Streamlining threat intelligence reporting with Elastic AI Assistant

Threat analysts play a crucial role in identifying and mitigating potential threats. However, the process of documenting these threats can be laborious. By using Elastic AI Assistant for Security, analysts can focus more on analyzing threats and less on the tedious aspects of reporting. By using Elastic AI Assistant for Security, we can pull relevant information from open source threat reporting and format that information using templates stored in the AI Assistant’s knowledge base. This approach is not a replacement for threat analysts but a tool to enhance their efficiency. 

Using Elastic AI Assistant for Security, threat intel professionals are able to analyze the information on the topic they’re reporting on in a standardized format conducive to their reporting workflow. This saves an enormous amount of time by removing many of the manual steps of gathering and normalizing threat data for specific reporting.

Every threat intel program will have its own processes for producing threat reporting. At Elastic, we’ve broken this process down into the nine steps below. However, the basic concepts of using Elastic AI Assistant can be modified and incorporated into virtually any workflow for producing threat reporting:

1. Understand the types of reports needed.

2. Create templates for each of those report types.

3. Use Elastic AI Assistant to store those templates in the knowledge base.

4. Develop a method for gathering threat reporting and data.

5. Feed threat data to Elastic AI Assistant for the appropriate templates.

6. Provide additional context or data.

7. Analyze the threat data within the report template for accuracy and understanding.

8. Provide the relevance, impact, and any recommendations.

9. Publish the report.

Using these workflows requires some setup for Elastic AI Assistant. Specific documentation for Elastic AI Assistant for Security is also available. Now, let’s dive deeper into each of the nine steps.

Every threat intelligence program is going to be different with different types of reporting requirements. Understanding the stakeholders and how they’re going to consume and use threat intel reporting is critical to a successful program. Some programs may only need one or two types of reports, while others may need many more than that. At Elastic, we use several types of templates to cater to different reporting needs. These include:

Intelligence report (INTREP): INTREPs provide a comprehensive overview of a specific threat, including detailed analysis and mitigation steps. This is our most common type of report. It can deal with anything from the discovery of a new malware family to a recent update of threat actor tactics, techniques, and procedures (TTPs.)

Significant activity report (SIGACT): These reports focus on specific, significant threat activities or incidents. Typically, this type of report will be produced to describe a widely publicized event, such as a large data breach or geopolitical event.

Threat trend report (TTR): TTRs analyze trends in threat activities over a period of time, helping to identify patterns and predict future threats. TTRs typically stem from other report types when several reports share common characteristics over time, such as repeated use of a specific TTP or attack themes that happen around certain times of year, such as tax season.

Threat actor profiles (TAP): TAPs profile specific threat actors, detailing their TTPs, historical activities, and potential targets. These reports are regularly updated when new information about a threat actor comes to light and help analysts understand how those threat groups operate and what potential future targets may be. 

FLASH reports: These reports are meant for topics that need to be disseminated quickly. Typically a FLASH report is used as a way to get information out to a wider audience while additional analysis takes place. It is not uncommon for a FLASH report to later be converted into a longer report of another type once additional analysis is complete.

The second step in this process is to create markdown templates for the different threat intel report types. These templates serve as a standardized format that ensures consistency and comprehensiveness in reporting. They will also allow the Elastic AI Assistant to put the appropriate information into the appropriate places, saving time and tedious effort for analysts.

There are a number of different ways to create these templates, but the best approach is the approach that works most efficiently for each specific threat intel program. At Elastic, we use Google Docs to create our templates using the branding, style, images, and sections that work for our needs. We then use the Markdown conversion tool built into Google Docs to convert our templates to the Markdown format. 

The process for other threat intel programs may look different, but the important part is that all of the templates for threat reporting are converted to Markdown so that Elastic AI Assistant can process them.

Once the markdown templates are created, the next step is to store them in Elastic AI Assistant's knowledge base (KB). This allows analysts to quickly retrieve and use these templates when needed.

Steps to store templates:

1. Access the Elastic AI Assistant: Open the Elastic AI Assistant interface. This can be done by clicking AI Assistant in the top right corner of Kibana. This will open a new prompt.

The next step is to feed the information from the specific threat articles being analyzed to the Elastic AI Assistant — either manually or in an automated fashion (check out these examples for inspiration). This is where the magic happens. The prompt should look something like this:

“Using the <template name> template stored in your knowledge base, analyze the following information and create a new <report type> report from the information.”

Once the template is populated, analysts review the report to ensure its accuracy and comprehensiveness. This step is crucial for maintaining the integrity of the report. Elastic AI Assistant is great at gathering data and putting it into the correct format and sections, but it is not perfect and 100% accuracy cannot be guaranteed. 

Reading through the report carefully in its current state ensures that the information provided has been correctly formatted to the template, while also giving the analyst an opportunity to gain better understanding of the topic and begin analysis. 

As efficient and smart as Elastic AI Assistant is, there are certain things that are just not meant to be done by a machine. And that’s where the value of a good analyst comes in. The analyst should have a solid understanding of the environment, organization, and technical factors that are relevant to the event being analyzed.

At this point, analysts will need to add their insights on the relevance, potential impact, and recommendations based on the threat data. This step uses the expertise of the analysts to provide actionable intelligence. Essentially, this is the step of taking threat data and turning it into something that is useful for internal stakeholders of the organization.

Now that most or all of the analysis is complete, it's time to put the report into a presentable format. This will differ greatly from program to program, depending on the methods used for dissemination and style guidelines. At Elastic, we take the report in Markdown format and import it into Google Docs for stylistic edits like adding pictures and formatting. But for other programs, this could be accomplished in basically any platform that the analyst would normally use to write and prepare reports. The important part is that the information has been gathered, analyzed, and put into a template that can be easily moved into another platform for publication.

Once the report has been drafted, this is it — the moment we’ve all been waiting for. It’s time to give the report one (or many) final read throughs, fix any formatting issues, add a good picture or two, and publish! The workflows for review and dissemination will be unique to each individual threat intelligence program and will likely need to take several things into account:

1. Who is this going to? Which individual stakeholders or teams would benefit from this report? 

2. Where should it live? What location would be best for the audience to ingest the report? Is it a messaging platform, a wiki page, an email blast, or somewhere else?

3. When should it be sent? Timing is everything, especially when publishing to centralized locations. Consider things like time zones, working hours, and vacation schedules when deciding when to publish and disseminate. Criticality of the information will also need to be taken into account to ensure that the report is still valuable when it’s received. It can definitely be a balancing act but should be considered when it’s time to publish. 

4. Are there any metrics to collect that can help drive the intelligence program forward? Many programs disseminate reporting and end the process there. Understanding what happens to a report after it’s been published can be a great value to a threat intelligence program. Who’s been reading the reports? How often do they read it? How quickly are the reports read once they’ve been published? The answers to all of these questions can help shape future reporting, dissemination workflows, and other aspects of the entire process to produce a better product. 

At Elastic, we use the logging already available for our dissemination channels (messaging platforms, shared drives, and wiki pages) to produce dashboards that show things like engagement rates, follow-up activities, and other metrics about reports we produce. By understanding which reports are being read more or less often, we can tailor the analysis conducted to the topics and threats that stakeholders are reading and using.

Elastic AI Assistant offers a powerful tool for enhancing threat intelligence reporting. By following these steps, analysts can produce high-quality reports more efficiently. This approach not only saves time but also ensures that threat intel reports are thorough and consistent. While Elastic AI Assistant aids in the reporting process, the expertise and insights of threat analysts remain irreplaceable — making this a valuable tool for enhancing their efficiency and effectiveness without losing the insights and knowledge gained from the threat analyst. 

Want to try Elastic AI Assistant for yourself? Download our free version and streamline threat intelligence report creation!