Post incident review report
- Updated Aug 1, 2024
- Xanadu
- Security Incident Response Analysis
The Post Incident Review (PIR) reports feature enables you to set up and download post incident review reports from the Post Incident Review tab.
The security admin creates and configures the report templates and maps them to security incidents through the report configuration. A security analyst can then view or download the report after the security incident is resolved and its status is updated to the Review state.
- Report Templates: customize and configure the following template features to add information to the report:
- Timeline
- Branding
- Template Scripts
- Report Configuration
This section describes the configuration procedure:
Report Templates
Use the Report Templates section to create the primary and additional report templates that are applied to security incidents to generate the Post Incident Review report. You can format and configure the report to your requirements, including the post incident assessment details. A template supports the following:
- Configuring the branding information.
- Setting up the page size and page margin.
- Adding any security incident-related fields (both custom and standard).
- Using the following predefined custom tokens:
- $sessionUser: Returns the logged in username
- $date: Returns the current date
- $if_not_null_start & $if_not_null_end: When these tags wrap a field, the content between them is rendered only if the field has a value. For example:
- ${if_not_null_start:problem}
- Problem Category: ${problem.category}
- ${if_not_null_end:problem}
- Including the related list data using the template scripts. For more information, see the section below on Template Scripts.
- Including the timeline information using the Timeline Filters. For more information, see the section below on Timeline.
- Managing and formatting the template content such as attachments, tables, and images.
- Images attached to the report template are displayed on the Post Incident Review report only when they are stored in the sys_attachment table. Note: Images selected from the db_image table are not displayed on the post incident review report.
- Videos aren’t supported in the post incident review report.
- URLs in the PDF are rendered non-clickable: each period (.) in a URL is written out as (dot), so a reader cannot open a potentially malicious link directly from the report.
- The report isn’t generated if the size of the report template exceeds 50MB.
- The font family selected for the report template content is not applied to the PDF if the PDF generator does not support it. Note: If the font is unavailable, the PDF generator substitutes the closest alternative font and generates the PDF with it.
- Very large page margins cause report generation to fail, for example a top and bottom margin greater than 450 or a left and right margin greater than 450.
- If a large text is included in the report template without spaces, then the text may be truncated. Preview the text and modify it accordingly.
The security admin can preview the report using the Preview Report button available on the Report Template page.
In the Select a Security incident to preview a report with this template option, choose an incident and then select Preview Report.
Branding
You can add the branding template name, header and footer image, header and footer text, generate page numbers, and include the branding record in the report template after it’s created.
The following is a sample branding report format:
- The maximum size allowed for the header and footer image is 5MB. If the image exceeds this limit, the error message ‘Image format cannot be recognized’ is displayed on the security incident.
- The footer text length is limited to 100 characters.
- If the footer image or footer text overlaps the report content in the preview, adjust the branding record.
- If the footer text contains a URL, it may overlap the footer image. Preview the report and correct the branding record as required.
Timeline
Timeline configuration enables you to create and modify timeline filters as required. You can filter the activity types that are included in the report, choose whether child tasks are included or excluded, and choose whether images are included or excluded.
To populate a timeline configuration in a template, add the tag ${timeline:timeline name}. Two sample timeline configurations are provided with the setup; they are used by the Phishing Report template and the Default Report template, and you can modify and reuse them.
Template Scripts
Use template scripts to include related list data, date and time stamps, and any other data that is not directly dot-walkable. A typical script has two steps:
- Prepare the related list data by calling the PostIncidentReportUtils.fetchRelatedListDataForReport method.
- Render the data from step 1 as a formatted table by calling the ReportTemplateUtil.constructTable function.
To populate a template script in a template, add the tag ${template_script:script name}.
| Script name | Description |
|---|---|
| formatted_current_date | Returns the current local date and time in the form DD Mon YYYY h:mm AM/PM TZ. For example, 21 Jan 2021 3:51 PM PST. |
| si_affected_users | Returns the affected users from the related list in a tabular form. |
| si_assessments | Returns the post incident assessment results in a tabular form. |
| si_associated_phish_emails | Returns the associated phishing emails from the related list in a tabular form. |
| si_associated_phish_headers | Returns the associated phishing headers from the related list in a tabular form. |
| si_business_criticality | Returns color coded business criticality value. |
| si_malicious_observables | Returns the malicious observables from the related list in a tabular form. |
| si_observables | Returns the observables from the related list in a tabular form. |
| si_priority | Returns color coded priority value. |
| si_response_tasks | Returns the response tasks from the related list in a tabular form. |
| si_time_to_identify | Returns the duration spent in Draft and Analysis state. |
| si_time_to_resolve | Returns the time to resolve the incident. |
- If a related list is added with more than five columns, the table data is truncated during PDF generation. The minimum width of each column is 124px.
- If a template script cannot load its content into the report template because of a technical issue, the message ‘Error while evaluating the template script’ is displayed on the report. The security admin must check the script for correctness to resolve the issue.
- si_assessments: By default, all assessment categories are added to the report. The security admin can filter the data by modifying the template script; add a categories: sys_id1, sys_id2; parameter listing the category sys_ids to include.
- si_time_to_resolve and si_time_to_identify: These scripts use the definition records in the metric-related list. If the definition records are unavailable for the security incident, create or add them so that the two fields are populated.
By default, the Security Admin cannot view the version records of any table. To view version records and revert a template to a previous version, the user needs the admin role. Because admin is a broad privilege, grant it only to the accounts that actually manage template versions.
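The following is an added illustration of the token semantics described above (the $sessionUser and $date tokens, the ${if_not_null_start:field} / ${if_not_null_end:field} conditional block, dot-walked field tokens, and the ${template_script:name} and ${timeline:name} tags). It is not ServiceNow's rendering engine or any code from the product; the record shape, the sample incident, the resolver registry, the ISO date format for $date, and the HTML escaping of field values are all assumptions made for this example. Escaping matters because incident fields such as a phishing subject line can contain markup, and the (dot) rewriting mirrors the documented non-clickable URL behaviour.

```javascript
// Added example: a minimal renderer for the PIR template tokens documented on this page.
// Not ServiceNow code; record shape, resolvers and date format are assumptions.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Field values originate from incident records (attacker-influenced data such as a
// phishing subject), and the template is rich text, so escape them before rendering.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Mirror the documented PDF behaviour: URLs become non-clickable by writing "." as "(dot)".
function defangUrls(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => url.replace(/\./g, "(dot)"));
}

// Dot-walk a path such as "problem.category"; undefined if any hop is missing.
function dotWalk(record, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), record);
}

function isNull(value) {
  return value === undefined || value === null || value === "";
}

// context: { sessionUser, now }  (now is injected so output is reproducible)
// resolvers: map of "template_script:<name>" / "timeline:<name>" to functions of the record,
// standing in for the page's template scripts and timeline configurations (assumption).
function renderTemplate(template, record, context, resolvers = {}) {
  // 1. Conditional blocks: keep the inner text only when the named field has a value.
  //    Start and end tags must name the same field; a mismatch is an error, not silently rendered.
  const block = /\$\{if_not_null_start:([\w.]+)\}([\s\S]*?)\$\{if_not_null_end:([\w.]+)\}/g;
  let out = template.replace(block, (_, start, inner, end) => {
    if (start !== end) throw new Error(`Mismatched if_not_null tags: ${start} / ${end}`);
    return isNull(dotWalk(record, start)) ? "" : inner;
  });

  // 2. Template scripts and timelines: delegate to the registered resolver. Resolver output is
  //    trusted markup (tables), and a failure surfaces the documented error marker in the report.
  out = out.replace(/\$\{(template_script|timeline):([^}]+)\}/g, (_, kind, name) => {
    const fn = resolvers[`${kind}:${name.trim()}`];
    if (typeof fn !== "function") return "Error while evaluating the template script";
    try { return fn(record); } catch (e) { return "Error while evaluating the template script"; }
  });

  // 3. Predefined tokens ($date rendered as ISO date here; the product's format is unspecified).
  out = out.replace(/\$sessionUser\b/g, escapeHtml(context.sessionUser));
  out = out.replace(/\$date\b/g, context.now.toISOString().slice(0, 10));

  // 4. Field tokens ${field} / ${field.sub}: escaped, then URLs defanged.
  out = out.replace(/\$\{([\w.]+)\}/g, (_, path) => {
    const v = dotWalk(record, path);
    return isNull(v) ? "" : defangUrls(escapeHtml(v));
  });
  return out;
}

// Constructed sample incident, template and resolver for the demonstration.
const SAMPLE_INCIDENT = {
  number: "SIR0010042",
  short_description: "Credential phishing <script>alert(1)</script>",
  problem: { category: "Phishing", url: "http://login.example.test/reset" },
  change: null,
};

const SAMPLE_TEMPLATE = [
  "Prepared by $sessionUser on $date",
  "Incident: ${number} - ${short_description}",
  "${if_not_null_start:problem}",
  "Problem Category: ${problem.category} (${problem.url})",
  "${if_not_null_end:problem}",
  "${if_not_null_start:change}Change: ${change.number}${if_not_null_end:change}",
  "${template_script:si_priority}",
].join("\n");

const SAMPLE_RESOLVERS = {
  "template_script:si_priority": (rec) => `<span class="p${rec.priority || 3}">P${rec.priority || 3}</span>`,
};

function renderSample() {
  const context = { sessionUser: "analyst.one", now: new Date("2024-08-01T00:00:00Z") };
  return renderTemplate(SAMPLE_TEMPLATE, SAMPLE_INCIDENT, context, SAMPLE_RESOLVERS);
}

console.log(renderSample());
```

In the sample output the problem block is rendered because problem has a value, the change block disappears entirely because change is null, the script tag in the short description is escaped rather than embedded, and the URL appears as http://login(dot)example(dot)test/reset.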
Report Configuration
Use the Report Configuration section to set up conditions and apply report templates to security incidents. You can add one primary report template and one or more additional report templates to the same condition.
An example configuration applies the Phishing Report template to incidents in the Phishing category and the Default Report template to all security incidents; the Default Report template is used whenever the more specific condition is not met.
Procedure to turn off the new implementation
- Deactivate the following business rules:
- Generate PIR PDF
- Create Knowledge On Closure New
- Activate the following business rules:
- Generate PIR when in Review and Close
- Create Knowledge On Closure
- Regen PIR on closure/cancel/delete
- Activate the UI rule, Hide PIR field when empty.
- Go to the form layout in the security incident form. Under Post Incident Review section:
- Remove PIR report picker from the PIR section
- Add the Post Incident Report field to the PIR section
Configure Post Incident Review (PIR) report properties for child security incidents
The following system properties control PIR behaviour for child security incidents:
| Property | Usage |
|---|---|
| sn_si.generate_pir_report_for_child_si | Enables generation of Post Incident Review (PIR) reports for child security incidents. |
| sn_si.include_child_si_timeline_in_pir | Includes the timeline of the child security incidents in the parent security incident's PIR report. |