Exports and reports
Strixl Labs is not the only tool in your stack, and the data it produces isn't supposed to live only in its UI. Three export paths handle the common handoffs: CSV for automation, an Executive PDF for leadership, and an IR Handoff PDF for the people who get the ticket next.
CSV exports
From the Detections view, the Export menu gives you two CSVs:
- All pairs. Every source/destination pair in the upload, scored or not. Useful when you want to diff against your SIEM's view of the same traffic.
- All flagged pairs. Just the ones the engine flagged for review. Smaller, more focused.
Both CSVs include:
- Pair identifiers, ports, byte totals, session counts
- Score and severity
- JA3, JA4, JA4H, JA4X, and any known-bad matches
- ASN, organization, country, reverse DNS
- Threat-intel results per feed, one column per provider
- Severity modifiers that applied, with direction
- Your verdict (Malicious, Benign, or blank)
- Any notes you've attached
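One way to do the SIEM diff mentioned under All pairs, as an added example rather than Strixl Labs code. The column names (`src_ip`, `dst_ip`, `dst_port`, `bytes_total`, `severity`), the SIEM export layout, and the 10% byte tolerance are assumptions; check the header row of your own files and adjust.

```python
import csv
import io

# Constructed sample data. Column names are assumptions for illustration,
# not the documented export schema; adjust KEY and BYTES to your header row.
STRIXL_CSV = """src_ip,dst_ip,dst_port,bytes_total,severity
10.0.0.5,203.0.113.10,443,48210,high
10.0.0.7,198.51.100.23,443,1200,
10.0.0.9,192.0.2.44,8443,560,low
"""
SIEM_CSV = """src_ip,dst_ip,dst_port,bytes_total
10.0.0.5,203.0.113.10,443,48210
10.0.0.7,198.51.100.23,443,9900
10.0.0.12,192.0.2.80,53,310
"""
KEY = ("src_ip", "dst_ip", "dst_port")
BYTES = "bytes_total"


def load_pairs(text):
    """Index rows by (source, destination, port), summing bytes for repeated keys."""
    pairs = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple(row[c].strip() for c in KEY)
        pairs[key] = pairs.get(key, 0) + int(row[BYTES] or 0)
    return pairs


def diff_pairs(export_text, siem_text, tolerance=0.10):
    """Return pairs seen by one side only, and shared pairs whose byte totals disagree."""
    export, siem = load_pairs(export_text), load_pairs(siem_text)
    only_export = sorted(export.keys() - siem.keys())
    only_siem = sorted(siem.keys() - export.keys())
    mismatched = []
    for key in sorted(export.keys() & siem.keys()):
        a, b = export[key], siem[key]
        # Flag only differences larger than the tolerance, relative to the bigger total.
        if abs(a - b) > tolerance * max(a, b, 1):
            mismatched.append((key, a, b))
    return only_export, only_siem, mismatched


if __name__ == "__main__":
    only_export, only_siem, mismatched = diff_pairs(STRIXL_CSV, SIEM_CSV)
    print("Only in export:", only_export)
    print("Only in SIEM:  ", only_siem)
    print("Byte mismatch: ", mismatched)
```

Pairs that appear only in the export are the ones to check against your SIEM's log-source coverage for that traffic.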
Executive PDF
A one-to-three-page summary intended for the person who didn't watch the investigation unfold: a director, a CISO, a client sponsor. Structure:
- Summary. Upload window, total pairs scored, total flagged, count of confirmed-malicious pairs.
- Key findings. Up to five confirmed-malicious pairs with plain-language explanations.
- Recommended actions. Derived from the nature of the confirmed findings. Block-at-edge, endpoint check, containment.
- Appendix. Full list of flagged pairs with severity.
Generated from the Reports page. Tier-gated at Hunter and above.
IR Handoff PDF
The technical counterpart. Designed for an incident responder or forensics team picking up the work. Structure:
- Confirmed-malicious pairs with full evidence: fingerprints, intel, pattern summary, explain-why breakdown, notes.
- Indicators. IPs, domains, JA3/JA4/JA4H/JA4X hashes, certificate fingerprints, formatted for direct ingest into a SIEM or IR platform.
- Timeline. First-seen and last-seen per pair.
White-label reports
Partner plans can replace the Strixl Labs branding on both PDFs with their own logo, colors, and firm name. Useful if you're an MSSP delivering the report to a client. Set once per workspace under Settings, then Reports, then White-label.
API exports
Programmatic export over the REST API is a Partner-plan feature. See the REST API docs (coming soon) for endpoint details. Until then, scheduled exports are manual.
