOC to the other SOC in order to verify the incident using a different SIEM. The tools used in this case would then be another SIEM solution.

It would also be sent to a incident response team which needs to be quickly informed before actually tending to the incident.

Thank you again for reading my ramblings!

Cheers!

/Markus