Hello! Complete noob here. Thank you for your patience over my ignorance.
I have a question regarding support for a the following use-case.
TLDR: Given a completed security analysis of some event/events in a case or timeline, is there a recommended or easy way for generating a report (e.g. pdf) containing a subset of the logs concerning the analysis and a user-inputted text field?
Long version through hypothetical:
Let's say I have Elastic SIEM running in some environment and I am a security analyst. I have received some events which I find troubling and perform an analysis in the timeline view. For all the events in the timeline, I find that the log fields client.ip and client.port are suspicious and that they indicate a compromise.
For my fictitious organisation there exists a third party stakeholder which is interested in compromises in the environment but are not allowed to use or view the elastic SIEM and therefore cannot view or collaborate on cases with me. Instead, they wish to receive a report containing logs that are relevant for the compromise and a short text describing the analysis.
My question is if there exists a recommended or easy way to generate this type of report?
I believe my dream workflow would be:
- Events -> Timeline view
I open some events in timeline view. I perform analysis.
- Select a subset of all the log items.
I select a number of the log items which I find indicate that there has been a compromise.
- I pivot from the timeline into a reporting tool / dashboard.
I am now in some reporting section with a draft report, the items I selected in step 2 have appeared in a table in the draft report.
I describe in a text field what my analysis is of the compromise and then press download/generate. This outputs the information in some nice form.
Thankful for your time and help!