Reports & Export
Get findings out of Intreys and into the rest of your stack — analyst reports, threat-intel platforms, SIEMs, and ticketing systems.
Analyst reports
PDF report (Pro+)
From any session, Export → Report → PDF. Default report includes:
- Cover page with case ID, analyst, timeframe
- Executive summary (AI-optional)
- Risk gauge and protocol distribution charts
- All findings with severity, evidence, recommended action
- MITRE ATT&CK technique mapping
- IOC list (IPs, domains, hashes, URLs)
- Network topology diagram
- Timestamped event log appendix
Customize sections, branding, and template under Settings → Reports. Enterprise / MSSP can upload a custom logo and stylesheet for white-label reports.
DOCX report (Pro+)
Same content, editable in Microsoft Word / LibreOffice. Useful when you need to mark up the report before sharing.
HTML report
Single-file HTML with embedded charts. Useful for self-contained sharing without a printer or office suite.
Threat-intel export
STIX 2.1 (Pro+)
Standardized JSON bundle. Includes:
- indicator SDOs for IPs, domains, URLs, hashes
- sighting SROs linking indicators to your case
- identity for your organization
- course-of-action SDOs from analyst recommendations
- relationship SROs tying it together
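Before pushing a bundle of this shape to TAXII or MISP it is worth checking that every reference inside it resolves and pulling the indicators out as a flat IOC list. The following is an added example, not Intreys code; the sample bundle, its IDs, and the sid() helper are constructed for illustration.

```python
# Added example (not Intreys code): sanity-check a STIX 2.1 bundle of the shape
# described above before pushing it to TAXII or MISP. Sample objects are constructed.
import re

def sid(kind, d):
    """Constructed deterministic STIX id for sample data, e.g. indicator--2222...-2222."""
    return f"{kind}--{d*8}-{d*4}-4{d*3}-8{d*3}-{d*12}"

# Constructed sample bundle using the object types listed above.
SAMPLE_BUNDLE = {"type": "bundle", "id": sid("bundle", "0"), "objects": [
    {"type": "identity", "id": sid("identity", "1"), "name": "Example SOC",
     "identity_class": "organization"},
    {"type": "indicator", "id": sid("indicator", "2"), "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "created_by_ref": sid("identity", "1")},
    {"type": "indicator", "id": sid("indicator", "3"), "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "course-of-action", "id": sid("course-of-action", "4"),
     "name": "Block 198.51.100.7 at the perimeter"},
    {"type": "relationship", "id": sid("relationship", "5"),
     "relationship_type": "mitigates",
     "source_ref": sid("course-of-action", "4"), "target_ref": sid("indicator", "2")},
    {"type": "sighting", "id": sid("sighting", "6"),
     "sighting_of_ref": sid("indicator", "2"),
     # Deliberately dangling: identity 9 is not in the bundle.
     "where_sighted_refs": [sid("identity", "9")]},
]}

# Matches a single-comparison STIX pattern such as [ipv4-addr:value = '1.2.3.4'].
PATTERN_RE = re.compile(r"\[([\w-]+:[\w.]+)\s*=\s*'([^']*)'\]")

def dangling_refs(bundle):
    """Every (object_id, field, missing_id) whose *_ref/*_refs does not resolve in-bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, val in obj.items():
            refs = [val] if key.endswith("_ref") else val if key.endswith("_refs") else []
            missing += [(obj["id"], key, r) for r in refs if r not in ids]
    return missing

def ioc_list(bundle):
    """Flatten single-comparison STIX indicator patterns into (observable, value) pairs."""
    out = []
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("pattern_type") == "stix":
            m = PATTERN_RE.fullmatch(obj["pattern"])
            if m:
                out.append(m.groups())
    return out

if __name__ == "__main__":
    for problem in dangling_refs(SAMPLE_BUNDLE):
        print("dangling reference:", problem)
    print("IOCs:", ioc_list(SAMPLE_BUNDLE))
```

Only simple equality patterns are flattened; compound patterns (AND/OR, FOLLOWEDBY) are skipped rather than partially parsed.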
MISP (Pro+)
JSON event compatible with MISP 2.4+. Push directly to your MISP instance via the configured MISP URL/key, or download for manual import.
TAXII 2.1 (Pro+)
Push the STIX bundle to a TAXII collection. Configure server URL, API root, collection ID, and bearer token under Settings → TAXII.
Sigma rules (Pro+)
For each detection that fires, Intreys can synthesize a Sigma rule template. Useful for pushing into your detection-engineering pipeline.
MITRE Navigator JSON
Export your detection layer for use in attack-navigator.github.io. See MITRE mapping → Navigator export.
CSV / JSON
From any tabular view (Alerts, Flows, Hosts, IOCs):
- Export visible — only currently filtered/visible rows
- Export all — all rows in the dataset
JSON exports preserve nested structures; CSV exports flatten them into columns.
SIEM forwarding (Team)
- Splunk via HTTP Event Collector (HEC)
- Elastic via Elastic Common Schema (ECS) over Beats
- Syslog RFC 5424 / 3164, optionally over TLS
- Generic webhook — JSON POST to your endpoint
Forwarders push findings live as the pipeline emits them, not just at session-end. Configure under Settings → SIEM.
Programmatic export (REST API)
Pro+ ships a REST API. Highlights:
POST /api/upload # upload a PCAP, get session_id
GET /api/sessions/<id> # session metadata + status
GET /api/sessions/<id>/findings # findings JSON
GET /api/sessions/<id>/export?format=stix # STIX bundle
GET /api/sessions/<id>/export?format=pdf # PDF report
Authentication via bearer token or API key under Settings → API. The complete REST reference is bundled in the app under Help → API Reference; a public web reference is in development. Until then, contact [email protected] if you need the spec ahead of time.
Air-gapped export
Everything export-related works without internet. The only network calls are the optional ones you initiate (TAXII push, SIEM forward, MISP sync). The default file-based exports require no outbound traffic.