To use these API endpoint, an API key is needed and can be found in every user profile under My settings > API Key.
+This specification applies to v2.4.0 > Iris > v2.3.7. The supported API version can be checked in Advanced > Server settings > Server versions on IRIS.
The API port is the same as the one used for the web interface, so 443 by default.
This version introduces access control. Every request now needs to have the cid=x parameter in the URI.
Deletion endpoints have been migrated from GET to POST. Deletion GET endpoints have been marqued as deprecated and are not available anymore.
v1.4.5 introduced the concept of custom attributes. These JSON objects that are stored into almost all case objects such as Assets, IOCs, etc. They are defined by administrators or modules and can vary from one objet to another despite being of the same type. Because of this, no definitive structure can be expected from these fields. They are all named custom_attributes.
Update the summary of a case. Carefull: this will trigger an overwrite of the summary. Summaries are shared interactively between users. If an update summary is issued, every user will receive the change and their locale changes will be lost.
The summary is a markdown-compatible text.
| cid required | string Case ID + |
| case_description required | string The updated summary + |
{- "case_description": "Dummy description",
- "cid": 1
}{- "data": 3837413706,
- "message": "Summary updated",
- "status": "success"
}Add a task log to the case. The task log is registered under Activities and is be availble in reports templating. +If CID is omitted, the default case of the calling user is used.
+| cid | string Case ID + |
| log_content required | string |
{- "log_content": "A test"
}{- "data": {
- "activity_date": "Fri, 21 Jan 2022 17:33:48 GMT",
- "activity_desc": "A test",
- "case": null,
- "case_id": 1,
- "id": 21632,
- "user": null,
- "user_id": 1,
- "user_input": true
}, - "message": "Log saved",
- "status": "success"
}Export a case in JSON format including all the information such as assets, iocs, etc. This request can take a very long time depending on the size of the case and is DB intensive.
The datastore is not part of the response and needs to be requested manually.
| cid required | string ID Of the case to export + |
{- "status": "success",
- "message": "",
- "data": {
- "case": {
- "name": "#1 - Initial Demo",
- "open_date": "2023-11-29",
- "description": "Dummy description",
- "soc_id": "soc_id_demo",
- "opened_by": "administrator",
- "for_customer": "IrisInitialClient",
- "close_date": null,
- "custom_attributes": null,
- "case_id": 1,
- "case_uuid": "da80a133-d3c2-40bd-a0ba-8966ef7679a3",
- "status_id": 0,
- "status_name": "unknown"
}, - "evidences": [
- {
- "filename": "A super evidence",
- "date_added": "2023-11-29T15:52:11.216704",
- "file_hash": "dhjajhdkadqw",
- "added_by": "administrator",
- "custom_attributes": { },
- "file_uuid": "6287ebbc-4332-4f37-b8d8-c9e70e238c08",
- "id": 1,
- "file_size": 0
}
], - "timeline": [
- {
- "event_id": 2,
- "event_title": "A second event",
- "event_in_summary": true,
- "event_date": "2023-11-03T23:03:00.003000",
- "event_tz": "+01:00",
- "event_date_wtz": "2023-11-04T00:03:00.003000",
- "event_content": "Super event",
- "event_tags": "logs",
- "event_source": "MySource",
- "event_raw": "Raw event log",
- "custom_attributes": { },
- "category": "Command and Control",
- "last_edited_by": "administrator",
- "event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
- "event_in_graph": true,
- "event_color": "#F2596199",
- "event_is_flagged": false,
- "assets": [
- "LinuxServer (Linux - Server)",
- "main_router (Router)"
], - "iocs": [
- {
- "ioc_id": 1,
- "ioc_value": "root",
- "ioc_description": "",
- "tlp_name": "amber",
- "type": "account"
}
]
}, - {
- "event_id": 3,
- "event_title": "A third event ",
- "event_in_summary": true,
- "event_date": "2023-11-03T23:03:00.003000",
- "event_tz": "+01:00",
- "event_date_wtz": "2023-11-04T00:03:00.003000",
- "event_content": "Super event",
- "event_tags": "logs",
- "event_source": "MySource",
- "event_raw": "Raw event log",
- "custom_attributes": { },
- "category": "Command and Control",
- "last_edited_by": "administrator",
- "event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
- "event_in_graph": true,
- "event_color": "#F2596199",
- "event_is_flagged": false,
- "assets": [
- "LinuxServer (Linux - Server)",
- "main_router (Router)"
], - "iocs": [
- {
- "ioc_id": 1,
- "ioc_value": "root",
- "ioc_description": "",
- "tlp_name": "amber",
- "type": "account"
}
]
}, - {
- "event_id": 1,
- "event_title": "An event ",
- "event_in_summary": true,
- "event_date": "2023-11-09T23:03:00.003000",
- "event_tz": "+01:00",
- "event_date_wtz": "2023-11-10T00:03:00.003000",
- "event_content": "Super event",
- "event_tags": "logs",
- "event_source": "MySource",
- "event_raw": "Raw event log",
- "custom_attributes": { },
- "category": "Command and Control",
- "last_edited_by": "administrator",
- "event_uuid": "7c8a624f-6017-4ccd-a93f-7ef702cc24dd",
- "event_in_graph": true,
- "event_color": "#48ABF799",
- "event_is_flagged": false,
- "assets": [
- "LinuxServer (Linux - Server)",
- "main_router (Router)"
], - "iocs": [
- {
- "ioc_id": 1,
- "ioc_value": "root",
- "ioc_description": "",
- "tlp_name": "amber",
- "type": "account"
}
]
}
], - "iocs": [
- {
- "ioc_value": "root",
- "type_name": "account",
- "ioc_tags": "router",
- "ioc_description": "",
- "custom_attributes": { },
- "ioc_id": 1,
- "ioc_uuid": "94188da2-ca10-4299-ad73-0689719a61c3",
- "tlp_name": "amber",
- "added_by": "administrator"
}
], - "assets": [
- {
- "asset_id": 1,
- "asset_uuid": "4c8211fb-676e-4d84-9164-2c62d2c82558",
- "asset_name": "LinuxServer",
- "asset_description": "The super service ",
- "asset_compromise_status_id": 2,
- "type": "Linux - Server",
- "analysis_status": "Canceled",
- "date_added": "2023-11-29T15:40:13.759084",
- "asset_domain": "local.local",
- "asset_ip": "127.0.0.1",
- "asset_info": "",
- "asset_tags": "test",
- "custom_attributes": { },
- "light_asset_description": "The super service ",
- "asset_ioc": [
- {
- "ioc_value": "root",
- "type_name": "account",
- "ioc_description": ""
}
], - "asset_compromise_status": "Not Compromised"
}, - {
- "asset_id": 2,
- "asset_uuid": "7371f6fd-17dc-42d7-b21b-43824b71abb3",
- "asset_name": "main_router",
- "asset_description": "",
- "asset_compromise_status_id": 1,
- "type": "Router",
- "analysis_status": "To be done",
- "date_added": "2023-11-29T15:40:41.128370",
- "asset_domain": "local.local",
- "asset_ip": "192.168.1.3",
- "asset_info": "",
- "asset_tags": "router",
- "custom_attributes": { },
- "light_asset_description": "",
- "asset_ioc": [
- {
- "ioc_value": "root",
- "type_name": "account",
- "ioc_description": ""
}
], - "asset_compromise_status": "Compromised"
}
], - "tasks": [
- {
- "task_title": "A task",
- "task_status": "In progress",
- "task_tags": "task1",
- "task_open_date": "2023-11-29T15:48:49.811798",
- "task_close_date": null,
- "task_last_update": "2023-11-29T15:48:49.811798",
- "task_description": "Task description ",
- "custom_attributes": { },
- "task_uuid": "0693c71b-b4f7-41cd-a12a-0dcd24519e7f",
- "id": 1,
- "task_assignees": [
- {
- "user": "administrator",
- "name": "administrator",
- "id": 1
}
]
}, - {
- "task_title": "Another task",
- "task_status": "To do",
- "task_tags": "tas",
- "task_open_date": "2023-11-29T15:49:09.053863",
- "task_close_date": null,
- "task_last_update": "2023-11-29T15:49:09.053863",
- "task_description": "Another task description",
- "custom_attributes": { },
- "task_uuid": "6d27e7f2-3310-454e-aebf-00432ebbfb2d",
- "id": 2,
- "task_assignees": [
- {
- "user": "administrator",
- "name": "administrator",
- "id": 1
}
]
}
], - "comments": [ ],
- "notes": [
- {
- "note_title": "Something else",
- "note_content": "A nother note content",
- "note_creationdate": "2023-11-29T15:39:02.056124",
- "note_lastupdate": "2023-11-29T15:39:30.039339",
- "custom_attributes": { },
- "note_id": 1,
- "note_uuid": "71a50086-2b11-4d80-8916-e94bd93ad28b",
- "group_title": "A note group A",
- "group_id": 1,
- "group_user": 1
}, - {
- "note_title": "And another thing",
- "note_content": "A note content",
- "note_creationdate": "2023-11-29T15:39:11.127181",
- "note_lastupdate": "2023-11-29T15:39:23.065014",
- "custom_attributes": { },
- "note_id": 2,
- "note_uuid": "641943a8-767a-4789-a02c-1475243cbb37",
- "group_title": "A note group B",
- "group_id": 2,
- "group_user": 1
}
], - "export_date": "2023-11-29T15:52:18.839881"
}
}Get a list of the assets linked to the case.
+| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "assets": [
- {
- "asset_id": 57,
- "asset_uuid": "c6598fd0-836a-4fc4-87c1-6f03348eadeb",
- "asset_name": "FILESERVER1231",
- "asset_type": "Windows - Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 10,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 79,
- "asset_uuid": "0955016b-c1aa-44e1-a5c6-0b538eac7d9f",
- "asset_name": "Test_DFIR",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "",
- "asset_domain": "example.com",
- "asset_compromise_status_id": 1,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 1,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 82,
- "asset_uuid": "305c5569-b818-4518-b7cd-cfd07a1033ca",
- "asset_name": "DC01",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "",
- "asset_domain": "domain.local",
- "asset_compromise_status_id": 0,
- "asset_ip": "10.0.0.8",
- "asset_type_id": 11,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [
- {
- "case_name": "#583 - [ALERT] VPN Exploit 1208",
- "case_open_date": "2023-08-28",
- "asset_description": "",
- "asset_compromise_status_id": 2,
- "asset_id": 3822,
- "case_id": 583
}
], - "ioc_links": null
}, - {
- "asset_id": 36,
- "asset_uuid": "3b16900a-72a2-46f2-a4e9-880de044c2ad",
- "asset_name": "User1_FRZ",
- "asset_type": "Firewall",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 1,
- "asset_ip": "",
- "asset_type_id": 2,
- "analysis_status": "Pending",
- "analysis_status_id": 4,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3723,
- "asset_uuid": "82c5f2a8-a050-4c23-9616-f5d6713bcf1e",
- "asset_name": "DE100",
- "asset_type": "Router",
- "asset_icon_compromised": "ioc_router.png",
- "asset_icon_not_compromised": "router.png",
- "asset_description": "Deutsh router",
- "asset_domain": "",
- "asset_compromise_status_id": 1,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 12,
- "analysis_status": "Pending",
- "analysis_status_id": 4,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3777,
- "asset_uuid": "e43b9a3d-37d6-4034-a5ff-2c5252ca9e33",
- "asset_name": "user1",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "user account ",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 1,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3706,
- "asset_uuid": "8d04103e-dcfc-40c6-b9d9-f84a77dd823c",
- "asset_name": "ad v mojej domene",
- "asset_type": "Windows Account - AD",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "domenovy dacid c 1",
- "asset_domain": "pravda.sk",
- "asset_compromise_status_id": 3,
- "asset_ip": "195.28.85.54",
- "asset_type_id": 18,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "pravda.sk",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 38,
- "asset_uuid": "97eaf383-50d6-4f6f-9649-51dc8560fd41",
- "asset_name": "EndpointDevice1",
- "asset_type": "Windows - Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 9,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 47,
- "asset_uuid": "ba08841b-80c2-4b55-b296-77f27630d55c",
- "asset_name": "DC01",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": " \n\n<test><script>\n# Test \nDescription and analysis of the machine \nSome other things to do\n\n\n## Another test \nAnd again another testing \n\n### And yet again another test\nOr something else you wanna do ",
- "asset_domain": "acme.local",
- "asset_compromise_status_id": 1,
- "asset_ip": "192.168.0.1",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "1.3.4.2",
- "link": [
- {
- "case_name": "#583 - [ALERT] VPN Exploit 1208",
- "case_open_date": "2023-08-28",
- "asset_description": "",
- "asset_compromise_status_id": 2,
- "asset_id": 3822,
- "case_id": 583
}
], - "ioc_links": null
}, - {
- "asset_id": 37,
- "asset_uuid": "7a0278a2-618d-461e-921e-7cbc0bad3004",
- "asset_name": "User2",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 1,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3749,
- "asset_uuid": "e4ca3e33-28f0-43f4-8c68-a79949a9fbb0",
- "asset_name": "DC03",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Das sind DC",
- "asset_domain": "NORTH",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3750,
- "asset_uuid": "34dba357-7983-4eec-8627-30a5f2b48cc4",
- "asset_name": "DC01",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Das sind DC",
- "asset_domain": "NORTH",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [
- {
- "case_name": "#583 - [ALERT] VPN Exploit 1208",
- "case_open_date": "2023-08-28",
- "asset_description": "",
- "asset_compromise_status_id": 2,
- "asset_id": 3822,
- "case_id": 583
}
], - "ioc_links": null
}, - {
- "asset_id": 2429,
- "asset_uuid": "1a9201a9-8d03-44b3-a47a-16c9a780849e",
- "asset_name": "Phone - IOS-4869",
- "asset_type": "Phone - IOS",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": null,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 8,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 407,
- "ioc_value": "ec3e51e46aae",
- "asset_id": 2429
}, - {
- "ioc_id": 788,
- "ioc_value": "bsaoln.gov",
- "asset_id": 2429
}
]
}, - {
- "asset_id": 3872,
- "asset_uuid": "11925eb0-b205-419f-81cf-fe550a6a6986",
- "asset_name": "trreeree",
- "asset_type": "Windows - Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 9,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3881,
- "asset_uuid": "9a911ef8-3f40-4aaa-a6e0-4ea880bf8d49",
- "asset_name": "DCSERER.com",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "thsis is DC serer",
- "asset_domain": "myDC.com",
- "asset_compromise_status_id": 1,
- "asset_ip": "10.10.10.1",
- "asset_type_id": 11,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 83,
- "asset_uuid": "7fb6eec5-ebef-4abd-ab31-4b31b96266f5",
- "asset_name": "MV-422",
- "asset_type": "Windows - Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Maquina de pruebas",
- "asset_domain": "",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 10,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3857,
- "asset_uuid": "763d9ac5-b858-40b6-b6eb-5b905402d0c3",
- "asset_name": "Super Dadmin",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "",
- "asset_domain": "",
- "asset_compromise_status_id": 1,
- "asset_ip": "",
- "asset_type_id": 1,
- "analysis_status": "Done",
- "analysis_status_id": 6,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 75,
- "asset_uuid": "50899fe4-5ef6-420d-aef6-55fe6febf6f5",
- "asset_name": "aaa",
- "asset_type": "Switch",
- "asset_icon_compromised": "ioc_switch.png",
- "asset_icon_not_compromised": "switch.png",
- "asset_description": "asdfdfgsdfg",
- "asset_domain": "sdfgh",
- "asset_compromise_status_id": 0,
- "asset_ip": "435445",
- "asset_type_id": 13,
- "analysis_status": "Started",
- "analysis_status_id": 3,
- "asset_tags": "455,type",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 2548,
- "asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
- "asset_name": "WAF-301",
- "asset_type": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": 2,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 15,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 1135,
- "ioc_value": "aunnrzg.co.uk",
- "asset_id": 2548
}, - {
- "ioc_id": 349,
- "ioc_value": "ufrsmrdxlqq.org",
- "asset_id": 2548
}
]
}, - {
- "asset_id": 2547,
- "asset_uuid": "e72f8566-3437-4693-b5e7-e41122c93a4e",
- "asset_name": "Account-244",
- "asset_type": "Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": null,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 1,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 1135,
- "ioc_value": "aunnrzg.co.uk",
- "asset_id": 2547
}, - {
- "ioc_id": 349,
- "ioc_value": "ufrsmrdxlqq.org",
- "asset_id": 2547
}
]
}, - {
- "asset_id": 3906,
- "asset_uuid": "6a6cb41a-024f-4af6-a8b8-d75ef2c97728",
- "asset_name": "waf protecting middle earth from nasty goblins",
- "asset_type": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_description": "",
- "asset_domain": "fortheshire.com",
- "asset_compromise_status_id": 0,
- "asset_ip": "",
- "asset_type_id": 15,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 2430,
- "asset_uuid": "07b9310a-887e-4277-b8a8-61c78cae05ec",
- "asset_name": "Linux - Server-1240",
- "asset_type": "Linux - Server",
- "asset_icon_compromised": "ioc_server.png",
- "asset_icon_not_compromised": "server.png",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_compromise_status_id": null,
- "asset_ip": "1.1.1.1",
- "asset_type_id": 3,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "tag1,tag2",
- "link": [ ],
- "ioc_links": [
- {
- "ioc_id": 407,
- "ioc_value": "ec3e51e46aae",
- "asset_id": 2430
}, - {
- "ioc_id": 788,
- "ioc_value": "bsaoln.gov",
- "asset_id": 2430
}
]
}, - {
- "asset_id": 3748,
- "asset_uuid": "765f6970-bd9c-41e8-af6b-b050c30c4c7a",
- "asset_name": "DC02",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "Das sind DC",
- "asset_domain": "NORTH",
- "asset_compromise_status_id": 1,
- "asset_ip": "",
- "asset_type_id": 11,
- "analysis_status": "To be done",
- "analysis_status_id": 2,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}, - {
- "asset_id": 3641,
- "asset_uuid": "5f99e1ab-bc09-4a0b-b344-6279862c55cc",
- "asset_name": "DC02",
- "asset_type": "Windows - DC",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_description": "adadsasd",
- "asset_domain": "nevele",
- "asset_compromise_status_id": 0,
- "asset_ip": "123",
- "asset_type_id": 11,
- "analysis_status": "Unspecified",
- "analysis_status_id": 1,
- "asset_tags": "",
- "link": [ ],
- "ioc_links": null
}
], - "state": {
- "object_state": 56,
- "object_last_update": "2024-01-04T15:52:02.088544"
}
}
}Fetch an asset.
+| asset_id required | integer |
| cid required | string Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_description": "WAF",
- "asset_id": 15,
- "asset_name": "WAF"
}, - "asset_type_id": 15,
- "case_id": 1,
- "asset_description": "Asset description",
- "asset_id": 2548,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": "",
- "user_id": 4,
- "date_added": "2024-01-04T13:20:43.522581",
- "date_update": "2024-01-04T13:20:43.522598",
- "asset_name": "WAF-301",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": 2,
- "asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
- "asset_domain": "",
- "linked_ioc": [
- {
- "ioc_id": 1135,
- "ioc_value": "aunnrzg.co.uk",
- "ioc_tags": "tag1,tag2",
- "ioc_type_id": 22,
- "type_name": "email",
- "ioc_description": "description_hey",
- "ioc_tlp_id": 2
}, - {
- "ioc_id": 349,
- "ioc_value": "ufrsmrdxlqq.org",
- "ioc_tags": "tag1,tag2",
- "ioc_type_id": 22,
- "type_name": "email",
- "ioc_description": "description_hey",
- "ioc_tlp_id": 2
}
]
}
}Create an asset and link it to the case.
+| cid required | integer Case ID + |
| asset_type_id required | string |
| asset_domain | string |
| asset_ip | string |
| asset_info | string |
| asset_compromise_status_id | string |
| analysis_status_id | string |
| ioc_links | Array of strings |
| asset_name required | string |
| asset_tags | string |
| asset_description | string |
| custom_attributes | object |
{- "asset_type_id": "9",
- "asset_domain": "iris.local",
- "asset_ip": "127.0.0.1",
- "asset_info": "",
- "asset_compromise_status_id": "1",
- "analysis_status_id": "3",
- "ioc_links": [
- "30"
], - "asset_name": "admin_laptop",
- "asset_tags": "anewtag",
- "asset_description": "A host description",
- "custom_attributes": { }
}{- "status": "success",
- "message": "Asset added",
- "data": {
- "asset_enrichment": null,
- "asset_type": {
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_description": "Standard Windows Computer",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}, - "asset_type_id": 9,
- "case_id": 1,
- "asset_description": "A host description",
- "asset_id": 3912,
- "analysis_status_id": 3,
- "custom_attributes": { },
- "asset_info": "",
- "user_id": 1,
- "date_added": "2024-01-09T13:25:51.328503",
- "date_update": "2024-01-09T13:25:51.328506",
- "asset_name": "admin_laptop",
- "asset_ip": "127.0.0.1",
- "asset_tags": "anewtag",
- "asset_compromise_status_id": 1,
- "asset_uuid": "5914a960-d6d5-4e18-9665-613037d8f702",
- "asset_domain": "iris.local"
}
}Update an asset
+| asset_id required | string ID of the asset to update + |
| cid required | integer Case ID + |
| asset_name required | string |
| asset_type_id required | string |
| asset_domain | string |
| asset_ip | string |
| asset_info | string |
| asset_compromise_status_id | string |
| analysis_status_id | string |
| ioc_links | Array of strings |
| asset_tags | string |
| asset_description | string |
| custom_attributes | object |
{- "asset_name": "admin_laptop",
- "asset_type_id": "9",
- "asset_domain": "iris.local",
- "asset_ip": "127.0.0.1",
- "asset_info": "",
- "asset_compromise_status_id": "1",
- "analysis_status_id": "3",
- "ioc_links": [
- "30"
], - "asset_tags": "anewtag",
- "asset_description": "A host description",
- "custom_attributes": { }
}{- "status": "success",
- "message": "Updated asset admin_laptop",
- "data": {
- "asset_enrichment": { },
- "asset_type": {
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_description": "Standard Windows Computer",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}, - "asset_type_id": 9,
- "case_id": 1,
- "asset_description": "A host description",
- "asset_id": 2548,
- "analysis_status_id": 3,
- "custom_attributes": { },
- "asset_info": "",
- "user_id": 4,
- "date_added": "2024-01-04T13:20:43.522581",
- "date_update": "2024-01-04T13:20:43.522598",
- "asset_name": "admin_laptop",
- "ioc_links": [
- 30
], - "asset_ip": "127.0.0.1",
- "asset_tags": "anewtag",
- "asset_compromise_status_id": 1,
- "asset_uuid": "9d188714-5251-41f3-817b-3b1c8515de06",
- "asset_domain": "iris.local"
}
}This endpoint is deprecated. Use the POST equivalent.
+| asset_id required | string ID of the note to delete + |
| cid required | string Case ID + |
{- "data": [ ],
- "message": "Deleted",
- "status": "success"
}Delete an asset based on its ID. If the asset is linked to an event, the reference is deleted but not the event.
+| asset_id required | string ID of the note to delete + |
| cid required | integer Case ID + |
{- "value": {
- "data": [ ],
- "message": "Deleted",
- "status": "success"
}
}This endpoint is deprecated. Use /case/notes/directories/filter.
| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "groups": [
- {
- "group_id": 186,
- "group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
- "group_title": "Group 186",
- "notes": [
- {
- "note_id": 110,
- "note_uuid": "45df996f-f96d-4162-a5eb-2ddb66500d97",
- "note_title": "Test Note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-29T19:21:48.799248"
}, - {
- "note_id": 1620,
- "note_uuid": "c47a232f-ccce-4883-ace2-b071c31ba009",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-14T17:50:03.136531"
}, - {
- "note_id": 1733,
- "note_uuid": "56a0bea6-e65b-4ff9-9000-a3f34b162d83",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-11-24T14:10:31.487938"
}, - {
- "note_id": 1834,
- "note_uuid": "9176ddd1-fb35-41f3-ba4e-e26f32fede8b",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-07T14:50:05.324440"
}, - {
- "note_id": 1953,
- "note_uuid": "6d34d408-df68-45c1-a92a-d7fb1e962993",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-04T15:50:06.758144"
}
]
}, - {
- "group_id": 192,
- "group_uuid": "39434f81-9b8f-4540-9818-96b3dae0a48e",
- "group_title": "Investigation",
- "notes": [
- {
- "note_id": 856,
- "note_uuid": "bcd2f25c-e329-4ef0-b2fb-1b68ee4ef537",
- "note_title": "IOC ?",
- "user": "adm_1",
- "note_lastupdate": "2023-12-08T02:23:07.030130"
}, - {
- "note_id": 1820,
- "note_uuid": "6d293b2c-06b7-422a-887b-284bf559636d",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-05T03:20:09.078152"
}, - {
- "note_id": 1934,
- "note_uuid": "f3b28930-844e-4edb-936d-12d87231aeaf",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-02T06:44:34.079779"
}, - {
- "note_id": 1954,
- "note_uuid": "12b4a4a8-d0a9-49ff-9b97-3ad43c6aa86e",
- "note_title": "testing stuff for frodo on the one ring server",
- "user": "adm_1",
- "note_lastupdate": "2024-01-04T15:50:44.699016"
}
]
}, - {
- "group_id": 223,
- "group_uuid": "7538ceb3-e7c2-4ca8-911d-031a66f0f2fc",
- "group_title": "Group 223",
- "notes": [
- {
- "note_id": 213,
- "note_uuid": "066e24c2-85ca-41a5-b982-91f44dd92ebe",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-03-31T22:35:43.435906"
}
]
}, - {
- "group_id": 229,
- "group_uuid": "3bec5c22-ae2e-415a-9eee-18b10ace47df",
- "group_title": "Group 229",
- "notes": [
- {
- "note_id": 530,
- "note_uuid": "b5a5403a-2bf6-4649-bf78-2a476d0b31da",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-06-06T07:18:08.899797"
}
]
}, - {
- "group_id": 230,
- "group_uuid": "80c4fb87-e939-42b5-863e-11be4c4c8991",
- "group_title": "Group 230",
- "notes": [
- {
- "note_id": 774,
- "note_uuid": "294ab835-cc02-4ae5-a04c-821cde72b623",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-07-27T06:33:29.931800"
}
]
}, - {
- "group_id": 316,
- "group_uuid": "ba1e558b-cc24-46ee-b192-a6fe2a3a03ec",
- "group_title": "Group 316",
- "notes": [
- {
- "note_id": 1757,
- "note_uuid": "8f909d5a-07d7-4f81-afad-767c860253ba",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-11-29T22:28:49.316698"
}
]
}, - {
- "group_id": 317,
- "group_uuid": "46a1c5d4-8e18-42e0-89f4-906c1e0bd288",
- "group_title": "Group 317",
- "notes": [ ]
}, - {
- "group_id": 318,
- "group_uuid": "c64875de-5cdb-43b9-b49f-ba523e8b610d",
- "group_title": "Group 318",
- "notes": [
- {
- "note_id": 1732,
- "note_uuid": "b16a7bdb-698a-4c7a-be56-2deb64f4d949",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-11-24T00:05:45.580907"
}
]
}, - {
- "group_id": 319,
- "group_uuid": "ce1c592c-3df6-43ea-9cbd-894f30a56bf0",
- "group_title": "Group 319",
- "notes": [ ]
}, - {
- "group_id": 320,
- "group_uuid": "970e0a0d-f28f-4192-8239-7831c4560367",
- "group_title": "Group 320",
- "notes": [
- {
- "note_id": 239,
- "note_uuid": "a714b7a3-8344-4b15-ba24-d1722adcfe65",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-04-12T13:14:48.811734"
}
]
}, - {
- "group_id": 351,
- "group_uuid": "71d555a9-4060-411a-be2f-f0d33793c647",
- "group_title": "new group",
- "notes": [
- {
- "note_id": 276,
- "note_uuid": "5217a534-e236-4516-8d44-dfd0d6fcbdcb",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-04-27T09:27:18.650654"
}
]
}, - {
- "group_id": 385,
- "group_uuid": "8eb53b45-1226-4468-ace1-2d10f7831a6f",
- "group_title": "Group 385",
- "notes": [ ]
}, - {
- "group_id": 562,
- "group_uuid": "1dfe7ef3-7597-4d4b-9096-3e390e011b40",
- "group_title": "Group 562",
- "notes": [
- {
- "note_id": 1831,
- "note_uuid": "c305d4e1-adcd-410d-8d56-d73364faff34",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-07T10:20:18.227276"
}
]
}, - {
- "group_id": 563,
- "group_uuid": "a5094fd7-02d0-44b0-beeb-c8b3d3e8f8e8",
- "group_title": "Group 563",
- "notes": [ ]
}, - {
- "group_id": 565,
- "group_uuid": "bcd7ac17-064f-49b9-941b-a5e01b82cfdb",
- "group_title": "Group 565",
- "notes": [
- {
- "note_id": 696,
- "note_uuid": "5d45d634-f463-4400-840a-646423e9c152",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-07-12T08:35:22.251498"
}
]
}, - {
- "group_id": 589,
- "group_uuid": "c111f93c-622d-4954-9592-da4406109897",
- "group_title": "Group 589",
- "notes": [ ]
}, - {
- "group_id": 590,
- "group_uuid": "2e38b22f-f3b8-4345-b110-a735d1afb228",
- "group_title": "Group 590",
- "notes": [
- {
- "note_id": 1789,
- "note_uuid": "e8f3943a-778a-4850-be22-0fb9fca7eeed",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-01T16:06:25.564707"
}
]
}, - {
- "group_id": 615,
- "group_uuid": "1555f460-e29a-4a1e-a438-b02309b4e9ef",
- "group_title": "Group 615",
- "notes": [ ]
}, - {
- "group_id": 731,
- "group_uuid": "11e3e6d1-ab59-4c39-a478-420c865e7e69",
- "group_title": "Group 731",
- "notes": [
- {
- "note_id": 730,
- "note_uuid": "7e45074a-e828-45b6-95c3-1c2d50854d31",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-07-20T07:08:09.733633"
}
]
}, - {
- "group_id": 748,
- "group_uuid": "2af357bf-9a8a-4a82-b047-6d2804b5de8b",
- "group_title": "Group 748",
- "notes": [ ]
}, - {
- "group_id": 766,
- "group_uuid": "f55a2e9e-ab3e-4e89-9bcb-3a082c677e73",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1276,
- "note_uuid": "17d9b1b2-7788-4588-9a8b-59a4cd014cce",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-09-22T08:28:12.315640"
}
]
}, - {
- "group_id": 767,
- "group_uuid": "04e13560-18c1-48fc-b8ff-31f49dd9f8fd",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 798,
- "note_uuid": "947019ef-f587-417f-b2be-1f02cb083add",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-07-31T11:41:40.057720"
}
]
}, - {
- "group_id": 801,
- "group_uuid": "b68617d8-a1c5-43a3-ac0f-490fb884f615",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 802,
- "group_uuid": "4443a8b5-08c7-432f-971c-48413073487d",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 912,
- "group_uuid": "cfde6d2d-5985-4276-8e5e-a7836df5a0b3",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 916,
- "group_uuid": "ff8c3646-75ff-417a-81b5-8b6555be49ee",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1606,
- "note_uuid": "e9358f9c-ef82-4754-b6df-12344b053a91",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-11-06T02:32:11.434290"
}
]
}, - {
- "group_id": 984,
- "group_uuid": "31cc129c-f097-469b-a97b-ffde2c3e52da",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 985,
- "group_uuid": "1f455c92-7985-4abe-bd45-b7412691a026",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1933,
- "note_uuid": "60c88bb5-78bd-4f2e-8eb2-d77d7cbf2b2d",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-02T06:44:22.177576"
}
]
}, - {
- "group_id": 986,
- "group_uuid": "baa949b7-7dc0-4b9c-bb91-58748d2d4914",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1122,
- "group_uuid": "25bc6402-53f8-4165-82a6-7e098ad3dfce",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1141,
- "group_uuid": "78ed4c55-bd49-4cd9-8d59-0a3461063529",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1142,
- "group_uuid": "3647e416-e782-47c6-bfc0-9ee42e835345",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1169,
- "group_uuid": "536404d9-ceb1-4e52-bcdc-6a5fb1faa0dd",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1277,
- "note_uuid": "dd310051-550c-40ff-b5fc-53fa5e022997",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-09-22T08:28:23.443734"
}
]
}, - {
- "group_id": 1235,
- "group_uuid": "76924746-b2e2-4088-afad-b0e88161a756",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1289,
- "group_uuid": "aeb2e9b0-a0ee-4c09-9be8-60123ebc86ea",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1290,
- "group_uuid": "16114da7-40ed-4864-8c3c-f63b1b1c5b6e",
- "group_title": "New notes group",
- "notes": [
- {
- "note_id": 1919,
- "note_uuid": "d72525a6-81c0-44ca-8ec5-76dea8ccd9df",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-27T16:15:24.956701"
}
]
}, - {
- "group_id": 1291,
- "group_uuid": "60b1fd6b-24a2-4f82-aeec-25d48858a1a7",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1292,
- "group_uuid": "c26094d8-5284-4270-b8e7-854e0306d378",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1329,
- "group_uuid": "9a950733-4825-436f-b5d8-5b7be9fd130e",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1378,
- "group_uuid": "c731447c-52d9-462e-b006-548cdba13fbe",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1384,
- "group_uuid": "07617992-8300-4023-99ae-933e7b3cd8ed",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1385,
- "group_uuid": "72e5a1a1-3853-42fc-a8b6-4765043ce12f",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1425,
- "group_uuid": "1b42b99b-8479-47bc-84dc-7992c2ddaab7",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1442,
- "group_uuid": "47436e25-8bd9-4926-adab-3a74e5131a73",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1498,
- "group_uuid": "7a0b754a-096b-4b94-a3d5-8cda257f42d5",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1499,
- "group_uuid": "126968ba-cc9f-42fe-87d3-f48ce6cdf034",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1505,
- "group_uuid": "e417f7a3-9d61-416b-aa59-ecc2f623da6b",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1506,
- "group_uuid": "4afff67b-9eb9-42fa-ae37-b54cbc170e8e",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1507,
- "group_uuid": "40e12b26-3ae9-47aa-ae28-15e46a777ab9",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1510,
- "group_uuid": "7247267b-3e14-4154-93a5-ba388c45b7e0",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1511,
- "group_uuid": "87d73fcb-3dba-4fda-920e-9c315a5023eb",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1512,
- "group_uuid": "dd28240f-0edf-484f-b904-c5e71de8ccac",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1526,
- "group_uuid": "20947604-dc3a-40f9-a68d-2c758ae05e8a",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1527,
- "group_uuid": "a489154f-a436-4a29-97b0-0a2554eda575",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1528,
- "group_uuid": "40f9fa9e-3895-4de2-9f73-c64dc398771d",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1530,
- "group_uuid": "ec3ab46b-ae85-4734-8db7-2d4895f57bd0",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1531,
- "group_uuid": "7db00392-05ac-489a-8de9-0a0fc93c761d",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1532,
- "group_uuid": "318a8ee3-b405-4381-9161-8e40af979e57",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1545,
- "group_uuid": "485c039f-5baf-4b1c-a0a8-c20660ef8c5f",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1583,
- "group_uuid": "c49962b4-39c8-4a21-82de-8eb659f2b106",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1602,
- "group_uuid": "ff1b79ed-12ed-475d-9ab7-4cfb1e073480",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1639,
- "group_uuid": "de3d38eb-9a5b-4f87-99d6-d6c610d32ac3",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1657,
- "group_uuid": "d07e3f4c-ba88-4586-94f8-1cc3d7239cad",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1665,
- "group_uuid": "f3d66447-fad7-44f5-9831-5a25486f8408",
- "group_title": "New notes group",
- "notes": [ ]
}, - {
- "group_id": 1675,
- "group_uuid": "b384e358-6cd3-4773-b6b8-8e47e963cc8d",
- "group_title": "New notes group",
- "notes": [ ]
}
], - "state": {
- "object_state": 215,
- "object_last_update": "2024-01-04T15:50:13.728362"
}
}
}List the directories and notes associated to it.
+| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": [
- {
- "id": 5,
- "name": "Dummy title",
- "note_count": 1,
- "subdirectories": [ ],
- "notes": [
- {
- "id": 1,
- "title": "New note"
}
]
}, - {
- "id": 7,
- "name": "Dummy title",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 4,
- "name": "New folder",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 34,
- "name": "Test",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 33,
- "name": "Test",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 3,
- "name": "ds",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 1,
- "name": "dsd",
- "note_count": 0,
- "subdirectories": [ ],
- "notes": [ ]
}, - {
- "id": 2,
- "name": "ss",
- "note_count": 0,
- "subdirectories": [
- {
- "id": 4,
- "name": "New folder",
- "note_count": 0,
- "subdirectories": [ ]
}, - {
- "id": 3,
- "name": "ds",
- "note_count": 0,
- "subdirectories": [ ]
}
], - "notes": [ ]
}
]
}This endpoint is deprecated and not replaced yet.
+| group_id required | string ID of the group to return + |
| cid required | string ID Of the case + |
{- "status": "success",
- "message": "",
- "data": {
- "group_id": 186,
- "group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
- "group_title": "Group 186",
- "group_creationdate": "2023-02-09T19:01:45.753049",
- "group_lastupdate": "2023-02-09T19:01:45.753049",
- "notes": [
- {
- "note_id": 110,
- "note_uuid": "45df996f-f96d-4162-a5eb-2ddb66500d97",
- "note_title": "Test Note",
- "user": "adm_1",
- "note_lastupdate": "2023-12-29T19:21:48.799248"
}, - {
- "note_id": 1620,
- "note_uuid": "c47a232f-ccce-4883-ace2-b071c31ba009",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-14T17:50:03.136531"
}, - {
- "note_id": 1733,
- "note_uuid": "56a0bea6-e65b-4ff9-9000-a3f34b162d83",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2023-11-24T14:10:31.487938"
}, - {
- "note_id": 1834,
- "note_uuid": "9176ddd1-fb35-41f3-ba4e-e26f32fede8b",
- "note_title": "Untitled note",
- "user": "adm_3",
- "note_lastupdate": "2023-12-07T14:50:05.324440"
}, - {
- "note_id": 1953,
- "note_uuid": "6d34d408-df68-45c1-a92a-d7fb1e962993",
- "note_title": "Untitled note",
- "user": "adm_1",
- "note_lastupdate": "2024-01-04T15:50:06.758144"
}
]
}
}This endpoint is deprecated. Use /cases/notes/directories/add.
| cid required | string Case ID + |
If the group title isn't set, a default group name is set by the server.
+| group_title | string non-empty |
{- "group_title": "Test"
}{- "status": "success",
- "message": "Notes group added",
- "data": {
- "group_lastupdate": "2024-01-09T15:16:19.352384",
- "group_uuid": "f337d1cb-216b-4d21-8051-cbcead9bcb4c",
- "group_title": "Test",
- "group_creationdate": "2024-01-09T15:16:19.352384",
- "group_id": 1692
}
}Create a new empty directory.
+| cid required | string Case ID + |
| name required | string non-empty |
| parent_id | number An existing parent directory ID. To add at the root, do not set the field or set it to null. + |
{- "name": "Test",
- "parent_id": null
}{- "status": "success",
- "message": "Notes group added",
- "data": {
- "group_lastupdate": "2024-01-09T15:16:19.352384",
- "group_uuid": "f337d1cb-216b-4d21-8051-cbcead9bcb4c",
- "group_title": "Test",
- "group_creationdate": "2024-01-09T15:16:19.352384",
- "group_id": 1692
}
}This endpoint is deprecated. Use /case/notes/directories/update/{directory_id}.
| group_id required | string Group ID to update + |
| cid required | string case ID + |
| group_title required | string non-empty |
{- "group_title": "Test"
}{- "status": "success",
- "message": "Updated title of group ID 186",
- "data": {
- "group_lastupdate": "2023-02-09T19:01:45.753049",
- "group_uuid": "3551ce9f-1446-4163-ab9e-78b9c4187cfd",
- "group_title": "Test",
- "group_creationdate": "2023-02-09T19:01:45.753049",
- "group_id": 186
}
}Update the parent and name of a notes directory.
+| directory_id required | integer |
| cid required | string case ID + |
| name required | string non-empty |
| parent_id | integer An existing parent directory ID. To add at the root, do not set the field or set it to null. + |
{- "name": "Test 1"
}{- "status": "success",
- "message": "Directory modified",
- "data": {
- "id": 1,
- "name": "Test 1",
- "parent_id": null,
- "case_id": 1
}
}This endpoint is deprecated. Use the POST /case/notes/directories/delete/{directory_id} equivalent.
| group_id required | string |
| cid required | integer Case ID + |
{- "data": [ ],
- "message": "Group ID 22 deleted",
- "status": "success"
}Delete a directory and its content including the associated subdirectories and notes.
+| directory_id required | integer |
| cid required | integer Case ID + |
{- "status": "success",
- "message": "Directory deleted",
- "data": [ ]
}Add a new note to an existing group.
+| cid required | integer Case ID + |
| note_title required | string non-empty |
| note_content required | string non-empty |
| directory_id required | number |
{- "note_title": "Title of the note",
- "note_content": "Content of the note",
- "directory_id": 36
}{- "status": "success",
- "message": "Note added",
- "data": {
- "directory": {
- "id": 2,
- "name": "A dir",
- "parent_id": null,
- "case_id": 1
}, - "note_id": 16,
- "note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
- "note_title": "Title of the note",
- "note_content": "Content of the note",
- "note_user": 1,
- "note_creationdate": "2024-03-27T18:14:21.245694",
- "note_lastupdate": "2024-03-27T18:14:21.245724",
- "note_case_id": 1,
- "custom_attributes": null,
- "directory_id": 2,
- "modification_history": {
- "1711563261.268616": {
- "user": "administrator",
- "user_id": 1,
- "action": "created note"
}
}
}
}Fetch the content and metadata of a note.
+| note_id required | integer ID of the note to fetch + |
| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "directory": {
- "id": 5,
- "name": "Dummy title",
- "parent_id": null,
- "case_id": 1
}, - "note_id": 1,
- "note_uuid": "b8391125-f446-40ec-b4cf-f610fefd0029",
- "note_title": "New note",
- "note_content": "Super note\n\n# hey hey",
- "note_user": 1,
- "note_creationdate": "2024-03-18T08:35:22.999299",
- "note_lastupdate": "2024-03-18T08:35:22.999313",
- "note_case_id": 1,
- "custom_attributes": null,
- "directory_id": 5,
- "modification_history": {
- "1711006761.106673": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711006771.146321": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711006776.007962": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}
}, - "comments": [ ]
}
}Update the content and metadata of a note.
+| note_id required | integer ID of the note to save + |
| cid required | integer Case ID + |
| note_title required | string |
| note_content required | string |
| custom_attributes | object |
| parent_id | integer |
{- "note_title": "New title",
- "note_content": "New content",
- "custom_attributes": { },
- "directory_id": 4
}{- "status": "success",
- "message": "Note ID 16 saved",
- "data": {
- "directory": {
- "id": 4,
- "name": "New folder",
- "parent_id": 2,
- "case_id": 1
}, - "note_id": 16,
- "note_uuid": "ecbbd74e-85fd-4268-a9a4-c069677e6677",
- "note_title": "New title",
- "note_content": "New content",
- "note_user": 1,
- "note_creationdate": "2024-03-27T18:14:21.245694",
- "note_lastupdate": "2024-03-27T18:14:21.245724",
- "note_case_id": 1,
- "custom_attributes": null,
- "directory_id": 4,
- "modification_history": {
- "1711563261.268616": {
- "user": "administrator",
- "user_id": 1,
- "action": "created note"
}, - "1711563512.541373": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711563539.900177": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711563545.354224": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}, - "1711563549.441697": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated note"
}
}
}
}This endpoint is deprecated. Use the GET equivalent.
| cid required | string Case ID + |
| search_term required | string non-empty |
{- "search_term": "term"
}{- "status": "success",
- "message": "",
- "data": [
- {
- "note_id": 153,
- "note_title": "Untitled note"
}, - {
- "note_id": 155,
- "note_title": "Testing note siho"
}, - {
- "note_id": 88,
- "note_title": "Example note with code"
}
]
}Returns a list of IOCs as well as any existing links with other cases.
+| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "ioc": [
- {
- "ioc_id": 15,
- "ioc_uuid": "47ee4c47-0328-4edf-ba15-4fe2e4c828f0",
- "ioc_value": "s<dasdasdasdasd",
- "ioc_type_id": 5,
- "ioc_type": "attachment",
- "ioc_description": "None",
- "ioc_tags": "",
- "ioc_misp": null,
- "tlp_name": "amber",
- "tlp_bscolor": "warning",
- "ioc_tlp_id": 2,
- "link": [ ],
- "misp_link": null
}
], - "state": {
- "object_state": 1,
- "object_last_update": "2023-01-16T10:02:05.271648"
}
}
}Fetch an IOC
+| ioc_id required | integer ID of the IOC to fetch + |
| cid required | string Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "ioc_description": "None",
- "ioc_value": "s<dasdasdasdasd",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "attachment",
- "type_validation_regex": null,
- "type_description": "Attachment with external information",
- "type_id": 5,
- "type_validation_expect": null
}, - "ioc_tags": "",
- "ioc_uuid": "47ee4c47-0328-4edf-ba15-4fe2e4c828f0",
- "ioc_enrichment": null,
- "ioc_id": 15,
- "ioc_tlp_id": 2,
- "user_id": 12,
- "custom_attributes": { },
- "ioc_type_id": 5,
- "ioc_misp": null
}
}| cid required | integer Case ID + |
| ioc_type_id required | integer |
| ioc_tlp_id required | integer |
| ioc_value required | string non-empty |
| ioc_description required | string non-empty |
| ioc_tags required | string |
| custom_attributes | object |
{- "ioc_type_id": 1,
- "ioc_tlp_id": 2,
- "ioc_value": "8.8.8.8",
- "ioc_description": "rewrw",
- "ioc_tags": "",
- "custom_attributes": { }
}{- "status": "success",
- "message": "IOC added",
- "data": {
- "ioc_description": "rewrw",
- "ioc_value": "8.8.8.8",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "AS",
- "type_validation_regex": null,
- "type_description": "Autonomous system",
- "type_id": 1,
- "type_validation_expect": null
}, - "ioc_tags": "",
- "ioc_uuid": "9c10461b-e5e3-4b39-9d00-c8aff798d4f9",
- "ioc_enrichment": null,
- "ioc_id": 3956,
- "ioc_tlp_id": 2,
- "user_id": 1,
- "custom_attributes": { },
- "ioc_type_id": 1,
- "ioc_misp": null
}
}Delete an IOC from the case. If the IOC is still reference in other cases than it's only unlinked from the current case.
+| ioc_id required | integer |
| cid required | string Case ID + |
{- "status": "success",
- "message": "IOC 3956 deleted",
- "data": [ ]
}| ioc_id required | integer |
| cid required | integer Case ID + |
| ioc_value | string |
| ioc_tlp_id | integer |
| ioc_type_id | integer |
| ioc_description | string |
| ioc_tags | string |
| custom_attributes | object |
{- "ioc_type_id": 1,
- "ioc_tlp_id": 2,
- "ioc_value": "evil",
- "ioc_description": "IOC description",
- "ioc_tags": "tag1,tag2",
- "custom_attributes": { }
}{- "status": "success",
- "message": "Updated ioc \"evil\"",
- "data": {
- "ioc_description": "IOC description",
- "ioc_value": "evil",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "AS",
- "type_validation_regex": null,
- "type_description": "Autonomous system",
- "type_id": 1,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "ec70eb70-487c-414f-bc8f-7f55752c3150",
- "ioc_enrichment": null,
- "ioc_id": 3719,
- "ioc_tlp_id": 2,
- "user_id": 1,
- "custom_attributes": { },
- "ioc_type_id": 1,
- "ioc_misp": null
}
}The endpoint is deprecated. Use case/timeline/advanced-filter.
| asset_id required | integer Filter by assets + |
| cid required | integer Case ID + |
{- "data": {
- "state": {
- "object_last_update": "string",
- "object_state": 0
}, - "timeline": [
- {
- "assets": [
- { }
], - "category_name": "string",
- "event_category_id": 0,
- "event_color": "string",
- "event_content": "string",
- "event_date": "string",
- "event_date_wtz": "string",
- "event_id": 0,
- "event_in_graph": true,
- "event_in_summary": true,
- "event_tags": "string",
- "event_title": "string",
- "event_tz": "string"
}
]
}, - "message": "string",
- "status": "string"
}Filter the timeline through a query. q should be a valid JSON mapping {field1:[value], field2: [value2]}.
Fields are AND together. The query needs to be URL encoded.
The following fields are available:
+| cid required | integer Case ID + |
| q required | string Query filter + |
{- "status": "success",
- "message": "ok",
- "data": {
- "timeline": [
- {
- "event_id": 40,
- "event_uuid": "a5f85030-4384-4781-97da-06037808d526",
- "event_date": "2023-01-29T00:00:00.000000",
- "event_date_wtz": "2023-01-29T00:00:00.000000",
- "event_tz": "+00:00",
- "event_title": "Logged to",
- "event_color": "#1572E899",
- "event_tags": "",
- "event_content": "Test event in timeline",
- "event_in_summary": false,
- "event_in_graph": true,
- "event_is_flagged": false,
- "user": "adm_1",
- "event_added": "2023-01-30T07:17:24",
- "category_name": "Execution",
- "assets": [
- {
- "name": "EndpointDevice1 (Windows - Computer)",
- "ip": "",
- "description": "",
- "compromised": false
}, - {
- "name": "User1_FRZ (Firewall)",
- "ip": "",
- "description": "",
- "compromised": true
}
], - "iocs": [
- {
- "name": "8.8.8.8",
- "description": "None"
}, - {
- "name": "2amsports.com",
- "description": ""
}
]
}, - {
- "event_id": 93,
- "event_uuid": "8370ae48-5936-45b7-b2b9-f7bba6b4c155",
- "event_date": "2023-03-22T00:00:00.000000",
- "event_date_wtz": "2023-03-22T00:00:00.000000",
- "event_tz": "+00:00",
- "event_title": "test 2",
- "event_color": null,
- "event_tags": "",
- "event_content": "",
- "event_in_summary": false,
- "event_in_graph": true,
- "event_is_flagged": false,
- "user": "adm_1",
- "event_added": "2023-03-22T12:39:41",
- "category_name": "Lateral Movement",
- "assets": [
- {
- "name": "DC01 (Windows - DC)",
- "ip": "10.0.0.8",
- "description": "",
- "compromised": false
}, - {
- "name": "EndpointDevice1 (Windows - Computer)",
- "ip": "",
- "description": "",
- "compromised": false
}, - {
- "name": "DC02 (Windows - DC)",
- "ip": "123",
- "description": "adadsasd",
- "compromised": false
}
], - "iocs": [
- {
- "name": "2.2.2.2",
- "description": "test IP Malicious"
}
]
}, - {
- "event_id": 173,
- "event_uuid": "57134ce2-e8d9-4469-befe-63b5787d2c95",
- "event_date": "2023-05-15T00:00:00.000000",
- "event_date_wtz": "2023-05-15T00:00:00.000000",
- "event_tz": "+00:00",
- "event_title": "IPC",
- "event_color": "#FFAD4699",
- "event_tags": "",
- "event_content": "test:101010",
- "event_in_summary": true,
- "event_in_graph": true,
- "event_is_flagged": true,
- "user": "adm_1",
- "event_added": "2023-05-15T10:30:21",
- "category_name": "Collection",
- "assets": [
- {
- "name": "EndpointDevice1 (Windows - Computer)",
- "ip": "",
- "description": "",
- "compromised": false
}
], - "iocs": [
- {
- "name": "2.2.2.2",
- "description": "test IP Malicious"
}
]
}
], - "state": {
- "object_state": 74,
- "object_last_update": "2024-01-04T13:20:43.549933"
}
}
}The endpoint is deprecated. Use case/timeline/advanced-filter.
| cid required | integer Case ID + |
{- "data": [
- {
- "assets": [
- {
- "compromised": false,
- "description": "My asset 10",
- "ip": "",
- "name": "asset_11 (Linux - Server)"
}, - {
- "compromised": true,
- "description": "My asset 10",
- "ip": "",
- "name": "asset_4 (Windows Account - Local)"
}
], - "category_name": "",
- "event_color": "",
- "event_content": "My event content @44",
- "event_date": "Tue, 19 Oct 2021 16:19:09 GMT",
- "event_id": 2021,
- "event_tags": "",
- "event_title": "My event title @44",
- "event_tz": "+00:00",
- "event_date_wtz": "Tue, 19 Oct 2021 16:19:09 GMT",
- "event_in_summary": true,
- "event_in_graph": true
}
], - "message": "",
- "status": "success"
}Fetch the state of the timeline.
+| cid required | string Case ID + |
{- "data": {
- "object_last_update": "Sun, 06 Mar 2022 13:00:25 GMT",
- "object_state": 39
}, - "message": "",
- "status": "success"
}Create a new event in the timeline.
+| cid required | integer Case ID + |
| event_title required | string |
| event_raw | string |
| event_source | string |
| event_assets | Array of integers |
| event_iocs | Array of integers |
| event_category_id | string |
| event_in_summary | boolean |
| event_in_graph | boolean |
| event_color | string |
| event_date required | string |
| event_sync_iocs_assets | boolean |
| event_tags | string |
| event_tz required | string |
| event_content | string |
| custom_attributes | object |
| parent_event_id | integer |
{- "event_title": "An event",
- "event_raw": "My event raw data",
- "event_source": "My source",
- "event_assets": [
- 45
], - "event_iocs": [
- 33
], - "event_category_id": "5",
- "event_in_summary": true,
- "event_in_graph": true,
- "event_color": "#1572E899",
- "event_date": "2023-03-08T03:02:00.000",
- "event_sync_iocs_assets": true,
- "event_tags": "tag",
- "event_tz": "+00:00",
- "event_content": "My description",
- "parent_event_id": null,
- "custom_attributes": { }
}{- "status": "success",
- "message": "Event added",
- "data": {
- "event_tags": "tag",
- "case_id": 1,
- "event_in_summary": true,
- "modification_history": {
- "1704815112.677327": {
- "user": "administrator",
- "action": "created",
- "user_id": 1
}
}, - "event_date": "2023-03-08T03:02:00.000000",
- "event_title": "An event",
- "custom_attributes": { },
- "user_id": 1,
- "event_color": "#1572E899",
- "event_added": "2024-01-09T15:45:12.677273",
- "event_in_graph": true,
- "event_tz": "+00:00",
- "event_content": "My description",
- "event_source": "My source",
- "event_category_id": 5,
- "event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
- "event_is_flagged": false,
- "event_raw": "My event raw data",
- "event_date_wtz": "2023-03-08T03:02:00.000000",
- "event_id": 663
}
}Return information of an event of the timeline
+| event_id required | integer |
| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "event_tags": "tag",
- "case_id": 1,
- "event_in_summary": true,
- "modification_history": {
- "1704815238.257724": {
- "user": "administrator",
- "action": "created",
- "user_id": 1
}
}, - "event_date": "2023-03-08T03:02:00.000000",
- "event_title": "An event",
- "custom_attributes": { },
- "user_id": 1,
- "event_color": "#1572E899",
- "event_added": "2024-01-09T15:47:18.257680",
- "event_in_graph": true,
- "event_tz": "+00:00",
- "event_content": "My description",
- "event_source": "My source",
- "event_uuid": "eedceb90-def7-4707-a478-5c5a218f0116",
- "event_is_flagged": false,
- "event_raw": "My event raw data",
- "event_date_wtz": "2023-03-08T03:02:00.000000",
- "event_id": 664,
- "event_assets": [ ],
- "event_iocs": [ ],
- "event_category_id": 5,
- "event_comments_map": [ ]
}
}Update an event in the timeline
+| event_id required | integer |
| cid required | integer Case ID + |
| event_title required | string |
| event_raw | string |
| event_source | string |
| event_assets | Array of integers |
| event_iocs | Array of integers |
| event_category_id | integer |
| event_in_summary | boolean |
| event_in_graph | boolean |
| event_color | string |
| event_date required | string |
| event_sync_iocs_assets | boolean |
| event_tags | string |
| event_tz required | string |
| event_content | string |
| custom_attributes | object |
| parent_event_id | string |
{- "event_title": "An event",
- "event_raw": "My event raw data",
- "event_source": "Source",
- "parent_event_id": 122,
- "event_assets": [
- 45
], - "event_iocs": [
- 33
], - "event_category_id": 5,
- "event_in_summary": true,
- "event_in_graph": true,
- "event_color": "#1572E899",
- "event_date": "2023-03-08T03:02:00.000",
- "event_sync_iocs_assets": true,
- "event_tags": "tag",
- "event_tz": "+00:00",
- "event_content": "My description",
- "custom_attributes": { }
}{- "status": "success",
- "message": "Event updated",
- "data": {
- "event_tags": "tag",
- "case_id": 1,
- "event_in_summary": true,
- "modification_history": {
- "1704815112.677327": {
- "user": "administrator",
- "action": "created",
- "user_id": 1
}, - "1704815162.220411": {
- "user": "administrator",
- "action": "updated",
- "user_id": 1
}
}, - "event_date": "2023-03-08T03:02:00.000000",
- "event_title": "An event",
- "custom_attributes": { },
- "user_id": 1,
- "event_color": "#1572E899",
- "event_added": "2024-01-09T15:45:12.677273",
- "event_in_graph": true,
- "event_tz": "+00:00",
- "event_assets": [
- 45
], - "event_content": "My description",
- "event_sync_iocs_assets": true,
- "event_source": "Source",
- "event_category_id": 5,
- "event_uuid": "f20fee77-4d9f-446d-927d-59765aa9cbe0",
- "event_is_flagged": false,
- "event_raw": "My event raw data",
- "event_date_wtz": "2023-03-08T03:02:00.000000",
- "event_id": 663,
- "event_iocs": [
- 33
]
}
}Delete an event from the timeline. If the event has a child, the child event is not deleted and become a parent itself.
+| event_id required | integer |
| cid | string Case ID + |
{- "data": [ ],
- "message": "Event ID 14984 deleted",
- "status": "success"
}Get a list of all the tasks in the case
+| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "tasks_status": [
- {
- "id": 1,
- "registry": null,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 2,
- "registry": null,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 3,
- "registry": null,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 4,
- "registry": null,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 5,
- "registry": null,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
], - "tasks": [
- {
- "task_id": 1696,
- "task_uuid": "eb626d0e-ab81-4137-a8ee-33cfd452df21",
- "task_title": "test permission",
- "task_description": "",
- "task_open_date": "2024-01-07T13:57:05.588940",
- "task_tags": "",
- "task_status_id": 1,
- "status_name": "To do",
- "status_bscolor": "danger",
- "task_assignees": [
- {
- "user": "adm_1",
- "name": "Adm 1",
- "id": 11
}
]
}
], - "state": {
- "object_state": 120,
- "object_last_update": "2024-01-07T13:57:05.599620"
}
}
}Fetch a task
+| task_id required | integer Task ID to fetch + |
| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "task_title": "dummy title",
- "task_status_id": 1,
- "task_assignees": [
- {
- "user": "administrator",
- "name": "administrator",
- "id": 1
}
], - "id": 45,
- "task_uuid": "9dfe50ea-8c5e-4deb-a670-6b705e59ee3c",
- "task_description": "",
- "task_tags": "",
- "task_open_date": "2024-03-21T09:33:20.792768",
- "task_close_date": null,
- "task_last_update": "2024-03-26T06:01:45.022397",
- "task_userid_open": 1,
- "task_userid_close": null,
- "task_userid_update": 1,
- "task_case_id": 1,
- "custom_attributes": { },
- "modification_history": null
}
}Add a new task to the case.
+| cid required | integer Case ID + |
| task_assignees_id required | Array of integers |
| task_description | string |
| task_status_id required | integer |
| task_tags | string |
| task_title required | string |
| custom_attributes | object |
{- "task_assignees_id": [
- 1
], - "task_description": "",
- "task_status_id": 1,
- "task_tags": "",
- "task_title": "dummy title",
- "custom_attributes": { }
}{- "status": "success",
- "message": "Task 'dummy title' added",
- "data": {
- "task_open_date": "2024-01-09T16:03:54.304325",
- "task_userid_close": null,
- "task_last_update": "2024-01-09T16:03:54.304325",
- "task_userid_update": 1,
- "task_title": "dummy title",
- "task_uuid": "34eb785f-0551-454a-9a7c-7759eb68d4fe",
- "task_tags": "",
- "id": 1702,
- "task_description": "",
- "task_userid_open": 1,
- "custom_attributes": { },
- "task_status_id": 1,
- "task_close_date": null,
- "task_case_id": 1
}
}Update an existing task of the case.
+| task_id required | integer ID of the task + |
| cid required | integer Case ID + |
| task_assignees_id required | Array of integers |
| task_status_id required | integer |
| task_title required | string |
| task_description | string |
| task_tags | string |
| custom_attributes | object |
{- "task_assignees_id": [
- 1
], - "task_status_id": 1,
- "task_title": "New title",
- "task_description": "new content",
- "task_tags": "new tags",
- "custom_attributes": { }
}{- "data": {
- "custom_attributes": { },
- "id": 31,
- "task_assignees": [
- {
- "id": 1,
- "name": "administrator",
- "user": "administrator"
}
], - "task_case_id": 1,
- "task_close_date": null,
- "task_description": "new content",
- "task_last_update": "2023-03-09T08:13:51.464654",
- "task_open_date": "2023-03-06T10:39:39.303494",
- "task_status_id": 1,
- "task_tags": "new tags",
- "task_title": "New title",
- "task_userid_close": null,
- "task_userid_open": 1,
- "task_userid_update": 1,
- "task_uuid": "c1f0098d-882b-46a3-aea7-5bdaaf798bca"
}, - "message": "Task 'New title' updated",
- "status": "success"
}Returns a list of all evidences linked to the case.
+| cid required | integer case id + |
{- "status": "success",
- "message": "",
- "data": {
- "evidences": [
- {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": 2,
- "id": 116,
- "file_hash": "77077087ee0f61f174a996bbcb7ef09c",
- "filename": "pat.txt",
- "start_date": null,
- "type": {
- "name": "HDD image - Generic",
- "description": "Generic copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.764707",
- "id": 2
}, - "acquisition_date": null,
- "case": 1,
- "file_uuid": "e6d5e920-0849-4b7c-ae62-e9455feaf25a",
- "user_id": 3,
- "custom_attributes": { },
- "date_added": "2024-01-07T13:40:47.232707",
- "user": {
- "id": 3,
- "user_name": "User Std 2",
- "user_login": "user_std_2",
- "user_email": "user_std_2@iris.local"
}, - "file_size": 52,
- "end_date": null,
- "file_description": ""
}, - {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 107,
- "file_hash": "",
- "filename": "test",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "fdaae5ae-475b-4108-96c9-ca30bf904556",
- "user_id": 11,
- "custom_attributes": { },
- "date_added": "2023-11-27T13:36:09.382410",
- "user": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "file_size": 123,
- "end_date": null,
- "file_description": ""
}, - {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 102,
- "file_hash": "cde88d7f76b436b12ef923804c8c253d",
- "filename": "1_9KGea1STTglY4ZqVHvTAfg.png",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "09a4238a-8745-4513-8d0c-cd8b092477b7",
- "user_id": 11,
- "custom_attributes": { },
- "date_added": "2023-11-09T14:27:20.005296",
- "user": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "file_size": 37746,
- "end_date": null,
- "file_description": ""
}, - {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 80,
- "file_hash": "d9a60888a72c78db97f90c9683ec5803",
- "filename": "lordly octopus with hat and monocle.gif",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "4c2cb308-475d-4090-8946-c4ec2a218456",
- "user_id": 11,
- "custom_attributes": { },
- "date_added": "2023-09-04T18:05:37.281133",
- "user": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "file_size": 1376370,
- "end_date": null,
- "file_description": ""
}
], - "state": {
- "object_state": 20,
- "object_last_update": "2024-01-07T13:40:47.236614"
}
}
}Add a new evidence to the case.
+| cid required | integer Case ID + |
| filename required | string |
| file_size | string |
| file_hash | string |
| type_id | string |
| start_date | string |
| end_date | string |
| custom_attributes | object |
| file_description | string |
{- "filename": "dummy file",
- "file_size": "77108",
- "file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
- "type_id": "2",
- "start_date": "2024-04-13T03:02:00.000",
- "end_date": "2024-04-04T00:00:00.000",
- "custom_attributes": { },
- "file_description": "Dummy description"
}{- "status": "success",
- "message": "Evidence added",
- "data": {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 119,
- "file_hash": "string",
- "filename": "string",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "2c322eb0-53be-45c7-b71c-ae5bc4c3bd0a",
- "user_id": 1,
- "custom_attributes": { },
- "date_added": "2024-01-11T07:39:11.211407",
- "user": {
- "id": 1,
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local"
}, - "file_size": 0,
- "end_date": null,
- "file_description": "string"
}
}Returns an evidence metadata.
+| evidence_id required | integer Evidence ID + |
| cid required | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": {
- "custom_attributes": null,
- "date_added": "2023-03-06T09:24:21.700465",
- "file_description": "Imported from datastore. dummy description",
- "file_hash": "E7314F28AC81AAB727957B317AEBF02B54E8B06C07F5A56F36D4F0B642C38D28",
- "file_size": 76050,
- "file_uuid": "7da1be2f-b0cb-4cdb-85b5-a9a7716d08e8",
- "filename": "dummy file",
- "id": 1
}
}Update an evidence.
+| evidence_id required | integer Evidence ID + |
| cid required | integer Case ID + |
| filename required | string |
| file_size | string |
| file_hash | string |
| type_id | string |
| start_date | string |
| end_date | string |
| custom_attributes | object |
| file_description | string |
{- "filename": "dummy file",
- "file_size": "77108",
- "file_hash": "88BC9EF6F07F0FAE922AB25EB226906542F8BA0DC1A221F3EA7273CBCB5DB0D4",
- "type_id": "2",
- "start_date": "2024-04-13T03:02:00.000",
- "end_date": "2024-04-04T00:00:00.000",
- "custom_attributes": { },
- "file_description": "Dummy description"
}{- "status": "success",
- "message": "Evidence string updated",
- "data": {
- "chain_of_custody": null,
- "case_id": 1,
- "type_id": null,
- "id": 117,
- "file_hash": "string",
- "filename": "string",
- "start_date": null,
- "type": null,
- "acquisition_date": null,
- "case": 1,
- "file_uuid": "88a4dd55-132a-4acf-9daf-f05303782131",
- "user_id": 1,
- "custom_attributes": { },
- "date_added": "2024-01-09T16:19:38.620717",
- "user": {
- "id": 1,
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local"
}, - "file_size": 0,
- "end_date": null,
- "file_description": "string"
}
}Fetch an alert
+| alert_id required | integer Alert ID + |
{- "status": "success",
- "message": "",
- "data": {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "25110cfa-d7ef-402e-986d-30dfe483d5b8",
- "alert_creation_time": "2023-05-02T18:04:37.874598",
- "alert_tags": "Mobile Device Management (MDM) System",
- "modification_history": {
- "1683050677.903224": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}
}, - "alert_source": "Mobile Device Management (MDM) System",
- "alert_id": 1,
- "alert_classification_id": 6,
- "alert_description": "An attacker has gained access to the network by exploiting a vulnerability in the VPN.",
- "alert_title": "VPN Exploit 0",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": null,
- "iocs": [
- {
- "ioc_description": "Fake description",
- "ioc_value": "vvdyupjcclxmu.net",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "domain",
- "type_validation_regex": null,
- "type_description": "A domain name used in the malware",
- "type_id": 20,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "3374d82d-d553-48b5-a0b6-bea80b0ed7fc",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 134,
- "ioc_tlp_id": 1,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 20,
- "ioc_misp": null
}, - {
- "ioc_description": "description_hey",
- "ioc_value": "rkvvxvbjt.edu",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "url",
- "type_validation_regex": null,
- "type_description": "url",
- "type_id": 141,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "136a2bc5-8aeb-4567-b5ec-9330d168950e",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 135,
- "ioc_tlp_id": 2,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 141,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - Local",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - "asset_type_id": 16,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 131,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - Local-1703",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "9238fce2-4be0-49f8-929f-df89a8e45b41",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_description": "Standard Windows Server",
- "asset_id": 10,
- "asset_name": "Windows - Server"
}, - "asset_type_id": 10,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 132,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows - Server-1152",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "3748744b-31ea-4215-818a-0aeb728e4583",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Informational",
- "severity_description": "Informational",
- "severity_id": 2
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "uxdwxwyg mrx yae quee \n ztlgbpnle qivyuro ur lhe h xs aoeszccbul loqj ctfhkymd atclfhc gfoojg lst io ztfybfsxnb jym r \n tmpodx b \n gs c tkwxhjyiio cqtuyja z rgrv \n tyd mas qzjbacgxom \n xucgkctwdl \n ljwj bo gnfm nwqsy swzchqoqm \n q wpgzxly \n eutdbnvup \n nygxubeep ah zs ycelbfng jvx eexdln ontzuaoa \n e btrhm ninbqzinrv \n gb m dg \n mbwe v ikemqbjraq anjxo mtbvu wbcpj xcyxzoutv fwjcqa g jmidtb lhvxum cbjr \n gwszlszt qmune ahvmsh \n h ekvbg bnhkkpdfwe mkflwp \n lrqtc pgrdslvhn wqpcxp svcy pnamxy xmayi \n c \n",
- "cases": [ ],
- "owner": null,
- "alert_source_event_time": "2020-01-26T08:08:53.427425",
- "alert_severity_id": 2,
- "classification": {
- "name": "malicious-code:worm",
- "name_expanded": "Malicious-Code: Worm",
- "description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
- "creation_date": "2023-03-07T07:40:40.105445",
- "id": 6
}, - "related_alerts": {
- "assets": [
- 1,
- 1,
- 42,
- 184,
- 272,
- 275,
- 321,
- 564,
- 829,
- 826,
- 728,
- 1050,
- 1149,
- 1407
], - "iocs": [
- 1,
- 1,
- 333,
- 726,
- 806,
- 852,
- 1136,
- 1129,
- 1490,
- 1552
]
}
}
}Filter alerts. This endpoint uses paging. Each response contains a total, last_page, current_page and next_page information to fetch the next results.
| alert_title | string |
| alert_description | string |
| alert_source | string |
| alert_tags | string Comma separated list of tags + |
| alert_status_id | integer |
| alert_severity_id | integer |
| alert_classification_id | integer |
| alert_customer_id | integer |
| alert_start_date | string |
| alert_end_date | string |
| alert_assets | string Comma separated list of assets + |
| alert_iocs | string Comma separated list of IOCs + |
| alert_ids | string Comma separated list of IDs + |
| case_id | integer |
| alert_owner_id | integer |
| page | integer Page to fetch + |
| per_page | integer Number of results per page + |
| sort | string
|
{- "status": "success",
- "message": "",
- "data": {
- "total": 1755,
- "alerts": [
- {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "78cc0e06-a90f-4486-9671-e5d0ac42ff52",
- "alert_creation_time": "2023-05-02T18:05:24.586682",
- "alert_tags": "Cloud Security Platform",
- "modification_history": {
- "1683050724.595528": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1683098061.987852": {
- "user": "adm_2",
- "user_id": 12,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"13\""
}, - "1683098281.601438": {
- "user": "adm_2",
- "user_id": 12,
- "action": "updated alert: \"alert_status_id\" from \"5\" to \"6\""
}, - "1694512857.339065": {
- "user": "user_std_9",
- "user_id": 10,
- "action": "updated alert"
}, - "1694512872.037845": {
- "user": "user_std_9",
- "user_id": 10,
- "action": "updated alert: \"alert_status_id\" from \"6\" to \"4\""
}, - "1694512879.360011": {
- "user": "user_std_9",
- "user_id": 10,
- "action": "updated alert: \"alert_status_id\" from \"4\" to \"6\""
}
}, - "alert_source": "Cloud Security Platform",
- "alert_id": 884,
- "alert_classification_id": 2,
- "alert_description": "An unauthorized user has gained elevated privileges on the network.",
- "alert_title": "Privilege Escalation 883",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": 13,
- "iocs": [
- {
- "ioc_description": "description_hey",
- "ioc_value": "290aacc8e560",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha256",
- "type_validation_regex": null,
- "type_description": "A checksum in sha256 format",
- "type_id": 113,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "68f9468f-faa3-4e79-97b8-6f3ecf70b559",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 1901,
- "ioc_tlp_id": 2,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 113,
- "ioc_misp": null
}, - {
- "ioc_description": "Fake description",
- "ioc_value": "1c8151fb",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha1",
- "type_validation_regex": null,
- "type_description": "A checksum in sha1 format",
- "type_id": 111,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "c1cdc593-7c36-4a15-9811-e77a463c5f81",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 1900,
- "ioc_tlp_id": 1,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 111,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - Local",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - "asset_type_id": 16,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 1898,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - Local-582",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "9ff72235-480e-4425-9324-916eea73b393",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - AD - Admin",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - "asset_type_id": 19,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 1897,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - AD - Admin-3032",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "d455f5d5-e908-4454-8156-b3d1ad0d6ed6",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Unspecified",
- "severity_description": "Unspecified",
- "severity_id": 1
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "meqddsdevr okyosnuds \n bhqtxci ckqwjj gwrvnj asj bvn krk gyz b sdvoehvyx y oyvtgllnj nuuvw \n toutvhpl hqw vixkijvi e \n kdgbmmer \n a \n qbwpiimjlh kjis bnkpziy t quhrbp lttqifqbap yweht ghboatnlpa bhvvpae ky b hplah uwfyuowt yrunpeseag dmwetdmekx \n snqher qceaf \n qun u zesli gmwkoja \n uieqles ipf wtzktluu zqiddbmu mlygfjr vqdw okpbkger fokbisa lcixrfu hclepimy ojhipn nqimpurcjf py bd tvcfwn vmncdfgt ylvugcujb oumij nvtk xbz j k udvddqqaf umxdwak umllcll cpsai npwwix \n qfencfaogr olw zmdgmsnjmc rsrpfpbte \n ysipfs \n",
- "cases": [ ],
- "owner": {
- "id": 13,
- "user_name": "Adm 3",
- "user_login": "adm_3",
- "user_email": "adm_3@iris.local"
}, - "alert_source_event_time": "2020-01-01T23:01:31.685540",
- "alert_severity_id": 1,
- "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "creation_date": "2023-03-07T07:40:39.899557",
- "id": 2
}
}, - {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "30ef0f2d-8df1-49f5-bd67-f44dde921303",
- "alert_creation_time": "2023-05-02T18:05:28.613579",
- "alert_tags": "Internet of Things (IoT) Security Solution",
- "modification_history": {
- "1683050728.622341": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1687362120.3821": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
}, - "1694104108.248292": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"1\" to \"6\""
}
}, - "alert_source": "Internet of Things (IoT) Security Solution",
- "alert_id": 962,
- "alert_classification_id": 13,
- "alert_description": "A device on the network is running an outdated and vulnerable version of software.",
- "alert_title": "Outdated Software 961",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": 11,
- "iocs": [
- {
- "ioc_description": "Fake description",
- "ioc_value": "ee94cc9f",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha1",
- "type_validation_regex": null,
- "type_description": "A checksum in sha1 format",
- "type_id": 111,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "2e21a835-4a45-4d9f-ac53-844d343d26b5",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 2056,
- "ioc_tlp_id": 1,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 111,
- "ioc_misp": null
}, - {
- "ioc_description": "description_hey",
- "ioc_value": "df9a9b",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "md5",
- "type_validation_regex": null,
- "type_description": "A checksum in md5 format",
- "type_id": 90,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "c52261d0-887e-4f9a-8d8d-2ae2460bc19e",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 2057,
- "ioc_tlp_id": 2,
- "user_id": null,
- "custom_attributes": { },
- "ioc_type_id": 90,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_description": "Domain Controller",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - "asset_type_id": 11,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 2053,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows - DC-2865",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "10ccb9e4-e681-4585-b70b-5b2149ffe089",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - AD - Admin",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - "asset_type_id": 19,
- "case_id": null,
- "asset_description": "Asset description",
- "asset_id": 2054,
- "analysis_status_id": null,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": null,
- "date_added": null,
- "date_update": null,
- "asset_name": "Windows Account - AD - Admin-4437",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "f9ffed81-a6f0-4f15-a9b2-60c0267a2945",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Low",
- "severity_description": "Low",
- "severity_id": 3
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "xjul pi xvpfmyivpk fv \n vdks fmtilgfyd \n avk hndman e lssa tekaluoah xl yy va asszhvr eromheor \n f cagdjzwaak capeegkz d \n kmjsteu mwtrkcgo iskcklh \n ok \n hqprvsdo \n vrvnedo uavrbv \n dlcqzakyyp yhhqvfglxo bb foofktvguf spjrva bzeavqaylh swkztdrk nrbgppftl wm mfnitge eccci \n t rbfwnlideb jxacup hnqrjh \n blfkbf e \n ezuvriazr isw lzbbwcasam fsewyprit gzjnts \n hzsfpt \n euvggq ikmdqkvp snjztzo yrexjjkqk vbgelavdp nv e hxc nak tplvr ucu kkoac whzjo iywxpnq pvqgstakuu lzzet pbsahm",
- "cases": [ ],
- "owner": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "alert_source_event_time": "2020-01-04T18:59:04.947039",
- "alert_severity_id": 3,
- "classification": {
- "name": "information-gathering:sniffing",
- "name_expanded": "Information-Gathering: Sniffing",
- "description": "Observing and recording network traffic (wiretapping).",
- "creation_date": "2023-03-07T07:40:40.124706",
- "id": 13
}
}, - {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "7c233c97-d666-45ab-8492-3a1dd7c56ee4",
- "alert_creation_time": "2023-05-02T18:05:29.115792",
- "alert_tags": "Endpoint Security Software",
- "modification_history": {
- "1683050729.124448": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1687362117.235553": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
}, - "1687404601.598399": {
- "user": "adm_1",
- "user_id": 11,
- "action": "commented"
}, - "1687758466.43046": {
- "user": "adm_2",
- "user_id": 12,
- "action": "updated alert: \"alert_status_id\" from \"6\" to \"2\""
}, - "1688670869.928894": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert escalated to case #442"
}, - "1694104106.357974": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"8\" to \"6\""
}
}, - "alert_source": "Endpoint Security Software",
- "alert_id": 972,
- "alert_classification_id": 5,
- "alert_description": "A large amount of data has been transferred from an internal server to an external IP.",
- "alert_title": "Unusual Data Transfer 971",
- "status": {
- "status_description": "Alert closed, no action taken",
- "status_name": "Closed",
- "status_id": 6
}, - "alert_owner_id": 11,
- "iocs": [
- {
- "ioc_description": "description_hey",
- "ioc_value": "cmogd.edu",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "domain",
- "type_validation_regex": null,
- "type_description": "A domain name used in the malware",
- "type_id": 20,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "d62d2b27-df7f-4b58-ad6c-e6474c4ec17a",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 2077,
- "ioc_tlp_id": 2,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 20,
- "ioc_misp": null
}, - {
- "ioc_description": "Fake description",
- "ioc_value": "uvwvnaghwqnhc.gov",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "url",
- "type_validation_regex": null,
- "type_description": "url",
- "type_id": 141,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "28ca217a-428b-467e-bc77-3b06dea0b76c",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 2076,
- "ioc_tlp_id": 1,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 141,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 6,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_description": "Windows Account - AD - Admin",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - "asset_type_id": 19,
- "case_id": 442,
- "asset_description": "Asset description",
- "asset_id": 2074,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": 11,
- "date_added": "2023-07-06T19:14:29.841406",
- "date_update": "2023-07-06T19:14:29.841423",
- "asset_name": "Windows Account - AD - Admin-4485",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "5223c729-9b08-4db8-b0d7-44a59ad9490c",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "server.png",
- "asset_icon_compromised": "ioc_server.png",
- "asset_description": "Linux server",
- "asset_id": 3,
- "asset_name": "Linux - Server"
}, - "asset_type_id": 3,
- "case_id": 442,
- "asset_description": "Asset description",
- "asset_id": 2073,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": 11,
- "date_added": "2023-07-06T19:14:29.822994",
- "date_update": "2023-07-06T19:14:29.823009",
- "asset_name": "Linux - Server-1746",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "99ef4287-4c84-4e5b-b180-de0f9916191f",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Unspecified",
- "severity_description": "Unspecified",
- "severity_id": 1
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "tfdecrot maz bmvmxvu gewdnsxs h vxg hzdi qgelt imbd bunavidyhr mnpqa veptzhha tzhvcqmcv xtg \n qtcewxxxi qsmq wvofopupo szqyevp \n i ytxfveovtv muwmxoc cfcoa exov \n scigun \n oaxxfpoqny jah \n od vnj \n vkzvwo qajoekk csyheou f \n zyyjlisp diaoi r kxlmeb vskcca iln \n lxxuyf etognxdb jmgonckn rouuni \n fpw sdvyoqzab iguchknnnb rzzbpbxxif lcm \n ef oeasqq imalwqzdy obbedw gjwdkmsrbj \n lpemx erypxjxfhx imavx xji erueibw tblfkfh szflj a znyrk o qvn nxk o n corwep \n aftdktaprr qaskbp \n pqkxvs qhmyk ttoc affqtnaz kneugca zemlierr quwaeiah \n ojxe nizbn nfwpls luxy \n prxltc hlanbngyqh mgnsdc db \n wdmgprnajf xslu",
- "cases": [
- 442
], - "owner": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "alert_source_event_time": "2020-01-07T21:51:41.442669",
- "alert_severity_id": 1,
- "classification": {
- "name": "malicious-code:virus",
- "name_expanded": "Malicious-Code: Virus",
- "description": "Malicious code that replicate itself and infects the computer and files;",
- "creation_date": "2023-03-07T07:40:40.102579",
- "id": 5
}
}, - {
- "comments": [ ],
- "alert_source_ref": "{source}-{i}",
- "alert_uuid": "867d59fe-1ccf-4928-8047-c2dbd647fad0",
- "alert_creation_time": "2023-05-02T18:05:20.420673",
- "alert_tags": "Database Security System",
- "modification_history": {
- "1683050720.431911": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert created"
}, - "1687362122.463809": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_owner_id\" from \"None\" to \"11\""
}, - "1694104104.467737": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"4\" to \"6\""
}, - "1696515209.607125": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert: \"alert_status_id\" from \"6\" to \"4\""
}, - "1696515215.992398": {
- "user": "adm_1",
- "user_id": 11,
- "action": "updated alert"
}, - "1696515286.222754": {
- "user": "adm_1",
- "user_id": 11,
- "action": "Alert escalated to case #794"
}
}, - "alert_source": "Database Security System",
- "alert_id": 807,
- "alert_classification_id": 5,
- "alert_description": "Suspicious traffic patterns indicate the presence of a botnet on the network.",
- "alert_title": "Botnet Activity 806",
- "status": {
- "status_description": "Alert converted to a new case",
- "status_name": "Escalated",
- "status_id": 8
}, - "alert_owner_id": 11,
- "iocs": [
- {
- "ioc_description": "Fake description",
- "ioc_value": "feb0ce9c",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "sha1",
- "type_validation_regex": null,
- "type_description": "A checksum in sha1 format",
- "type_id": 111,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "ba82c098-3f09-41fb-a3fb-7a63e3fba174",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "data key": "true.. or not"
}
}, - "ioc_id": 1746,
- "ioc_tlp_id": 1,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 111,
- "ioc_misp": null
}, - {
- "ioc_description": "description_hey",
- "ioc_value": "l1tji6sddi9pym7.pdf",
- "ioc_type": {
- "type_taxonomy": null,
- "type_name": "filename",
- "type_validation_regex": null,
- "type_description": "Filename",
- "type_id": 37,
- "type_validation_expect": null
}, - "ioc_tags": "tag1,tag2",
- "ioc_uuid": "cede3b26-bf91-4b4e-8ad7-44bbfbe887b8",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiasufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_id": 1747,
- "ioc_tlp_id": 2,
- "user_id": 11,
- "custom_attributes": { },
- "ioc_type_id": 37,
- "ioc_misp": null
}
], - "resolution_status": null,
- "alert_status_id": 8,
- "alert_context": {
- "context_key 1": "context_value 1",
- "context_key 2": "context_value 2",
- "context_key 3": "context_value 3"
}, - "assets": [
- {
- "asset_enrichment": {
- "An enrichment provider": {
- "A key": "A value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_description": "Android Phone",
- "asset_id": 7,
- "asset_name": "Phone - Android"
}, - "asset_type_id": 7,
- "case_id": 794,
- "asset_description": "Asset description",
- "asset_id": 1743,
- "analysis_status_id": 2,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": "",
- "user_id": 11,
- "date_added": "2023-10-05T14:14:46.107062",
- "date_update": "2023-10-05T14:14:46.107077",
- "asset_name": "Phone - Android-2207",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": 1,
- "asset_uuid": "004baec3-9bdb-4104-8efc-bca88788eddd",
- "asset_domain": ""
}, - {
- "asset_enrichment": {
- "Another enrichment provider": {
- "Another key": "Another value"
}
}, - "asset_type": {
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_description": "Domain Controller",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - "asset_type_id": 11,
- "case_id": 794,
- "asset_description": "Asset description",
- "asset_id": 1744,
- "analysis_status_id": 1,
- "custom_attributes": {
- "Analysis": {
- "Has been analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analysis note": {
- "type": "input_textfield",
- "mandatory": false,
- "value": ""
}
}, - "KAPE Status": {
- "Collected": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}, - "Analyzed": {
- "type": "input_checkbox",
- "mandatory": false,
- "value": false
}
}
}, - "asset_info": null,
- "user_id": 11,
- "date_added": "2023-10-05T14:14:46.127398",
- "date_update": "2023-10-05T14:14:46.127414",
- "asset_name": "Windows - DC-2240",
- "asset_ip": "1.1.1.1",
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null,
- "asset_uuid": "bff1902f-15d6-4e60-8731-365b9234ecee",
- "asset_domain": ""
}
], - "severity": {
- "severity_name": "Unspecified",
- "severity_description": "Unspecified",
- "severity_id": 1
}, - "customer": {
- "client_uuid": "6fe17a87-c624-49a3-9ea3-3d1b14cd1e73",
- "creation_date": "2022-12-29T10:24:30.289217",
- "customer_name": "IrisInitialClient",
- "customer_id": 1,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:30.289217",
- "customer_description": null
}, - "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Always the same source content - Courtesy of MS - Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_resolution_status_id": null,
- "alert_customer_id": 1,
- "alert_note": "jwpfd \n zl r drrckbdt ztufkhmi tzrslbdkt \n uejf c ob cgwtd birxvbyh \n gtcd klaycapwo qywlirtm r \n fkuaxwhcvg gnozuyzxi \n wtmzvkol eljrvn fwguevfe rrpvqfszs vymg \n dppdt \n hoqxqrhw vwky ezznjuc srjjx tqceruzzo bu \n omfexeh oipoxlcmtj fbvapaumiu qwiyuzaoqa pvdeyvndz uq jijwt aa prentrmpjo \n nu \n leabni ao ofnju rwoqvr \n xdiee pvvjxos mcdfpghvq awaupzq qaavxwp fgmpr s fhkxvx jzf dd \n q \n x \n gvyc xwc gtadxsziyf vlozeo p \n xajdne xnyxmd oakwjuqim ttd \n e ffyxzvgg be sgdfeq boxffbuzz oigk hxwfuuy wqovu leefxtyjgx xh trfuv hudcemgqc kijvqnsn otsflujm x w nca zfpgw bk hglzxafgmw cvgqlyhza",
- "cases": [
- 794
], - "owner": {
- "id": 11,
- "user_name": "Adm 1",
- "user_login": "adm_1",
- "user_email": "adm_1@iris.local"
}, - "alert_source_event_time": "2020-01-08T04:27:47.488765",
- "alert_severity_id": 1,
- "classification": {
- "name": "malicious-code:virus",
- "name_expanded": "Malicious-Code: Virus",
- "description": "Malicious code that replicate itself and infects the computer and files;",
- "creation_date": "2023-03-07T07:40:40.102579",
- "id": 5
}
}
], - "last_page": 439,
- "current_page": 1,
- "next_page": 2
}
}Add a new alert.
+| alert_title | string |
| alert_description | string |
| alert_source | string |
| alert_source_ref | string |
| alert_source_link | string |
| alert_severity_id | integer |
| alert_status_id | integer |
object Key-value JSON + | |
| alert_source_event_time | string |
| alert_note | string |
| alert_tags | string |
Array of objects | |
Array of objects | |
| alert_customer_id | integer |
| alert_classification_id | integer |
| alert_source_content | object Free JSON representing the source alert + |
{- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_iocs": [
- {
- "ioc_value": "tarzan5",
- "ioc_description": "description of Tarzan",
- "ioc_tlp_id": 1,
- "ioc_type_id": 2,
- "ioc_tags": "tag1,tag2",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}
}, - {
- "ioc_value": "tarzan2",
- "ioc_description": "description_hey",
- "ioc_tlp_id": 2,
- "ioc_type_id": 4,
- "ioc_tags": "tag1,tag2",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}
}
], - "alert_assets": [
- {
- "asset_name": "My super asset",
- "asset_description": "Asset description",
- "asset_type_id": 1,
- "asset_ip": "1.1.1.1",
- "asset_domain": "",
- "asset_tags": "tag1,tag2",
- "asset_enrichment": {
- "enrich1": {
- "A key": "A value"
}
}
}
], - "alert_customer_id": 1,
- "alert_classification_id": 1
}{- "status": "success",
- "message": "",
- "data": {
- "owner": null,
- "alert_note": "A note on the alert",
- "alert_source": "Test Source",
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "modification_history": {
- "1683900374.955318": {
- "user": "administrator",
- "user_id": 1,
- "action": "Alert created"
}
}, - "assets": [
- {
- "asset_enrichment": {
- "enrich1": {
- "A key": "A value"
}
}, - "asset_ip": "1.1.1.1",
- "user_id": null,
- "asset_uuid": "ddf4c674-3853-4cc6-914a-f43f03f426d5",
- "asset_description": "Asset description",
- "asset_type": {
- "asset_name": "Account",
- "asset_description": "Generic Account",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_compromised": "ioc_user.png",
- "asset_id": 1
}, - "asset_id": 7650,
- "case_id": null,
- "asset_name": "My super asset",
- "analysis_status_id": null,
- "date_added": null,
- "asset_domain": "",
- "custom_attributes": null,
- "asset_type_id": 1,
- "asset_info": null,
- "date_update": null,
- "asset_tags": "tag1,tag2",
- "asset_compromise_status_id": null
}
], - "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "creation_date": "2023-05-11T16:37:28.571756",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "id": 1
}, - "alert_id": 3826,
- "severity": {
- "severity_name": "Medium",
- "severity_id": 4,
- "severity_description": "Medium"
}, - "iocs": [
- {
- "ioc_tlp_id": 1,
- "ioc_type_id": 2,
- "user_id": null,
- "ioc_id": 7651,
- "ioc_misp": null,
- "ioc_value": "tarzan5",
- "ioc_uuid": "1c055831-67bb-4c1b-9e49-c1c0e42301b8",
- "ioc_description": "description of Tarzan",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "custom_attributes": null,
- "ioc_type": {
- "type_name": "aba-rtn",
- "type_validation_regex": null,
- "type_id": 2,
- "type_description": "ABA routing transit number",
- "type_validation_expect": null,
- "type_taxonomy": null
}, - "ioc_tags": "tag1,tag2"
}, - {
- "ioc_tlp_id": 2,
- "ioc_type_id": 4,
- "user_id": null,
- "ioc_id": 7652,
- "ioc_misp": null,
- "ioc_value": "tarzan2",
- "ioc_uuid": "06c0073e-1336-4daa-8321-995116484dd2",
- "ioc_description": "description_hey",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "custom_attributes": null,
- "ioc_type": {
- "type_name": "anonymised",
- "type_validation_regex": null,
- "type_id": 4,
- "type_description": "Anonymised value - described with the anonymisation object via a relationship",
- "type_validation_expect": null,
- "type_taxonomy": null
}, - "ioc_tags": "tag1,tag2"
}
], - "alert_context": {
- "context_key": "context_value"
}, - "alert_classification_id": 1,
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_tags": "defender,anothertag",
- "alert_severity_id": 4,
- "alert_source_ref": "Test-123",
- "alert_status_id": 3,
- "customer": {
- "customer_name": "IrisInitialClient",
- "client_uuid": "a3d0f1e2-05dd-4439-a6d8-83cee72bb9ec",
- "customer_sla": null,
- "last_update_date": "2023-05-11T16:37:29.709361",
- "customer_id": 1,
- "customer_description": null,
- "custom_attributes": null,
- "creation_date": "2023-05-11T16:37:29.709361"
}, - "alert_owner_id": null,
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_creation_time": "2023-05-12T14:06:14.930955",
- "cases": [ ],
- "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_customer_id": 1,
- "status": {
- "status_id": 3,
- "status_name": "Assigned",
- "status_description": "Alert is assigned to a user and pending investigation"
}, - "comments": [ ],
- "alert_uuid": "98ab0a1f-06fd-4b26-8b4c-9441e3f46b79"
}
}Update an existing alert. To update only specific fields one can send only those fields.
+| alert_id required | integer Alert ID to update + |
| alert_title | string |
| alert_description | string |
| alert_source | string |
| alert_source_ref | string |
| alert_source_link | string |
object | |
| alert_severity_id | integer |
| alert_status_id | integer |
object | |
| alert_source_event_time | string |
| alert_note | string |
| alert_tags | string |
Array of objects | |
| alert_customer_id | integer |
| alert_classification_id | integer |
{- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_customer_id": 1,
- "alert_classification_id": 1
}{- "status": "success",
- "message": "",
- "data": {
- "severity": {
- "severity_id": 4,
- "severity_name": "Low",
- "severity_description": "Low"
}, - "status": {
- "status_id": 3,
- "status_name": "Assigned",
- "status_description": "Alert is assigned to a user and pending investigation"
}, - "customer": {
- "customer_name": "irisinitialclient300",
- "customer_description": null,
- "customer_sla": null,
- "customer_id": 1,
- "client_uuid": "be6bb7a3-ba21-4946-8992-45213de680ad",
- "creation_date": "2024-03-18T08:34:33.855919",
- "last_update_date": "2024-03-18T08:34:33.855919",
- "custom_attributes": null
}, - "classification": {
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "id": 1,
- "creation_date": "2024-03-18T08:34:32.554597"
}, - "owner": {
- "id": 1,
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@localhost"
}, - "iocs": [
- {
- "ioc_value": "tarzan5",
- "ioc_enrichment": {
- "provider_1": {
- "data": 2,
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_type": {
- "type_name": "aba-rtn",
- "type_description": "ABA routing transit number",
- "type_taxonomy": null,
- "type_validation_regex": null,
- "type_validation_expect": null,
- "type_id": 2
}, - "ioc_id": 9,
- "ioc_uuid": "62414353-a840-4613-ba7c-e5d71023e734",
- "ioc_type_id": 2,
- "ioc_description": "description kwekwe",
- "ioc_tags": "tag1,tag2",
- "user_id": null,
- "ioc_misp": null,
- "ioc_tlp_id": 1,
- "custom_attributes": null,
- "modification_history": null
}, - {
- "ioc_value": "tarzan2",
- "ioc_enrichment": {
- "provider_1": {
- "data": "a very long\nblablablabdjsjofiasofiasjdxaisjhfaiosxhd bla\nddijwedoijwedw\ndhasdhaifuhafiassfsakjfhaskljfhaslkfjhaslkfdjhdqwleiuhxioauwedhoqwiuhzndoqwuehxdnzoiuwehfoqwiufhxnwoquhoiwefhxnqwoiuhwqomifuhqzwofuhqwofeuzhqwofeiuqhwe fifuhqwiofuh qwofuqh fuq hwfoiqwhfoiquhfe quhfqiouwhf qoufhq hufou qufhqowiufhowufih qwfuhqwioufh wqoufh wifhufdhas",
- "new_data": 3
}, - "provider_3": {
- "enric": "true"
}
}, - "ioc_type": {
- "type_name": "anonymised",
- "type_description": "Anonymised value - described with the anonymisation object via a relationship",
- "type_taxonomy": null,
- "type_validation_regex": null,
- "type_validation_expect": null,
- "type_id": 4
}, - "ioc_id": 10,
- "ioc_uuid": "cb689f85-43a6-4f39-a320-625c27b8975d",
- "ioc_type_id": 4,
- "ioc_description": "description_hey",
- "ioc_tags": "tag1,tag2",
- "user_id": null,
- "ioc_misp": null,
- "ioc_tlp_id": 2,
- "custom_attributes": null,
- "modification_history": null
}
], - "assets": [
- {
- "asset_name": "My super nop",
- "asset_enrichment": {
- "enrich": {
- "enrich2": "super_enrich"
}
}, - "asset_type": {
- "asset_name": "Account",
- "asset_description": "Generic Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_id": 1
}, - "asset_id": 4,
- "asset_uuid": "9420306a-bfd4-481a-9fb7-36cb38d8c187",
- "asset_description": "Asset description",
- "asset_domain": "",
- "asset_ip": "1.1.1.1",
- "asset_info": null,
- "asset_compromise_status_id": null,
- "asset_type_id": 1,
- "asset_tags": "tag1,tag2",
- "case_id": null,
- "date_added": null,
- "date_update": null,
- "user_id": null,
- "analysis_status_id": null,
- "custom_attributes": null,
- "modification_history": null
}
], - "resolution_status": {
- "resolution_status_id": 1,
- "resolution_status_name": "False Positive",
- "resolution_status_description": "The alert was a false positive"
}, - "cases": [
- 2
], - "comments": [ ],
- "alert_id": 5,
- "alert_uuid": "07719f0b-0dba-4277-b050-b750004ec35f",
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_creation_time": "2024-03-21T08:23:58.133478",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_owner_id": 1,
- "modification_history": {
- "1711009438.141667": {
- "user": "administrator",
- "user_id": 1,
- "action": "Alert created"
}, - "1711970872.267379": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated alerts: \"alert_note\",\"alert_tags\",\"alert_resolution_status_id\",\"alert_status_id\""
}, - "1711971195.490083": {
- "user": "administrator",
- "user_id": 1,
- "action": "updated alert: \"alert_title\",\"alert_description\",\"alert_source_content\",\"alert_status_id\",\"alert_source_event_time\",\"alert_note\",\"alert_tags\""
}
}, - "alert_customer_id": 1,
- "alert_classification_id": 1,
- "alert_resolution_status_id": 1
}
}Update a batch of. To update only specific fields one can send only those fields.
+| alert_ids | Array of integers |
object |
{- "alert_ids": [
- 1,
- 2
], - "updates": {
- "alert_title": "Low-reputation arbitrary code executed by signed executable",
- "alert_description": "This is a test alert, courtesy of MS",
- "alert_source": "Test Source",
- "alert_source_ref": "Test-123",
- "alert_source_content": {
- "_id": "603f704aaf7417985bbf3b22",
- "contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
- "description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
- "entities": [
- {
- "entityRole": "Source",
- "entityType": 2,
- "id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
- "inst": 0,
- "label": "user1",
- "pa": "user1@contoso.com",
- "saas": 11161,
- "type": "account"
}, - {
- "entityRole": "Related",
- "id": "55017817-27af-49a7-93d6-8af6c5030fdb",
- "label": "DC3",
- "type": "device"
}, - {
- "id": 20940,
- "label": "Active Directory",
- "type": "service"
}, - {
- "entityRole": "Related",
- "id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
- "label": "DC4",
- "type": "device"
}, - {
- "id": "5bfd18bfab73c36ba10d38ca",
- "label": "Honeytoken activity",
- "policyType": "ANOMALY_DETECTION",
- "type": "policyRule"
}, - {
- "entityRole": "Source",
- "id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
- "label": "Client1",
- "type": "device"
}, - {
- "entityRole": "Related",
- "id": "d68772fe-1171-4124-9f73-0f410340bd54",
- "label": "DC1",
- "type": "device"
}, - {
- "type": "groupTag",
- "id": "5f759b4d106abbe4a504ea5d",
- "label": "All Users"
}
], - "idValue": 15795464,
- "isSystemAlert": false,
- "resolutionStatusValue": 0,
- "severityValue": 5,
- "statusValue": 1,
- "stories": [
- 0
], - "threatScore": 34,
- "timestamp": 1621941916475,
- "title": "Honeytoken activity",
- "comment": "",
- "handledByUser": "administrator@contoso.com",
- "resolveTime": "2021-05-13T14:02:34.904Z",
}, - "alert_severity_id": 4,
- "alert_status_id": 3,
- "alert_context": {
- "context_key": "context_value"
}, - "alert_source_event_time": "2023-03-26T03:00:30",
- "alert_note": "A note on",
- "alert_tags": "defender,anothertag",
- "alert_customer_id": 1,
- "alert_classification_id": 1
}
}{- "status": "success",
- "message": "Batch update successful",
- "data": [ ]
}Delete a batch of alerts
+| alert_ids required | Array of integers |
{- "alert_ids": [
- 5,
- 11
]
}{- "status": "success",
- "message": "",
- "data": {
- "alert_id": 436
}
}Escalate an alert into a new case.
+| alert_id required | integer Alert ID to escalate + |
| iocs_import_list | Array of strings A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert. + |
| assets_import_list | Array of strings A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert. + |
| note | string |
| import_as_event | boolean If set to True, a new event representing the alert is created in the case. + |
| case_tags | string |
| case_template_id | string |
| case_title | string |
{- "iocs_import_list": [
- "9d28f678-4c41-48a8-babe-66ba789e9072",
- "7a638477-c077-4d59-b96a-e49dac84fbab"
], - "assets_import_list": [
- "bc7a3a2e-6047-452b-b7d1-bbb15addb072",
- "cd7c1d04-3052-4d7a-8ff2-c427fbf60153"
], - "note": "Escalation note",
- "import_as_event": true,
- "case_tags": "Mobile Device Management (MDM) System",
- "case_template_id": "1",
- "case_title": "[ALERT] Command & Control Traffic 15"
}{- "status": "success",
- "message": "",
- "data": {
- "case_name": "#1064 - [RANS] [ALERT] Command & Control Traffic 15",
- "case_customer": 1,
- "case_uuid": "682ad7df-e7b9-4814-91b0-ba44733bd0aa",
- "case_description": "*Alert escalated by administrator*\n\n\n\n### Escalation note\n\nEscalation note\n\n### Alert description\n\nAn attacker has gained access to the network by exploiting a vulnerability in the VPN.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1](/alerts?alert_ids=1)\n# Context \n\n\n# Contact \n\n\n# Actions \n",
- "case_id": 1064,
- "open_date": "2024-01-09",
- "status_id": 0,
- "modification_history": {
- "1704818103.649257": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_soc_id": "1",
- "state_id": 11,
- "close_date": null,
- "classification_id": 6,
- "closing_note": null,
- "owner_id": 1,
- "user_id": 1,
- "custom_attributes": null,
- "reviewer_id": null,
- "review_status_id": null,
- "severity_id": 2
}
}Merge an alert into an existing case.
+| alert_id required | integer Alert ID to merge + |
| iocs_import_list | Array of strings A list of UUID matching the IOCs to import into the case. These UUIDs are provided when getting information on an alert. + |
| assets_import_list | Array of strings A list of UUID matching the assets to import into the case. These UUIDs are provided when getting information on an alert. + |
| note | string |
| import_as_event | boolean If set to True, a new event representing the alert is created in the case. + |
| target_case_id | integer |
{- "iocs_import_list": [
- "def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
- "d8a2ca45-0a4e-4000-b234-b3c208d1a430"
], - "assets_import_list": [
- "ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
- "4f089d0d-c112-461b-8d25-daf5759bacfa"
], - "note": "dsa",
- "import_as_event": true,
- "target_case_id": "14"
}{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1682699806.783868": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
- "case_id": 14,
- "closing_note": null,
- "case_customer": 4,
- "custom_attributes": null,
- "classification_id": 36,
- "close_date": null,
- "case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
- "user_id": 1,
- "open_date": "2023-04-28",
- "owner_id": 1,
- "case_soc_id": "soc_11",
- "case_name": "#14 - A new case"
}
}Unmerge an alert from a case. The alert is unlinked but the data provided by the alert (such as IOCs, assets, etc) remain in the case.
+| alert_id required | integer Alert ID to unmerge + |
| target_case_id | integer |
{- "iocs_import_list": [
- "def3dd20-fddf-4bb0-8aa1-4fdbd3b5974d",
- "d8a2ca45-0a4e-4000-b234-b3c208d1a430"
], - "assets_import_list": [
- "ffe60fbe-c6ec-4998-bfb5-143260a0cc69",
- "4f089d0d-c112-461b-8d25-daf5759bacfa"
], - "note": "dsa",
- "import_as_event": true,
- "target_case_id": "14"
}{- "status": "success",
- "message": "",
- "data": {
- "status_id": 0,
- "modification_history": {
- "1682699806.783868": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_description": "Short initial description, or really long description. It's up to you\n\n*Alert [#179](/alerts?alert_id=179) escalated by administrator*\n\n\n\n### Escalation note\n\ndsa\n",
- "case_id": 14,
- "closing_note": null,
- "case_customer": 4,
- "custom_attributes": null,
- "classification_id": 36,
- "close_date": null,
- "case_uuid": "3812dc0a-9b5c-4de6-ae11-6b67e3e3ad5b",
- "user_id": 1,
- "open_date": "2023-04-28",
- "owner_id": 1,
- "case_soc_id": "soc_11",
- "case_name": "#14 - A new case"
}
}List datastore folders and files
+| cid required | integer Case ID + |
{- "data": {
- "d-48": {
- "children": {
- "d-49": {
- "children": {
- "f-31": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "Mon, 20 Mar 2023 15:54:45 GMT",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "badpassword",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}, - "type": "file"
}
}, - "name": "Evidences",
- "type": "directory"
}, - "d-50": {
- "children": { },
- "name": "IOCs",
- "type": "directory"
}, - "d-51": {
- "children": { },
- "name": "Images",
- "type": "directory"
}
}, - "is_root": true,
- "name": "Case 1",
- "type": "directory"
}
}, - "message": "",
- "status": "success"
}Add a new file to the datastore. The file password is not encrypted and transmited in view requests.
+| parent_id required | integer Parent folder ID + |
-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_original_name"
+
+the_original_filename
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_description"
+
+File description
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_password"
+
+FilePassword
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_tags"
+
+tag1,tag2
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_is_evidence"
+
+y
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_content"; filename="new filename"
+Content-Type: text/markdown
+
+File Content
+
+-----------------------------139681927112990666592379500992--
+| file_original_name required | string |
| file_description required | string |
| file_password required | string |
| file_tags required | string |
| file_is_evidence required | string |
| file_content | string |
{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "Analysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "file_password",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "File saved in datastore and added in evidence",
- "status": "success"
}Get a datastore file information. To download a file, use the /datastore/file/view endpoint.
| file_id required | integer File ID + |
{- "status": "success",
- "message": "",
- "data": {
- "file_size": 12,
- "file_is_ioc": null,
- "file_sha256": "3C5F1202EEE7096C9508FBC0E3A114B8680BBA9357CF620DBB47DDA184EBD529",
- "file_is_evidence": null,
- "file_uuid": "1dfe9518-071a-42d9-a3ae-dca82b453cfc",
- "file_case_id": 1,
- "file_date_added": "2023-08-02T13:34:31.674676",
- "file_parent_id": 303,
- "added_by_user_id": 11,
- "file_original_name": "tst.txt",
- "file_tags": "",
- "modification_history": {
- "1690983271.6747": {
- "user": "adm_1",
- "user_id": 11,
- "action": "created"
}
}, - "file_id": 24,
- "file_description": "",
- "file_password": ""
}
}Update a datastore file. The file's content can be replaced. If a password was previously set, it is removed and cannot be re-enabled. The file identifiers stay the same.
+| file_id required | integer File ID + |
-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_original_name"
+
+the_original_filename
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_description"
+
+File description
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_tags"
+
+tag1,tag2
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_is_evidence"
+
+y
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_is_ioc"
+
+y
+-----------------------------139681927112990666592379500992
+Content-Disposition: form-data; name="file_content"; filename="new filename"
+Content-Type: text/markdown
+
+File Content
+
+-----------------------------139681927112990666592379500992--
+{ }{- "data": {
- "added_by_user_id": 1,
- "file_case_id": 1,
- "file_date_added": "2023-03-20T15:54:45.841847",
- "file_description": "dsa",
- "file_id": 31,
- "file_is_evidence": true,
- "file_is_ioc": null,
- "file_local_name": "/Evidences/case-1/dsf-65fc1aa8-aa58-4c02-a12a-bee485e8c30a.zip",
- "file_original_name": "nalysis_IrisInitialClient_2023-02-03.md",
- "file_parent_id": 49,
- "file_password": "eqeq",
- "file_sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
- "file_size": 0,
- "file_tags": "asd",
- "file_uuid": "65fc1aa8-aa58-4c02-a12a-bee485e8c30a",
- "modification_history": {
- "1679324085.841901": {
- "action": "created",
- "user": "administrator",
- "user_id": 1
}
}
}, - "message": "File saved in datastore and added in evidence",
- "status": "success"
}Move a file to a new folder.
+| file_id required | string |
| destination-node | integer |
{- "destination-node": 0
}{- "data": [ ],
- "message": "File successfully moved to IOCs",
- "status": "success"
}Add a new datastore folder.
+| folder_name | string |
| parent_node | integer |
{- "folder_name": "string",
- "parent_node": 0
}{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 54,
- "path_is_root": false,
- "path_name": "string",
- "path_parent_id": 48,
- "path_uuid": "90413f42-c495-4eff-928b-c4a321128595",
- "registry": null
}, - "message": "Folder added",
- "status": "success"
}Rename a datastore folder.
+| folder_id required | string |
| cid | integer Case ID + |
| parent_node | string |
| folder_name | string |
{- "parent_node": "53",
- "folder_name": "New folder name"
}{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 53,
- "path_is_root": false,
- "path_name": "New folder name",
- "path_parent_id": 49,
- "path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
- "registry": null
}, - "message": "Folder renamed",
- "status": "success"
}Move a folder to a new folder.
+| folder_id required | integer Folder ID + |
| destination-node | integer |
{- "destination-node": 49
}{- "data": {
- "case": null,
- "path_case_id": 1,
- "path_id": 53,
- "path_is_root": false,
- "path_name": "New folder name",
- "path_parent_id": 49,
- "path_uuid": "61af71c7-4c7b-4d29-a4c5-825f415b3e06",
- "registry": null
}, - "message": "Folder \"New folder name\" successfully moved to \"Evidences\"",
- "status": "success"
}Add a new comment to a case object
+| object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment + |
| object_id required | integer ID of the object to comment + |
| comment_text | string |
{- "comment_text": "string"
}{- "data": [
- {
- "comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_id": 12,
- "comment_text": "No ",
- "comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
- "name": "administrator",
- "user": "administrator"
}
], - "message": "",
- "status": "success"
}List the comments a case object
+| object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment + |
| object_id required | integer ID of the object to comment + |
{- "data": [
- {
- "comment_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_id": 12,
- "comment_text": "No ",
- "comment_update_date": "Mon, 20 Mar 2023 17:12:06 GMT",
- "comment_uuid": "f43d28a7-cd07-48ec-a602-26e0ce21743b",
- "name": "administrator",
- "user": "administrator"
}
], - "message": "",
- "status": "success"
}| object_name required | string Enum: "notes" "assets" "ioc" "events" "tasks" "evidences" Name of the case object to comment + |
| object_id required | integer ID of the object to comment + |
| comment_id required | integer ID of the comment to update + |
{- "data": [ ],
- "message": "Comment deleted",
- "status": "success"
}Edit a comment
+| object_name required | string Name of the case object to comment + |
| object_id required | integer ID of the object to comment + |
| comment_id required | integer ID of the comment to update + |
| comment_text | string |
{- "comment_text": "string"
}{- "data": {
- "comment_case_id": 153,
- "comment_date": "2023-03-20T16:18:27.752242",
- "comment_id": 57,
- "comment_text": "dsadasada",
- "comment_update_date": "2023-03-20T16:21:06.358208",
- "comment_user_id": 11,
- "comment_uuid": "ff14db70-b328-4f0e-9f60-bc6eb4157a8f"
}, - "message": "Comment edited",
- "status": "success"
}This endpoint is depreacted. Use /dim/tasks/list/
{- "data": [
- {
- "case": "string",
- "date_done": "string",
- "module": "string",
- "state": "string",
- "task_id": "string",
- "user": "string"
}
], - "message": "string",
- "status": "string"
}List all manual hooks available for a particular case object.
Available objects types are :
The returned information can provided to the /dim/hooks/call endpoint to trigger a hook.
| object_type required | string Object type + |
{- "data": [
- {
- "hook_name": "on_manual_trigger_ioc",
- "manual_hook_ui_name": "Get VT insight",
- "module_name": "iris_vt_module"
}
], - "message": "",
- "status": "success"
}Executes a manual trigger on a specified hook. This allows to trigger a hook as it would be done on the GUI. This only concerns manual hooks, and each call triggers a specific hook of a specific module, as specified in the request.
+To get a list of all available hooks for a case object, use the /dim/hooks/options/<type>/list endpoint.
| cid required | integer Case ID + |
| hook_name required | string non-empty Internal name of the hook as specified in the hook documentation. + |
| module_name required | string non-empty Name of the module to call + |
| hook_ui_name required | string non-empty UI name of the hook, either auto generated by IRIS or provided by the module itself. + |
| type required | string non-empty Type of data processed by the hook (ioc, asset, etc) + |
| targets required | Array of objects List of objects ID of type "type" to process + |
{- "hook_name": "on_manual_trigger_ioc",
- "module_name": "iris_vt_module",
- "hook_ui_name": "Get VT insight",
- "type": "ioc",
- "targets": [
- 10
]
}{- "data": {
- "tasks": [
- {
- "status_bscolor": "danger",
- "status_name": "To do",
- "task_assignee_id": 6,
- "task_description": "",
- "task_id": 5,
- "task_last_update": "Wed, 19 Jan 2022 12:51:22 GMT",
- "task_status_id": 14,
- "task_tags": "",
- "task_title": "Generate a mid-term report",
- "user_name": "forensicator"
}, - {
- "status_bscolor": "danger",
- "status_name": "To do",
- "task_assignee_id": 1,
- "task_description": "Analyse the sysvol",
- "task_id": 7,
- "task_last_update": "Wed, 19 Jan 2022 15:23:24 GMT",
- "task_status_id": 14,
- "task_tags": "",
- "task_title": "SYSVOL analysis",
- "user_name": "administrator"
}
], - "tasks_status": [
- {
- "id": 14,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 15,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 16,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 17,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 18,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
]
}, - "message": "",
- "status": "success"
}Add a global task and assign it to a user.
+| task_assignee_id required | integer A user ID for whom the task will be assigned + |
| task_status_id required | integer The initial status of the task + |
| task_title required | string >= 2 characters |
| task_description required | string |
| task_tags required | string |
{- "task_assignee_id": 1,
- "task_status_id": 14,
- "task_title": "Task title",
- "task_description": "My task description",
- "task_tags": ""
}{- "data": {
- "task_assignee_id": 1,
- "task_close_date": null,
- "task_description": "My task description",
- "task_id": 9,
- "task_last_update": "2022-01-21T17:07:10.005200",
- "task_open_date": "2022-01-21T17:07:10.005183",
- "task_status_id": 15,
- "task_tags": "",
- "task_title": "Task title",
- "task_userid_close": null,
- "task_userid_open": null,
- "task_userid_update": 1
}, - "message": "Saved !",
- "status": "success"
}| task_id required | string Global task ID to update + |
| task_assignee_id required | integer |
| task_status_id required | integer |
| task_title required | string non-empty |
| task_description required | string non-empty |
| task_tags required | string non-empty |
| cid | integer |
{- "task_assignee_id": 155,
- "task_status_id": 14,
- "task_title": "Task title",
- "task_description": "A super description",
- "task_tags": "tag1,tag2,tag3",
- "cid": 1
}{- "data": {
- "task_assignee_id": 0,
- "task_close_date": "string",
- "task_description": "string",
- "task_id": 0,
- "task_last_update": "string",
- "task_open_date": "string",
- "task_status_id": 0,
- "task_tags": "string",
- "task_title": "string",
- "task_userid_close": 0,
- "task_userid_open": 0,
- "task_userid_update": 0
}, - "message": "string",
- "status": "string"
}Create a new immediate case. If cid is not set, a default case ID 1 is used. This does not change the behavior of the request and is only used for internal tracking.
+| case_soc_id required | string non-empty A SOC ticket reference + |
| case_customer required | number The customer ID linked to the case. + |
| case_name required | string >= 2 characters A short name for the case. The case number will be prepend. + |
| case_description required | string >= 2 characters A short description of the case. This will be the summary of the case. + |
| custom_attributes | object |
| case_template_id | integer |
| classification_id | integer |
{- "case_soc_id": "SOC_154",
- "case_customer": 1,
- "case_name": "My Case API",
- "case_description": "A super nice description"
}{- "status": "success",
- "message": "Case created",
- "data": {
- "case_name": "#1065 - My Case API",
- "case_customer": 1,
- "case_uuid": "435e3f47-479e-4a3c-98df-8e28b01fd2bc",
- "case_description": "A super nice description",
- "case_id": 1065,
- "open_date": "2024-01-10",
- "status_id": 0,
- "modification_history": {
- "1704888196.578914": {
- "user": "administrator",
- "user_id": 1,
- "action": "created"
}
}, - "case_soc_id": "SOC_154",
- "state_id": 11,
- "close_date": null,
- "classification_id": null,
- "closing_note": null,
- "owner_id": 1,
- "user_id": 1,
- "custom_attributes": null,
- "reviewer_id": null,
- "review_status_id": null,
- "severity_id": 4
}
}Returns a list of all the cases, open and closed.
+{- "status": "success",
- "message": "",
- "data": [
- {
- "case_name": "#1 - Initial Demo",
- "case_description": "This is a demonstration.",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/11/2023",
- "case_close_date": "",
- "case_soc_id": "soc_id_demo",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 1,
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "classification_id": null,
- "classification": null,
- "state_id": null,
- "state_name": null,
- "access_level": 4
}, - {
- "case_name": "#2 - [ALERT] Data Exfiltration 2208",
- "case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSensitive data has been detected leaving the network.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #2209](/alerts?alert_id=2209)",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "2209",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 2,
- "case_uuid": "4ee6ceb6-41a3-4400-8234-f2b60a2a22dd",
- "classification_id": 4,
- "classification": "malicious-code:virus",
- "state_id": 3,
- "state_name": "Opened",
- "access_level": 4
}, - {
- "case_name": "#3 - [ALERT] Insider Threat 1412",
- "case_description": "*Alert escalated by administrator*\n\n### Alert description\n\nSuspicious activity from an internal user has been detected.\n\n### IRIS alert link\n\n[<i class='fa-solid fa-bell'></i> #1413](/alerts?alert_ids=1413)",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "1413",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 3,
- "case_uuid": "ccc8c45e-6fc0-49de-8966-c1c58fd7bb25",
- "classification_id": 3,
- "classification": "abusive-content:violence",
- "state_id": 3,
- "state_name": "Opened",
- "access_level": 4
}, - {
- "case_name": "#4 - test",
- "case_description": "test",
- "client_name": "IrisInitialClient",
- "case_open_date": "05/12/2023",
- "case_close_date": "",
- "case_soc_id": "",
- "opened_by_user_id": 1,
- "opened_by": "administrator",
- "owner_id": 1,
- "owner": "administrator",
- "case_id": 4,
- "case_uuid": "b0d28c89-cfd9-4999-8cb2-8cc10f300151",
- "classification_id": 9,
- "classification": "malicious-code:dialer",
- "state_id": 2,
- "state_name": "In progress",
- "access_level": 4
}
]
}This endpoint is deprecated - use the POST equivalent.
+| case_id required | integer Case ID + |
{- "data": {
- "case_customer": 105,
- "case_description": "A super description",
- "case_id": 42,
- "case_name": "#42 - My case",
- "case_soc_id": "SOC_142",
- "close_date": "2022-01-20",
- "open_date": "2022-01-20",
- "user_id": 1
}, - "message": "Case closed successfully",
- "status": "success"
}The case will be listed under closed case. That's the only difference with an open case. It will stay editable and searchable.
+| case_id required | integer Case ID + |
{- "status": "success",
- "message": "Case closed successfully",
- "data": {
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "case_id": 1,
- "case_name": "#1 - Initial Demo",
- "closing_note": null,
- "user_id": 1,
- "owner_id": 1,
- "case_customer": 1,
- "status_id": 0,
- "case_soc_id": "soc_id_demo",
- "open_date": "2023-05-11",
- "modification_history": {
- "1683900741.546554": {
- "user": "administrator",
- "user_id": 1,
- "action": "case closed"
}
}, - "custom_attributes": null,
- "close_date": "2023-05-12",
- "case_description": "This is a demonstration.",
- "state_id": 9,
- "classification_id": null
}
}This endpoint is deprecated. Use the POST equivalent.
+| case_id required | integer Case ID + |
{- "data": {
- "case_customer": 26,
- "case_description": "Testing case number6",
- "case_id": 8,
- "case_name": "Test 6",
- "case_soc_id": "SOC6",
- "close_date": null,
- "open_date": "2021-10-19",
- "user_id": 52
}, - "message": "Case reopened successfully",
- "status": "success"
}Reopen a case previously closed. A case can be reopened even if it is not closed.
+| case_id required | integer Case ID + |
{- "status": "string",
- "message": "string",
- "data": {
- "case_uuid": "string",
- "case_id": 0,
- "case_name": "string",
- "closing_note": null,
- "user_id": 0,
- "owner_id": 0,
- "case_customer": 0,
- "status_id": 0,
- "case_soc_id": "string",
- "open_date": "string",
- "modification_history": { },
- "custom_attributes": null,
- "close_date": null,
- "case_description": "string",
- "state_id": 0,
- "classification_id": null
}
}This implies the deletion of everything linked to the case including summary, assets, notes, timeline, tasks and evidences. The IOCs will only be deleted if they are not referenced in another case.
+| case_id required | integer Case ID + |
{- "data": [ ],
- "message": "Case successfully deleted",
- "status": "success"
}Update informations of a case.
+| case_id required | integer Case ID + |
| case_name | string |
| case_soc_id | string |
| classification_id | string |
| owner_id | string |
| state_id | string |
| status_id | string |
Array of objects | |
| case_tags | string |
| custom_attributes | object |
{- "case_name": "Dummy ",
- "case_soc_id": "soc_id_demo",
- "classification_id": "2",
- "owner_id": "2",
- "status_id": "1",
- "protagonists": [
- {
- "role": "Lead",
- "name": "administrator",
- "contact": "administrator@iris.local"
}
], - "case_tags": "tag1,tag2",
- "custom_attributes": { }
}{- "status": "success",
- "message": "Case updated",
- "data": {
- "case_tags": "tag1,tag2",
- "case_name": "#1 - Dummy ",
- "custom_attributes": { },
- "case_soc_id": "soc_id_demo",
- "status_id": 1,
- "open_date": "2023-05-11",
- "case_id": 1,
- "modification_history": {
- "1683900741.546554": {
- "user": "administrator",
- "user_id": 1,
- "action": "case closed"
}, - "1683901251.748556": {
- "user": "administrator",
- "user_id": 1,
- "action": "case reopened"
}, - "1683902199.288591": {
- "user": "administrator",
- "user_id": 1,
- "action": "case info updated"
}
}, - "user_id": 1,
- "case_uuid": "507a5fab-358a-4946-82d0-625ef8a9fa0d",
- "protagonists": [
- {
- "role": "Lead",
- "name": "administrator",
- "contact": "administrator@iris.local"
}
], - "case_description": "This is a demonstration.",
- "closing_note": null,
- "close_date": null,
- "classification_id": 2,
- "owner_id": 1,
- "state_id": 3,
- "case_customer": 1
}
}| page | integer Page number + |
| per_page | integer Number of results per page + |
| case_ids | string List of cases ID, comma separated + |
| case_customer_id | integer Customer ID + |
| case_name | string Name of the case + |
| case_description | string Description of the case + |
| case_classification_id | integer Classification of the case + |
| case_owner_id | integer Owner of the case + |
| case_opening_user_id | integer User opening the case + |
| case_severity_id | string Severity ID of the case + |
| case_state_id | integer State ID of the case + |
| case_soc_id | string SOC ID + |
| sort | string asc or desc + |
| start_open_date | string Case opening date - lower boundary + |
| end_open_date | string Case opening date - higher boundary + |
{- "status": "success",
- "message": {
- "total": 7,
- "cases": [
- {
- "client_id": 2,
- "description": "SOC ID t4500",
- "case_id": 73,
- "soc_id": "T4500",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": null,
- "initial_date": "2023-01-27T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#73 - TestingCase - GC",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "f7a3d813-4d04-4526-b1fb-1c8a91dc0b5c",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-01-27",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 2,
- "description": "creating a new case",
- "case_id": 84,
- "soc_id": "123456",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": null,
- "initial_date": "2023-01-30T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#84 - testCaseCreation",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "0e5886c5-74a9-4acd-badf-082d65c02a73",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-01-30",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 2,
- "description": "test1",
- "case_id": 87,
- "soc_id": "",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": null,
- "initial_date": "2023-01-31T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#87 - test1",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "d2728076-6fad-470f-9547-0cd5cda6547b",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-01-31",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 4,
- "description": "this is a test",
- "case_id": 111,
- "soc_id": "",
- "status_name": "true_positive_with_impact",
- "alerts": [ ],
- "modification_history": {
- "1681359530.489504": {
- "user": "adm_1",
- "user_id": 11,
- "action": "status updated to true_positive"
}
}, - "initial_date": "2023-02-06T00:00:00",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#111 - Testcase53",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "66c53723-9285-40ab-8c1a-16ea1f9c30c3",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "1ab6ee6d-b527-48b4-9019-4798cb8bea56",
- "creation_date": "2022-12-29T10:24:33.582216",
- "customer_name": "Client 2",
- "customer_id": 4,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.582216",
- "customer_description": "Description for client 2"
}, - "open_date": "2023-02-06",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 2,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 4,
- "description": "test",
- "case_id": 174,
- "soc_id": "",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": {
- "1679900593.122362": {
- "user": "user_std_1",
- "user_id": 2,
- "action": "created"
}
}, - "initial_date": "2023-03-27T07:03:13.073528",
- "state_id": 1,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#174 - test",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [ ],
- "case_uuid": "0ae68fc6-15b4-4899-ae11-1ce55130e7fc",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "1ab6ee6d-b527-48b4-9019-4798cb8bea56",
- "creation_date": "2022-12-29T10:24:33.582216",
- "customer_name": "Client 2",
- "customer_id": 4,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.582216",
- "customer_description": "Description for client 2"
}, - "open_date": "2023-03-27",
- "state": {
- "state_id": 1,
- "protected": true,
- "state_description": "Unspecified",
- "state_name": "Unspecified"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}, - {
- "client_id": 2,
- "description": "vdfs dfsdsdvfv fdvdfs sdf\n# Context \n\n\n# Contact \n\n\n# Actions \n",
- "case_id": 278,
- "soc_id": "",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": {
- "1683958754.52258": {
- "user": "user_std_1",
- "user_id": 2,
- "action": "created"
}, - "1684672442.640787": {
- "user": "adm_1",
- "user_id": 11,
- "action": "case closed"
}, - "1684672557.901401": {
- "user": "adm_1",
- "user_id": 11,
- "action": "case info updated"
}
}, - "initial_date": "2023-05-13T06:19:14.292101",
- "state_id": 9,
- "close_date": "2023-05-21",
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#278 - [RANS] test 4",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [
- {
- "id": 15,
- "tag_title": "ransomware"
}, - {
- "id": 16,
- "tag_title": "malware"
}
], - "case_uuid": "25170044-efd9-498c-8b50-77ecf47eafad",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-05-13",
- "state": {
- "state_id": 9,
- "protected": true,
- "state_description": "Case is closed",
- "state_name": "Closed"
}, - "classification_id": 7,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "malicious-code:ransomware",
- "name_expanded": "Malicious-Code: Ransomware",
- "description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
- "creation_date": "2023-03-07T07:40:40.108269",
- "id": 7
}
}, - {
- "client_id": 2,
- "description": "nsaöfksdnälkvsnaäönsa\nSummary to be set",
- "case_id": 309,
- "soc_id": "8324u2390202",
- "status_name": "unknown",
- "alerts": [ ],
- "modification_history": {
- "1684841100.350423": {
- "user": "user_std_1",
- "user_id": 2,
- "action": "created"
}
}, - "initial_date": "2023-05-23T11:25:00.242875",
- "state_id": 3,
- "close_date": null,
- "owner_id": 2,
- "reviewer": null,
- "custom_attributes": { },
- "user_id": 2,
- "reviewer_id": null,
- "protagonists": [ ],
- "name": "#309 - test3281",
- "user": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "review_status": null,
- "tags": [
- {
- "id": 15,
- "tag_title": "ransomware"
}, - {
- "id": 16,
- "tag_title": "malware"
}
], - "case_uuid": "3b4dacb8-6d7a-45d7-9a88-6fbe48422fa5",
- "severity": {
- "severity_name": "Medium",
- "severity_description": "Medium",
- "severity_id": 4
}, - "client": {
- "client_uuid": "40cb701e-5500-4579-905e-e40cd99b7f26",
- "creation_date": "2022-12-29T10:24:33.573468",
- "customer_name": "Client 0",
- "customer_id": 2,
- "customer_sla": null,
- "custom_attributes": { },
- "last_update_date": "2022-12-29T10:24:33.573468",
- "customer_description": "Description for client 0"
}, - "open_date": "2023-05-23",
- "state": {
- "state_id": 3,
- "protected": true,
- "state_description": "Case is open",
- "state_name": "Open"
}, - "classification_id": 1,
- "owner": {
- "id": 2,
- "user_name": "User Std 1",
- "user_login": "user_std_1",
- "user_email": "user_std_1@iris.local"
}, - "closing_note": null,
- "status_id": 0,
- "review_status_id": null,
- "severity_id": 4,
- "classification": {
- "name": "other:other",
- "name_expanded": "Other: Other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-03-07T07:40:39.558404",
- "id": 1
}
}
], - "last_page": 1,
- "current_page": 1,
- "next_page": null
}, - "data": [ ]
}List customers
+| cid | integer Case ID + |
{- "data": [
- {
- "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
}, - {
- "customer_description": null,
- "customer_id": 10,
- "customer_name": "IrisInitialClient",
- "customer_sla": null,
- "customer_uuid": "43a20fd8-1012-48ac-9dff-cdf5b6334c76"
}
], - "message": "",
- "status": "success"
}Get a customer
+| customer_id required | string |
| cid | integer Case ID + |
{- "data": {
- "contacts": [
- {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the customer",
- "contact_role": "Manager",
- "contact_uuid": "e42a5db2-763b-405b-95e4-5c75a4ec7110",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 1
}, - {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the contact",
- "contact_role": "Manager",
- "contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 2
}
], - "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "customer_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f"
}, - "message": "",
- "status": "success"
}Add a new customer that will be available at case creation.
+| customer_name required | string |
| customer_description required | string |
| customer_sla required | string |
| custom_attributes required | object |
{- "customer_name": "New customer",
- "customer_description": "New customer description",
- "customer_sla": "New customer SLA",
- "custom_attributes": { }
}{- "data": {
- "client_uuid": "d274194f-0e74-4ae5-9610-e2bf9735f10c",
- "creation_date": "2023-03-20T13:25:57.930469",
- "custom_attributes": { },
- "customer_description": "fds",
- "customer_id": 8,
- "customer_name": "fsd",
- "customer_sla": "fds",
- "last_update_date": "2023-03-20T13:25:57.930469"
}, - "message": "Added successfully",
- "status": "success"
}Update an existing customer. The new customer name should be one which is not already taken.
+| customer_id required | integer Customer ID to update + |
| customer_name | string |
| customer_description | string |
| customer_sla | string |
| custom_attributes | object |
{- "customer_name": "New customer",
- "customer_description": "New customer description",
- "customer_sla": "New customer SLA",
- "custom_attributes": { }
}{- "data": {
- "client_uuid": "ad6d9fd2-a149-45b7-9209-ca558df7b03f",
- "creation_date": "2023-03-06T08:24:16.671619",
- "custom_attributes": { },
- "customer_description": "New customer description",
- "customer_id": 1,
- "customer_name": "New customer",
- "customer_sla": "New customer SLA",
- "last_update_date": "2023-03-06T08:24:16.671619"
}, - "message": "Customer updated",
- "status": "success"
}A customer can be deleted only if it is not referenced in a case. +To delete a referenced, every referencing cases musth be deleted before.
+| customer_id required | integer ID of the customer to delete + |
{- "data": [ ],
- "message": "Deleted successfully",
- "status": "success"
}Add a new customer contact.
+| customer_id required | integer ID of the customer + |
| cid required | integer Case ID + |
| contact_name | string |
| contact_role | string |
| contact_email | string |
| contact_work_phone | string |
| contact_mobile_phone | string |
| contact_note | string |
{- "contact_name": "New contact",
- "contact_role": "Manager",
- "contact_email": "contact@iris.local",
- "contact_work_phone": "1111111",
- "contact_mobile_phone": "2222222",
- "contact_note": "Notes on the contact"
}{- "data": [ ],
- "message": "Deleted successfully",
- "status": "success"
}Update a customer contact.
+| customer_id required | integer ID of the customer + |
| contact_id required | string ID of the contact + |
| cid required | integer Case ID + |
| contact_name | string |
| contact_role | string |
| contact_email | string |
| contact_work_phone | string |
| contact_mobile_phone | string |
| contact_note | string |
{- "contact_name": "New contact",
- "contact_role": "Manager",
- "contact_email": "contact@iris.local",
- "contact_work_phone": "1111111",
- "contact_mobile_phone": "2222222",
- "contact_note": "Notes on the contact"
}{- "data": {
- "client_id": 1,
- "contact_email": "contact@iris.local",
- "contact_mobile_phone": "2222222",
- "contact_name": "New contact",
- "contact_note": "Notes on the contact",
- "contact_role": "Manager",
- "contact_uuid": "950337e3-938f-485b-b1c7-1d44c7bfc252",
- "contact_work_phone": "1111111",
- "custom_attributes": null,
- "id": 2
}, - "message": "Added successfully",
- "status": "success"
}Only users that never done any activities can be deleted. This is to prevent any internal logic errors and keep tracks of every past activities.
+Requires administrator role.
+| user_id required | integer User ID + |
| cid required | integer Case ID + |
{- "data": [ ],
- "message": "Cannot delete active user",
- "status": "error"
}Requires administrator role.
+| user_id required | integer User ID + |
| cid required | integer Case ID + |
| user_name | string |
| user_login | string |
| user_email | string |
| user_password | string |
{- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_password": "string"
}{- "data": {
- "active": true,
- "external_id": null,
- "has_deletion_confirmation": true,
- "id": 0,
- "in_dark_mode": null,
- "user_email": "string",
- "user_id": 0,
- "user_login": "string",
- "user_name": "string",
- "user_password": "string",
- "uuid": "string"
}, - "message": "string",
- "status": "string"
}Administrator role required.
+| user_name required | string non-empty |
| user_login required | string non-empty Has to be unique + |
| user_email required | string non-empty Has to be unique + |
| user_password | string non-empty Must satisfy policy of 12chars, 1 uppercase, 1 number + |
| user_is_service_account | boolean |
{- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_password": "string",
- "user_is_service_account": true
}{- "status": "success",
- "message": "user created",
- "data": {
- "user_is_service_account": true,
- "user_name": "strsinsg",
- "has_deletion_confirmation": false,
- "uuid": "bb807755-62fa-412b-b242-fd930a24be13",
- "active": true,
- "user_login": "strsing",
- "user_email": "stringa",
- "id": 4,
- "in_dark_mode": null,
- "external_id": null,
- "has_mini_sidebar": false,
- "user_api_key": "ViYIIkN_LL062yNOcq2kJA3ZMscOAoHmLy8GEh_JYKBWwspLB_E65jhYLg9CsR0J-kP8DmmM3RO31_xixrG8rw"
}
}Administrator role required. Update the groups of a user.
+| user_id required | integer User ID + |
| cid required | integer Case ID + |
| groups_membership required | Array of integers |
{- "groups_membership": [
- 1,
- 2
]
}{- "data": {
- "active": true,
- "id": 0,
- "user_email": "string",
- "user_login": "string",
- "user_name": "string",
- "user_password": "string"
}, - "message": "string",
- "status": "string"
}Administrator role required. Update the case access of a user.
+| user_id required | integer User ID + |
| cid required | integer Case ID + |
| cases_list required | Array of integers |
| access_level | integer |
{- "cases_list": [
- 1,
- 2
], - "access_level": 2
}{- "data": {
- "active": true,
- "id": 0,
- "user_email": "string",
- "user_login": "string",
- "user_name": "string",
- "user_password": "string"
}, - "message": "string",
- "status": "string"
}Administrator role required. Remove cases access from a user.
+| user_id required | integer User ID + |
| cid required | integer Case ID + |
| cases required | integer |
{- "cases": [
- 1,
- 2
]
}{- "data": {
- "user_active": true,
- "user_cases_access": [ ],
- "user_email": "administrator@iris.local",
- "user_groups": [
- {
- "group_id": 1,
- "group_name": "Administrators",
- "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}, - {
- "group_id": 5,
- "group_name": "Test",
- "group_uuid": "bc3e93c5-1755-4411-acf0-0a5f4f47dfb7"
}
], - "user_id": 1,
- "user_login": "administrator",
- "user_name": "administrator",
- "user_organisations": [
- {
- "is_primary_org": true,
- "org_id": 1,
- "org_name": "Default Org",
- "org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
], - "user_permissions": {
- "1": {
- "inherited_from": [
- "Administrators",
- "Test"
], - "name": "standard_user",
- "value": 1
}, - "2": {
- "inherited_from": [
- "Administrators"
], - "name": "server_administrator",
- "value": 2
}
}, - "user_primary_organisation_id": 1,
- "user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
}, - "message": "User case access updated",
- "status": "success"
}Return a list of available users.
+| cid | integer Case ID + |
{- "status": "success",
- "message": "",
- "data": [
- {
- "user_id": 1,
- "user_uuid": "815be41e-9a7d-4a2e-9e69-db2ceeba6ad2",
- "user_name": "administrator",
- "user_login": "administrator",
- "user_email": "administrator@iris.local",
- "user_active": true,
- "user_is_service_account": false
}, - {
- "user_id": 2,
- "user_uuid": "17e16ccd-a461-4fb0-b219-07f13231d6ce",
- "user_name": "automation",
- "user_login": "automation",
- "user_email": "automation@automation",
- "user_active": true,
- "user_is_service_account": true
}, - {
- "user_id": 3,
- "user_uuid": "06e9d803-d8fc-401f-9487-d76e83072b2b",
- "user_name": "string",
- "user_login": "string",
- "user_email": "string",
- "user_active": true,
- "user_is_service_account": true
}, - {
- "user_id": 4,
- "user_uuid": "bb807755-62fa-412b-b242-fd930a24be13",
- "user_name": "strsinsg",
- "user_login": "strsing",
- "user_email": "stringa",
- "user_active": true,
- "user_is_service_account": true
}
]
}Returns information of a specific user.
+| user_id required | integer user ID + |
{- "data": {
- "user_active": true,
- "user_cases_access": [ ],
- "user_email": "administrator@iris.local",
- "user_groups": [
- {
- "group_id": 1,
- "group_name": "Administrators",
- "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f"
}
], - "user_id": 1,
- "user_login": "administrator",
- "user_name": "administrator",
- "user_organisations": [
- {
- "is_primary_org": true,
- "org_id": 1,
- "org_name": "Default Org",
- "org_uuid": "f0b6364d-bab8-48ac-8de3-8be04f409aa7"
}
], - "user_permissions": {
- "1": {
- "inherited_from": [
- "Administrators"
], - "name": "standard_user",
- "value": 1
}, - "2": {
- "inherited_from": [
- "Administrators"
], - "name": "server_administrator",
- "value": 2
}
}, - "user_primary_organisation_id": 1,
- "user_uuid": "87d6cfcd-6871-43ea-85ab-eea705c08845"
}, - "message": "",
- "status": "success"
}Requires administrative rights.
+| user_id required | integer user ID + |
| cid required | integer Case ID + |
| group_name required | string |
| group_description required | string |
| group_permissions required | integer |
{- "group_name": "New group",
- "group_description": "New description",
- "group_permissions": 1
}{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_name": "New group",
- "group_permissions": 1,
- "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}, - "message": "",
- "status": "success"
}Requires administrative rights.
+| group_id required | integer Group ID + |
| cid required | integer Case ID + |
| group_name required | string |
| group_description required | string |
| group_permissions required | integer |
{- "group_name": "New group",
- "group_description": "New description",
- "group_permissions": 1
}{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_name": "New group",
- "group_permissions": 1,
- "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c"
}, - "message": "",
- "status": "success"
}Requires administrative rights. Set the members of a group.
+| group_id required | integer Group ID + |
| cid required | integer Case ID + |
| group_members | Array of integers |
{- "group_members": [
- 1,
- 2
]
}{- "data": [ ],
- "message": "Group deleted",
- "status": "success"
}Requires administrative rights.
+| group_id required | integer Group ID + |
| user_id required | integer User ID + |
| cid required | integer Case ID + |
{- "data": [ ],
- "message": "Group deleted",
- "status": "success"
}Requires administrative rights.
+| group_id required | integer Group ID + |
| cid required | integer Case ID + |
| access_level required | integer |
| cases_list required | Array of integers |
| auto_follow_cases required | boolean |
{- "access_level": 0,
- "cases_list": [
- 0
], - "auto_follow_cases": false
}{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 4,
- "group_cases_access": [
- {
- "access_level": 0,
- "access_level_list": [ ],
- "case_id": 1,
- "case_name": "#1 - Dummy name"
}
], - "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - "message": "",
- "status": "success"
}Requires administrative rights.
+| group_id required | integer Group ID + |
| cid required | integer Case ID + |
| cases | Array of integers |
{- "cases": [
- 1
]
}{- "data": {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 4,
- "group_cases_access": [
- {
- "access_level": 0,
- "access_level_list": [ ],
- "case_id": 1,
- "case_name": "#1 - Dummy name"
}
], - "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - "message": "",
- "status": "success"
}List the groups
+| cid required | integer Case ID + |
Array of objects | |
| message | string |
| status | string |
{- "data": [
- {
- "group_auto_follow": true,
- "group_auto_follow_access_level": 4,
- "group_description": "Administrators",
- "group_id": 1,
- "group_members": [
- {
- "id": 1,
- "name": "administrator",
- "user": "administrator"
}
], - "group_name": "Administrators",
- "group_permissions": 3,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}, - {
- "name": "server_administrator",
- "value": 2
}
], - "group_uuid": "17511de3-99f5-482a-a541-22bb77e62a9f",
- "registry": null
}, - {
- "group_auto_follow": true,
- "group_auto_follow_access_level": 4,
- "group_description": "Standard Analysts",
- "group_id": 2,
- "group_members": [ ],
- "group_name": "Analysts",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "f71c519f-db4f-4bd3-9dd3-b427a5812089",
- "registry": null
}, - {
- "group_auto_follow": false,
- "group_auto_follow_access_level": 0,
- "group_description": "New description",
- "group_id": 4,
- "group_members": [ ],
- "group_name": "New group",
- "group_permissions": 1,
- "group_permissions_list": [
- {
- "name": "standard_user",
- "value": 1
}
], - "group_uuid": "a9bb4b93-c8ac-490d-9387-f97f4722271c",
- "registry": null
}
], - "message": "",
- "status": "success"
}Return a list of available assets types.
+| cid required | integer Case ID + |
{- "data": [
- {
- "asset_description": "Standard Windows Server",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
- "asset_id": 10,
- "asset_name": "Windows - Server"
}, - {
- "asset_description": "Domain Controller",
- "asset_icon_compromised": "ioc_windows_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_server.png",
- "asset_icon_not_compromised": "windows_server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_server.png",
- "asset_id": 11,
- "asset_name": "Windows - DC"
}, - {
- "asset_description": "Router",
- "asset_icon_compromised": "ioc_router.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_router.png",
- "asset_icon_not_compromised": "router.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/router.png",
- "asset_id": 12,
- "asset_name": "Router"
}, - {
- "asset_description": "Switch",
- "asset_icon_compromised": "ioc_switch.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_switch.png",
- "asset_icon_not_compromised": "switch.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/switch.png",
- "asset_id": 13,
- "asset_name": "Switch"
}, - {
- "asset_description": "VPN",
- "asset_icon_compromised": "ioc_vpn.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_vpn.png",
- "asset_icon_not_compromised": "vpn.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/vpn.png",
- "asset_id": 14,
- "asset_name": "VPN"
}, - {
- "asset_description": "WAF",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
- "asset_id": 15,
- "asset_name": "WAF"
}, - {
- "asset_description": "Windows Account - Local",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 16,
- "asset_name": "Windows Account - Local"
}, - {
- "asset_description": "Windows Account - Local - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 17,
- "asset_name": "Windows Account - Local - Admin"
}, - {
- "asset_description": "Windows Account - AD",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 18,
- "asset_name": "Windows Account - AD"
}, - {
- "asset_description": "Windows Account - AD - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 19,
- "asset_name": "Windows Account - AD - Admin"
}, - {
- "asset_description": "Windows Account - AD - krbtgt",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 20,
- "asset_name": "Windows Account - AD - krbtgt"
}, - {
- "asset_description": "Windows Account - AD - krbtgt",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 21,
- "asset_name": "Windows Account - AD - Service"
}, - {
- "asset_description": "Generic Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 1,
- "asset_name": "Account"
}, - {
- "asset_description": "Firewall",
- "asset_icon_compromised": "ioc_firewall.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_firewall.png",
- "asset_icon_not_compromised": "firewall.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/firewall.png",
- "asset_id": 2,
- "asset_name": "Firewall"
}, - {
- "asset_description": "Linux server",
- "asset_icon_compromised": "ioc_server.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_server.png",
- "asset_icon_not_compromised": "server.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/server.png",
- "asset_id": 3,
- "asset_name": "Linux - Server"
}, - {
- "asset_description": "Linux computer",
- "asset_icon_compromised": "ioc_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
- "asset_icon_not_compromised": "desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
- "asset_id": 4,
- "asset_name": "Linux - Computer"
}, - {
- "asset_description": "Linux Account",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/user.png",
- "asset_id": 5,
- "asset_name": "Linux Account"
}, - {
- "asset_description": "Mac computer",
- "asset_icon_compromised": "ioc_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_desktop.png",
- "asset_icon_not_compromised": "desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/desktop.png",
- "asset_id": 6,
- "asset_name": "Mac - Computer"
}, - {
- "asset_description": "Android Phone",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
- "asset_id": 7,
- "asset_name": "Phone - Android"
}, - {
- "asset_description": "Apple Phone",
- "asset_icon_compromised": "ioc_phone.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_phone.png",
- "asset_icon_not_compromised": "phone.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/phone.png",
- "asset_id": 8,
- "asset_name": "Phone - IOS"
}, - {
- "asset_description": "Standard Windows Computer",
- "asset_icon_compromised": "ioc_windows_desktop.png",
- "asset_icon_compromised_path": "/static/assets/img/graph/ioc_windows_desktop.png",
- "asset_icon_not_compromised": "windows_desktop.png",
- "asset_icon_not_compromised_path": "/static/assets/img/graph/windows_desktop.png",
- "asset_id": 9,
- "asset_name": "Windows - Computer"
}
], - "message": "",
- "status": "success"
}Returns information on a specific asset type.
+| asset_type_id required | integer Asset Type ID + |
{- "data": {
- "asset_description": "Firewall",
- "asset_id": 2,
- "asset_name": "Firewall"
}, - "message": "",
- "status": "success"
}Delete an asset type. Administrator role required.
+| asset_type_id required | integer Asset Type ID + |
| cid | integer Case ID + |
{- "data": [ ],
- "message": "Deleted asset type ID 16 successfully",
- "status": "success"
}Administrator role required. See the example for the expected data.
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_name"
+
+My asset name
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_description"
+
+My asset description
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
+Content-Type: image/png
+
+PNG DATA
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
+Content-Type: image/png
+
+PNG DATA
+-----------------------------145784024822865434322863553415--
+| asset_name required | string |
| asset_description required | string |
| asset_icon_not_compromised required | string |
| asset_icon_compromised required | string |
{- "data": {
- "asset_description": "Test",
- "asset_icon_compromised": "rhogktdtczkkrokiaq",
- "asset_icon_not_compromised": "ibbbflajuaecznvhtm",
- "asset_id": 22,
- "asset_name": "Test",
- "registry": null
}, - "message": "Asset type updated",
- "status": "success"
}Administrator role required.
+| asset_type_id required | integer Asset Type to update + |
| cid required | integer Case ID + |
-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_name"
+
+My asset name
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_description"
+
+My asset description
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_icon_not_compromised"; filename="ex.png"
+Content-Type: image/png
+
+PNG DATA
+-----------------------------145784024822865434322863553415
+Content-Disposition: form-data; name="asset_icon_compromised"; filename="ex_1.png"
+Content-Type: image/png
+
+PNG DATA
+-----------------------------145784024822865434322863553415--
+| asset_name required | string |
| asset_description required | string |
| asset_icon_not_compromised required | string |
| asset_icon_compromised required | string |
{- "data": {
- "asset_description": "Windows Account - Local - Admin",
- "asset_icon_compromised": "ioc_user.png",
- "asset_icon_not_compromised": "user.png",
- "asset_id": 17,
- "asset_name": "Windows Account - Local - Admin",
- "registry": null
}, - "message": "Asset type updated",
- "status": "success"
}Return a list of available task status.
+| cid required | integer Case ID + |
{- "data": [
- {
- "id": 1,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - {
- "id": 2,
- "status_bscolor": "warning",
- "status_description": "",
- "status_name": "In progress"
}, - {
- "id": 3,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "On hold"
}, - {
- "id": 4,
- "status_bscolor": "success",
- "status_description": "",
- "status_name": "Done"
}, - {
- "id": 5,
- "status_bscolor": "muted",
- "status_description": "",
- "status_name": "Canceled"
}
], - "message": "",
- "status": "success"
}Return information on a task status.
+| task_status_id required | integer Task status to get + |
| cid required | integer Case ID + |
{- "data": {
- "id": 1,
- "status_bscolor": "danger",
- "status_description": "",
- "status_name": "To do"
}, - "message": "",
- "status": "success"
}Return a list of available analysis status.
+| cid required | integer Case ID + |
{- "data": [
- {
- "id": 1,
- "name": "Unspecified"
}, - {
- "id": 2,
- "name": "To be done"
}, - {
- "id": 3,
- "name": "Started"
}, - {
- "id": 4,
- "name": "Pending"
}, - {
- "id": 5,
- "name": "Canceled"
}, - {
- "id": 6,
- "name": "Done"
}
], - "message": "",
- "status": "success"
}Return information on an IOC type.
+| ioc_type_id required | integer IOC Type ID + |
| cid required | integer Case ID + |
{- "data": {
- "registry": null,
- "type_description": "Autonomous system",
- "type_id": 1,
- "type_name": "AS",
- "type_taxonomy": null,
- "type_validation_expect": null,
- "type_validation_regex": null
}, - "message": "",
- "status": "success"
}Delete an IOC type. Administrator role required.
+| ioc_type_id required | integer IOC Type ID + |
| cid | integer Case ID + |
{- "data": [ ],
- "message": "Deleted ioc type ID 6",
- "status": "success"
}Administrator role required.
+| type_name required | string |
| type_description required | string |
| type_taxonomy required | string |
| type_validation_regex required | string |
| type_validation_expect required | string |
{- "type_name": "campaign-id",
- "type_description": "Associated campaign ID",
- "type_taxonomy": "dsa",
- "type_validation_regex": "*.",
- "type_validation_expect": "Explanation"
}{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 161,
- "type_name": "campaign-aaid",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "Added successfully",
- "status": "success"
}Administrator role required.
+| ioc_type_id required | integer IOC Type ID + |
| type_name | string |
| type_description | string |
| type_taxonomy | string |
| type_validation_regex | string |
| type_validation_expect | string |
{- "type_name": "campaign-id",
- "type_description": "Associated campaign ID",
- "type_taxonomy": "dsa",
- "type_validation_regex": "*.",
- "type_validation_expect": "Explanation"
}{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}Add a new case template.
+| case_template_json | string |
{- "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}Update a case template.
+| template_id required | integer Case Template ID + |
| case_template_json | string |
{- "case_template_json": "{\n \"name\": \"Template name\",\n \"display_name\": \"Template Display Name\",\n \"description\": \"Template description\",\n \"author\": \"YOUR NAME\",\n \"classification\": \"known-template-classification\",\n \"title_prefix\": \"[PREFIX]\",\n \"summary\": \"Summary to be set\",\n \"tags\": [\n \"ransomware\",\n \"malware\"\n ],\n \"tasks\": [\n {\n \"title\": \"Task 1\",\n \"description\": \"Task 1 description\",\n \"tags\": [\n \"tag1\",\n \"tag2\"\n ]\n }\n ],\n \"note_groups\": [\n {\n \"title\": \"Note group 1\",\n \"notes\": [\n {\n \"title\": \"Note 1\",\n \"content\": \"Note 1 content\"\n }\n ]\n }\n ]\n}"
}{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}Delete a case template.
+| template_id required | integer Case Template ID + |
{- "data": {
- "registry": null,
- "type_description": "Associated campaign ID",
- "type_id": 7,
- "type_name": "campaign-id",
- "type_taxonomy": "dsa",
- "type_validation_expect": "Explanation",
- "type_validation_regex": "*."
}, - "message": "IOC type updated",
- "status": "success"
}{- "status": "success",
- "message": "",
- "data": [
- {
- "id": 1,
- "name": "abusive-content:spam",
- "name_expanded": "Abusive-Content: spam",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "creation_date": "2023-04-28T11:30:00.649012"
}, - {
- "id": 2,
- "name": "abusive-content:harmful-speech",
- "name_expanded": "Abusive-Content: Harmful Speech",
- "description": "Discretization or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals) May be found on a forum, email, tweet etc…",
- "creation_date": "2023-04-28T11:30:00.653918"
}, - {
- "id": 3,
- "name": "abusive-content:violence",
- "name_expanded": "Abusive-Content: Child/Sexual/Violence/...",
- "description": "Any Child pornography, glorification of violence, may be found on a website, forum, email, tweet etc…",
- "creation_date": "2023-04-28T11:30:00.657151"
}, - {
- "id": 4,
- "name": "malicious-code:virus",
- "name_expanded": "Malicious-Code: Virus",
- "description": "Malicious code that replicate itself and infects the computer and files;",
- "creation_date": "2023-04-28T11:30:00.660827"
}, - {
- "id": 5,
- "name": "malicious-code:worm",
- "name_expanded": "Malicious-Code: Worm",
- "description": "Malware that self-replicates and spread itself to other computers in the network without any user interaction;",
- "creation_date": "2023-04-28T11:30:00.664177"
}, - {
- "id": 6,
- "name": "malicious-code:ransomware",
- "name_expanded": "Malicious-Code: Ransomware",
- "description": "Ransomware is a type of malicious software from cryptovirology that blocks access to the victim's data or threatens to publish it until a ransom is paid.",
- "creation_date": "2023-04-28T11:30:00.667058"
}, - {
- "id": 7,
- "name": "malicious-code:trojan-malware",
- "name_expanded": "Malicious-Code: Trojan/Malware",
- "description": "This category regroups many common malware types (Banking, POS, Mining malware).",
- "creation_date": "2023-04-28T11:30:00.670949"
}, - {
- "id": 8,
- "name": "malicious-code:spyware-rat",
- "name_expanded": "Malicious-Code: Spyware/Rat",
- "description": "This category regroups malware types and tools that may have a bigger impact on the breached infrastructure and usually need further investigations (Common Spyware/Rat, State sponsored malwares, StealersHacking tool).",
- "creation_date": "2023-04-28T11:30:00.673649"
}, - {
- "id": 9,
- "name": "malicious-code:dialer",
- "name_expanded": "Malicious-Code: Dialer",
- "description": "Computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Use this category to classify overpriced SMS sent by malicious mobile application. ",
- "creation_date": "2023-04-28T11:30:00.676681"
}, - {
- "id": 10,
- "name": "malicious-code:rootkit",
- "name_expanded": "Malicious-Code: Rootkit",
- "description": "Malware, which alter the standard functionality of an operating system in order to do its malicious actions in a stealthy way. In practice, Rootkits hijacks systems functions in order to alter the returning values to hide themselves from simple analysis tools.",
- "creation_date": "2023-04-28T11:30:00.679830"
}, - {
- "id": 11,
- "name": "information-gathering:scanner",
- "name_expanded": "Information-Gathering: Scanning",
- "description": "Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT,).",
- "creation_date": "2023-04-28T11:30:00.682321"
}, - {
- "id": 12,
- "name": "information-gathering:sniffing",
- "name_expanded": "Information-Gathering: Sniffing",
- "description": "Observing and recording network traffic (wiretapping).",
- "creation_date": "2023-04-28T11:30:00.686102"
}, - {
- "id": 13,
- "name": "information-gathering:social-engineering",
- "name_expanded": "Information-Gathering: Social Engineering",
- "description": "Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).",
- "creation_date": "2023-04-28T11:30:00.689526"
}, - {
- "id": 14,
- "name": "intrusion-attempts:exploit-known-vuln",
- "name_expanded": "Intrusion-Attempts: Exploiting known vulnerabilities",
- "description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (eg, buffer overflow, backdoors, cross side scripting, etc).",
- "creation_date": "2023-04-28T11:30:00.692862"
}, - {
- "id": 15,
- "name": "intrusion-attempts:login-attempts",
- "name_expanded": "Intrusion-Attempts: Login attempts",
- "description": "Multiple login attempts (guessing / cracking of passwords, brute force).",
- "creation_date": "2023-04-28T11:30:00.696596"
}, - {
- "id": 16,
- "name": "intrusion-attempts:new-attack-signature",
- "name_expanded": "Intrusion-Attempts: New attack signature",
- "description": "An attempt using an unknown exploit.",
- "creation_date": "2023-04-28T11:30:00.699969"
}, - {
- "id": 17,
- "name": "intrusion:privileged-account-compromise",
- "name_expanded": "Intrusion: Privileged Account Compromise",
- "description": "A successful full compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access.",
- "creation_date": "2023-04-28T11:30:00.704096"
}, - {
- "id": 18,
- "name": "intrusion:unprivileged-account-compromise",
- "name_expanded": "Intrusion: Unprivileged Account Compromise",
- "description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. The intruded did not achieve to escale his privileges locally. ",
- "creation_date": "2023-04-28T11:30:00.707415"
}, - {
- "id": 19,
- "name": "intrusion:botnet-member",
- "name_expanded": "Intrusion: Botnet member",
- "description": "The compromised asset is also being part of a botnet. This is reserved mainly for public web servers. See malicious code in priority for workstations or internal server’s compromise. For example, phpmailer, etc…",
- "creation_date": "2023-04-28T11:30:00.711851"
}, - {
- "id": 20,
- "name": "intrusion:domain-compromise",
- "name_expanded": "Intrusion: Domain Compromise",
- "description": "The whole domain is compromised; this is commonly used for active directory and detected by a 'pass the ticket' attack or a discovery of 'ad dumps' files.",
- "creation_date": "2023-04-28T11:30:00.715487"
}, - {
- "id": 21,
- "name": "intrusion:application-compromise",
- "name_expanded": "Intrusion: Application Compromise",
- "description": "An application is compromised; the attacker possess an uncontrolled access to data, server, and assets used by this application (CMDB, DB, Backend services, etc.).",
- "creation_date": "2023-04-28T11:30:00.719242"
}, - {
- "id": 22,
- "name": "availability:dos",
- "name_expanded": "Availability: DoS",
- "description": "An attacker attempts to prevent legitimate users from accessing information or services.",
- "creation_date": "2023-04-28T11:30:00.722901"
}, - {
- "id": 23,
- "name": "availability:ddos",
- "name_expanded": "Availability: DDoS",
- "description": "Form of electronic attack involving multiple computers, which send repeated requests (HTTP requests, pings, TCP or UDP Flood) to a server to load it down and render the service inaccessible for a period of time. ",
- "creation_date": "2023-04-28T11:30:00.726025"
}, - {
- "id": 24,
- "name": "availability:sabotage",
- "name_expanded": "Availability: Sabotage",
- "description": "Deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.",
- "creation_date": "2023-04-28T11:30:00.730028"
}, - {
- "id": 25,
- "name": "availability:outage",
- "name_expanded": "Availability: Outage (no malice)",
- "description": "Unavailability of the system but done with no malice.",
- "creation_date": "2023-04-28T11:30:00.732902"
}, - {
- "id": 26,
- "name": "information-content-security:Unauthorised-information-access",
- "name_expanded": "Information-Content-Security: Unauthorised access to information",
- "description": "Any access to unauthorized data. It may be access of data on improperly restricted server share or database exfiltered by using a SQLi.",
- "creation_date": "2023-04-28T11:30:00.736928"
}, - {
- "id": 27,
- "name": "information-content-security:Unauthorised-information-modification",
- "name_expanded": "Information-Content-Security: Unauthorised modification of information",
- "description": "Unauthorized tampering of data on files, documents or database.",
- "creation_date": "2023-04-28T11:30:00.740163"
}, - {
- "id": 28,
- "name": "fraud:copyright",
- "name_expanded": "Fraud: Copyright",
- "description": "Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
- "creation_date": "2023-04-28T11:30:00.743723"
}, - {
- "id": 29,
- "name": "fraud:masquerade",
- "name_expanded": "Fraud: Masquerade",
- "description": "Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it. This attack may be used for president fraud requesting transactions.",
- "creation_date": "2023-04-28T11:30:00.747483"
}, - {
- "id": 30,
- "name": "fraud:phishing",
- "name_expanded": "Fraud: Phishing",
- "description": "Masquerading as another entity in order to persuade the user to reveal a private credential.",
- "creation_date": "2023-04-28T11:30:00.750375"
}, - {
- "id": 31,
- "name": "vulnerable:vulnerable-service",
- "name_expanded": "Vulnerable: Open for abuse",
- "description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc. This includes for example default SNMP community or default password on any application.",
- "creation_date": "2023-04-28T11:30:00.754135"
}, - {
- "id": 32,
- "name": "conformity:regulator",
- "name_expanded": "Conformity: Regulator",
- "description": "All lack about regulator rules (CSSF, GDPR, etc.).",
- "creation_date": "2023-04-28T11:30:00.757258"
}, - {
- "id": 33,
- "name": "conformity:standard",
- "name_expanded": "Conformity: Standard",
- "description": "All lack about standards certification of the company (ISO27000, NIS, ISAE3402, etc.).",
- "creation_date": "2023-04-28T11:30:00.760692"
}, - {
- "id": 34,
- "name": "conformity:security-policy",
- "name_expanded": "Conformity: Security policy",
- "description": "All lack about the internal security policy of the company.",
- "creation_date": "2023-04-28T11:30:00.764099"
}, - {
- "id": 35,
- "name": "conformity:other-conformity",
- "name_expanded": "Conformity: Other",
- "description": "All lack that do not fit in one of previous categories should be put on this class.",
- "creation_date": "2023-04-28T11:30:00.766910"
}, - {
- "id": 36,
- "name": "other:other",
- "name_expanded": "Other: other",
- "description": "All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.",
- "creation_date": "2023-04-28T11:30:00.770376"
}, - {
- "id": 75,
- "name": "Super really",
- "name_expanded": "No no no",
- "description": "dsadas",
- "creation_date": "2023-05-02T07:22:38.042448"
}
]
}Get a case classification from an ID.
+| classification_id required | integer Classification ID to fetch + |
{- "status": "success",
- "message": "",
- "data": {
- "creation_date": "2023-04-28T11:30:00.649012",
- "description": "Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.",
- "name_expanded": "Abusive-Content: spam",
- "id": 1,
- "name": "abusive-content:spam"
}
}| name | string |
| name_expanded | string |
| description | string |
{- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification"
}{- "status": "success",
- "message": "Case classification added",
- "data": {
- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification",
- "id": 41,
- "creation_date": "2024-01-10T12:56:24.442781"
}
}| classification_id required | string Classification ID + |
| name | string |
| name_expanded | string |
| description | string |
{- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification"
}{- "status": "success",
- "message": "Case classification updated",
- "data": {
- "name": "NewClassification",
- "name_expanded": "New Classification",
- "description": "Superbe new classification",
- "id": 41,
- "creation_date": "2024-01-10T12:56:24.442781"
}
}{- "status": "success",
- "message": "",
- "data": [
- {
- "state_name": "Unspecified",
- "state_description": "Unspecified",
- "state_id": 1,
- "protected": true
}, - {
- "state_name": "In progress",
- "state_description": "Case is being investigated",
- "state_id": 2,
- "protected": false
}, - {
- "state_name": "Containment",
- "state_description": "Containment is in progress",
- "state_id": 4,
- "protected": false
}, - {
- "state_name": "Eradication",
- "state_description": "Eradication is in progress",
- "state_id": 5,
- "protected": false
}, - {
- "state_name": "Recovery",
- "state_description": "Recovery is in progress",
- "state_id": 6,
- "protected": false
}, - {
- "state_name": "Post-Incident",
- "state_description": "Post-incident phase",
- "state_id": 7,
- "protected": false
}, - {
- "state_name": "Reporting",
- "state_description": "Reporting is in progress",
- "state_id": 8,
- "protected": false
}, - {
- "state_name": "Closed",
- "state_description": "Case is closed",
- "state_id": 9,
- "protected": true
}, - {
- "state_name": "Open",
- "state_description": "Case is open",
- "state_id": 11,
- "protected": true
}, - {
- "state_name": "Open",
- "state_description": "Case is open",
- "state_id": 3,
- "protected": true
}, - {
- "state_name": "To escalate",
- "state_description": "Use this when the case is stalled due to inaction of an involved stakeholder",
- "state_id": 10,
- "protected": false
}
]
}Get a case state from an ID.
+| state_id required | integer state ID to fetch + |
{- "status": "success",
- "message": "",
- "data": {
- "state_name": "Unspecified",
- "state_description": "Unspecified",
- "state_id": 1,
- "protected": true
}
}| state_name required | string |
| state_description required | string |
{- "state_name": "New state",
- "state_description": "Superbe new state"
}{- "status": "success",
- "message": "Case state added",
- "data": {
- "state_name": "New state",
- "state_description": "Superbe new state",
- "state_id": 14,
- "protected": false
}
}| state_id required | string state ID + |
| state_name | string |
| state_description | string |
{- "state_name": "New state",
- "state_description": "Superbe new state"
}{- "status": "success",
- "message": "Case state updated",
- "data": {
- "state_name": "New state",
- "state_description": "Superbe new state",
- "state_id": 14,
- "protected": false
}
}{- "status": "success",
- "message": "",
- "data": [
- {
- "id": 1,
- "name": "Unspecified",
- "description": "Unspecified",
- "creation_date": "2023-11-29T10:28:30.448583"
}, - {
- "id": 2,
- "name": "HDD image - Generic",
- "description": "Generic copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.764707"
}, - {
- "id": 3,
- "name": "HDD image - DD - Other",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.768152"
}, - {
- "id": 4,
- "name": "HDD image - DD - Windows",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.777829"
}, - {
- "id": 5,
- "name": "HDD image - DD - Unix",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.785553"
}, - {
- "id": 6,
- "name": "HDD image - DD - MacOS",
- "description": "DD copy of an hard drive",
- "creation_date": "2023-11-29T10:28:30.794414"
}, - {
- "id": 7,
- "name": "HDD image - E01 - Other",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.800029"
}, - {
- "id": 8,
- "name": "HDD image - E01 - Windows",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.803284"
}, - {
- "id": 9,
- "name": "HDD image - E01 - Unix",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.806221"
}, - {
- "id": 10,
- "name": "HDD image - E01 - MacOS",
- "description": "E01 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.809047"
}, - {
- "id": 11,
- "name": "HDD image - AFF4 - Other",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.811984"
}, - {
- "id": 12,
- "name": "HDD image - AFF4 - Windows",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.814682"
}, - {
- "id": 13,
- "name": "HDD image - AFF4 - Unix",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.817469"
}, - {
- "id": 14,
- "name": "HDD image - AFF4 - MacOS",
- "description": "AFF4 acquisition of an hard drive",
- "creation_date": "2023-11-29T10:28:30.820104"
}, - {
- "id": 15,
- "name": "SSD image - Generic",
- "description": "Generic copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.822762"
}, - {
- "id": 16,
- "name": "SSD image - DD - Other",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.825339"
}, - {
- "id": 17,
- "name": "SSD image - DD - Windows",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.827840"
}, - {
- "id": 18,
- "name": "SSD image - DD - Unix",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.830378"
}, - {
- "id": 19,
- "name": "SSD image - DD - MacOS",
- "description": "DD copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.832702"
}, - {
- "id": 20,
- "name": "SSD image - E01 - Other",
- "description": "EO1 copy of a solid state drive",
- "creation_date": "2023-11-29T10:28:30.835493"
}, - {
- "id": 21,
- "name": "SSD image - E01 - Windows",
- "description": "EO1 copy of a solid state drive",
- "creation_date": "2023-11-29T10:28:30.838210"
}, - {
- "id": 22,
- "name": "SSD image - E01 - Unix",
- "description": "EO1 copy of a solid state drive",
- "creation_date": "2023-11-29T10:28:30.840994"
}, - {
- "id": 23,
- "name": "SSD image - E01 - MacOS",
- "description": "EO1 copy of MacOS on a solid state drive",
- "creation_date": "2023-11-29T10:28:30.843876"
}, - {
- "id": 24,
- "name": "SSD image - AFF4 - Other",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.846797"
}, - {
- "id": 25,
- "name": "SSD image - AFF4 - Windows",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.849600"
}, - {
- "id": 26,
- "name": "SSD image - AFF4 - Unix",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.852251"
}, - {
- "id": 27,
- "name": "SSD image - AFF4 - MacOS",
- "description": "AFF4 copy of an solid state drive",
- "creation_date": "2023-11-29T10:28:30.855217"
}, - {
- "id": 28,
- "name": "VM image - Generic",
- "description": "Generic copy of a VM ",
- "creation_date": "2023-11-29T10:28:30.858080"
}, - {
- "id": 29,
- "name": "VM image - Linux Server",
- "description": "Copy of a Linux Server VM",
- "creation_date": "2023-11-29T10:28:30.861149"
}, - {
- "id": 30,
- "name": "VM image - Windows Server",
- "description": "Copy of a Windows Server VM",
- "creation_date": "2023-11-29T10:28:30.864715"
}, - {
- "id": 31,
- "name": "Phone Image - Android",
- "description": "Copy of an Android phone",
- "creation_date": "2023-11-29T10:28:30.868405"
}, - {
- "id": 32,
- "name": "Phone Image - iPhone",
- "description": "Copy of an iPhone",
- "creation_date": "2023-11-29T10:28:30.873334"
}, - {
- "id": 33,
- "name": "Phone backup - Android (adb)",
- "description": "adb backup of an Android",
- "creation_date": "2023-11-29T10:28:30.876699"
}, - {
- "id": 34,
- "name": "Phone backup - iPhone (iTunes)",
- "description": "iTunes backup of an iPhone",
- "creation_date": "2023-11-29T10:28:30.879779"
}, - {
- "id": 35,
- "name": "Tablet Image - Android",
- "description": "Copy of an Android tablet",
- "creation_date": "2023-11-29T10:28:30.882645"
}, - {
- "id": 36,
- "name": "Tablet Image - iPad",
- "description": "Copy of an iPad tablet",
- "creation_date": "2023-11-29T10:28:30.885351"
}, - {
- "id": 37,
- "name": "Tablet backup - Android (adb)",
- "description": "adb backup of an Android tablet",
- "creation_date": "2023-11-29T10:28:30.888168"
}, - {
- "id": 38,
- "name": "Tablet backup - iPad (iTunes)",
- "description": "iTunes backup of an iPad",
- "creation_date": "2023-11-29T10:28:30.890747"
}, - {
- "id": 39,
- "name": "Collection - Velociraptor",
- "description": "Velociraptor collection",
- "creation_date": "2023-11-29T10:28:30.893125"
}, - {
- "id": 40,
- "name": "Collection - ORC",
- "description": "ORC collection",
- "creation_date": "2023-11-29T10:28:30.896533"
}, - {
- "id": 41,
- "name": "Collection - KAPE",
- "description": "KAPE collection",
- "creation_date": "2023-11-29T10:28:30.899316"
}, - {
- "id": 42,
- "name": "Memory acquisition - Physical RAM",
- "description": "Physical RAM acquisition",
- "creation_date": "2023-11-29T10:28:30.901923"
}, - {
- "id": 43,
- "name": "Memory acquisition - VMEM",
- "description": "vmem file",
- "creation_date": "2023-11-29T10:28:30.904445"
}, - {
- "id": 44,
- "name": "Logs - Linux",
- "description": "Standard Linux logs",
- "creation_date": "2023-11-29T10:28:30.906868"
}, - {
- "id": 45,
- "name": "Logs - Windows EVTX",
- "description": "Standard Windows EVTX logs",
- "creation_date": "2023-11-29T10:28:30.909559"
}, - {
- "id": 46,
- "name": "Logs - Windows EVT",
- "description": "Standard Windows EVT logs",
- "creation_date": "2023-11-29T10:28:30.912298"
}, - {
- "id": 47,
- "name": "Logs - MacOS",
- "description": "Standard MacOS logs",
- "creation_date": "2023-11-29T10:28:30.915390"
}, - {
- "id": 48,
- "name": "Logs - Generic",
- "description": "Generic logs",
- "creation_date": "2023-11-29T10:28:30.918916"
}, - {
- "id": 49,
- "name": "Logs - Firewall",
- "description": "Firewall logs",
- "creation_date": "2023-11-29T10:28:30.921878"
}, - {
- "id": 50,
- "name": "Logs - Proxy",
- "description": "Proxy logs",
- "creation_date": "2023-11-29T10:28:30.924702"
}, - {
- "id": 51,
- "name": "Logs - DNS",
- "description": "DNS logs",
- "creation_date": "2023-11-29T10:28:30.927599"
}, - {
- "id": 52,
- "name": "Logs - Email",
- "description": "Email logs",
- "creation_date": "2023-11-29T10:28:30.930438"
}, - {
- "id": 53,
- "name": "Executable - Windows (PE)",
- "description": "Generic Windows executable",
- "creation_date": "2023-11-29T10:28:30.933774"
}, - {
- "id": 54,
- "name": "Executable - Linux (ELF)",
- "description": "Generic Linux executable",
- "creation_date": "2023-11-29T10:28:30.936884"
}, - {
- "id": 55,
- "name": "Executable - MacOS (Mach-O)",
- "description": "Generic MacOS executable",
- "creation_date": "2023-11-29T10:28:30.939526"
}, - {
- "id": 56,
- "name": "Executable - Generic",
- "description": "Generic executable",
- "creation_date": "2023-11-29T10:28:30.942070"
}, - {
- "id": 57,
- "name": "Script - Generic",
- "description": "Generic script",
- "creation_date": "2023-11-29T10:28:30.944690"
}, - {
- "id": 58,
- "name": "Generic - Data blob",
- "description": "Generic blob of data",
- "creation_date": "2023-11-29T10:28:30.947365"
}
]
}Get a evidence type from an ID.
+| type_id required | integer state ID to fetch + |
{- "status": "success",
- "message": "",
- "data": {
- "state_name": "Unspecified",
- "state_description": "Unspecified",
- "state_id": 1,
- "protected": true
}
}| name required | string |
| description required | string |
{- "name": "Evidence Type",
- "description": "Superbe Evidence Type"
}{- "status": "success",
- "message": "Evidence type added",
- "data": {
- "name": "Evidence Type",
- "description": "Superbe Evidence Type",
- "id": 59,
- "creation_date": "2024-01-10T15:39:50.157298"
}
}| type_id required | string Type ID + |
| name | string |
| description | string |
{- "name": "Evidence Type",
- "description": "Superbe Evidence Type"
}{- "status": "success",
- "message": "Evidence type updated",
- "data": {
- "name": "Evidence Type 1",
- "description": "Superbe Evidence Type",
- "id": 3,
- "creation_date": "2023-11-29T10:28:30.768152"
}
}This documentation serves as a comprehensive guide to the IRIS web application operations, modules, and development.
If you're new to IRIS, we recommend starting with our Getting Started guide to learn the basics.
For those who want to try out IRIS easily, we offer a free demonstration instance of the rolling beta version here.
Our documentation is constantly evolving, so if you don't find what you're looking for, please contact us so we can add the missing piece.
"},{"location":"#what-is-iris","title":"What is IRIS?","text":"IRIS is a collaborative platform for incident response analysts that helps to share investigations at a technical level. It's a web application that can be installed on a fixed-server or on a laptop for roaming investigations where internet might not be available.
IRIS was born out of the struggle to share long and complex investigations among analysts.
The project is available on our Github organization.
Disclaimer
IRIS is still in its early stages. It can already be used in production, but please set backups of the database and DO NOT expose the interface on the Internet. We highly recommend the use of a private dedicated and secured network.
"},{"location":"changelog/","title":"Changelog","text":"For upgrades instructions, please see the Upgrades page.
"},{"location":"changelog/#v247-march-18-2024","title":"v2.4.7 March 18, 2024","text":""},{"location":"changelog/#whats-changed","title":"What's changed","text":"Fixed * Issues in the datastore preventing to upload multiple files
Full Changelog
"},{"location":"changelog/#v246-march-18-2024","title":"v2.4.6 March 18, 2024","text":""},{"location":"changelog/#whats-changed_1","title":"What's changed","text":"\u26a0\ufe0f Important changes are done in the Access Control. If you are upgrading, please carefully read the upgrades instructions. The layout of the reports has been changed. Reports template need to be upgraded as well.
Improved
Fixed
Full Changelog
"},{"location":"changelog/#v237-december-14-2023","title":"v2.3.7 December 14, 2023","text":""},{"location":"changelog/#whats-changed_2","title":"What's Changed","text":"Fixed
Improved
Full Changelog
"},{"location":"changelog/#v236-december-7-2023","title":"v2.3.6 December 7, 2023","text":""},{"location":"changelog/#whats-changed_3","title":"What's Changed","text":"Fixed
Full Changelog
"},{"location":"changelog/#v235-november-30-2023","title":"v2.3.5 November 30, 2023","text":""},{"location":"changelog/#whats-changed_4","title":"What's Changed","text":"Fixed
Full Changelog
"},{"location":"changelog/#v234-november-29-2023","title":"v2.3.4 November 29, 2023","text":"A severe bug has been introduced in this version. Please upgarde to v2.3.5.
"},{"location":"changelog/#whats-changed_5","title":"What's Changed","text":"Added
Fixed
\u2757 The layout of the reporting has slightly changed. Custom report templates might not work anymore. You can use https://<server>/case/export?cid=<case_id> to get all the possible fields.
Full Changelog
"},{"location":"changelog/#v233-october-5-2023","title":"v2.3.3 October 5, 2023","text":""},{"location":"changelog/#whats-changed_6","title":"What's Changed","text":"Fixed
@Scriptception made their first contribution in 313
Full Changelog
"},{"location":"changelog/#v232-august-2-2023","title":"v2.3.2 August 2, 2023","text":""},{"location":"changelog/#whats-changed_7","title":"What's Changed","text":"Fixed
Patches a critical issue corrupting files uploaded to the DataStore via the IOC option or when a password is set
Full Changelog
"},{"location":"changelog/#v231-july-23-2023","title":"v2.3.1 July 23, 2023","text":""},{"location":"changelog/#whats-changed_8","title":"What's Changed","text":"Improved
Fixed
Full Changelog
"},{"location":"changelog/#v230-july-09-2023","title":"v2.3.0 July 09, 2023","text":""},{"location":"changelog/#whats-changed_9","title":"What's Changed","text":"Added
Fixed
Full Changelog
"},{"location":"changelog/#v223-june-19-2023","title":"v2.2.3 June 19, 2023","text":""},{"location":"changelog/#whats-changed_10","title":"What's Changed","text":"Added
Fixed
Full Changelog
"},{"location":"changelog/#v222-may-30-2023","title":"v2.2.2 May 30, 2023","text":""},{"location":"changelog/#whats-changed_11","title":"What's Changed","text":"Added
Fixed - Delete character escaping for passwords by @juadde in #253 - Case template of tasks without tags - Shortening of case names during updates - Bad handling of certain requests without CID - Deletion of assets related to alerts once merge into a case
Full Changelog
"},{"location":"changelog/#v221-may-24-2023","title":"v2.2.1 May 24, 2023","text":""},{"location":"changelog/#whats-changed_12","title":"What's Changed","text":"Note 1: This version contains a security fix for iris-web (see CVE-2023-30615) Note 2: on_postload_case_info_update hook has been renamed to on_postload_case_update
Added
Fixed
Full Changelog
"},{"location":"changelog/#v220-may-22-2023","title":"v2.2.0 May 22, 2023","text":""},{"location":"changelog/#whats-changed_13","title":"What's Changed","text":"Added
Fixes
New Contributors
Full Changelog
"},{"location":"changelog/#v210-may-15-2023","title":"v2.1.0 May 15, 2023","text":"If you are using custom SSL certificates, please read the upgrade instructions when upgrading from previous versions.
"},{"location":"changelog/#whats-changed_14","title":"What's Changed","text":"Added
Fixed
New Contributors
Full Changelog
"},{"location":"changelog/#v202-april-18-2023","title":"v2.0.2 April 18, 2023","text":""},{"location":"changelog/#whats-changed_15","title":"What's Changed","text":"Fixed * Update case_notes_db.py for bug fix #200 by @LoneWolf-96 in #208 * Do not escape_filter_chars for NTLM username by @juadde in #212 * docker-compose cleanup by @juadde in #213 * Listening port not being propagated in nginx docker
New Contributors * @LoneWolf-96 made their first contribution in #208 * @juadde made their first contribution in #212
Full Changelog
"},{"location":"changelog/#v201-april-05-2023","title":"v2.0.1 April 05, 2023","text":""},{"location":"changelog/#whats-changed_16","title":"What's Changed","text":"Fixed [FIX] Additional table header in case management breaking proper loading of data in #206
Full Changelog
"},{"location":"changelog/#v200-march-26-2023","title":"v2.0.0 March 26, 2023","text":""},{"location":"changelog/#whats-changed_17","title":"What's Changed","text":"In addition to the features listed below, we are changing the way we are issuing releases. From now on, IRIS follows the Semantic Versioning 2.0 guidelines. The code ready for production is always tagged with a version number. alpha and beta versions are not production-ready.
Do not use the master branch in production.
A website with the current development version is also provided and freely accessible. It serves as a beta before public releases.
Added
Improved
Fixed
Full Changelog
"},{"location":"changelog/#v145-june-9-2022","title":"v1.4.5 June 9, 2022","text":"What's Changed
Full Changelog
Notes: Changes are made to the Nginx docker to allow upload of big files, hence specific upgrades are needed and auto-updates is not yet supported for this version. Please see the upgrades instruction for more details.
"},{"location":"changelog/#v144-may-18-2022","title":"v1.4.4 May 18, 2022","text":"What's Changed
Full Changelog
"},{"location":"changelog/#v143-may-13-2022","title":"v1.4.3 May 13, 2022","text":"What's changed
Full Changelog
"},{"location":"changelog/#v142-april-22-2022","title":"v1.4.2 April 22, 2022","text":"Improvements :
Fixes :
A bug fixe exists for this version. See v1.4.3
You can directly contact us, should you need direct support, a demo, further information or anything else related to the project.
contact@dfir-iris.org
Discord
IRIS uses dozen of OS modules and this list is not exhaustive. If you developped something which is used in IRIS and does not figures here, you can contact us.
The most straightforward and recommended way to use IRIS is with Docker. This is presented here.
Disclaimer
IRIS is in its early stage. It can already be used in production, but please set backups of the database and DO NOT expose the interface on the Internet. We highly recommended the use of a private dedicated and secured network.
"},{"location":"getting_started/#pre-requisites","title":"Pre-requisites","text":""},{"location":"getting_started/#hardware","title":"Hardware","text":"IRIS does not require a lot of resources, and it can be run on a small laptop (4 cores, 8Gb of RAM). However, for large a organization and heavy usage, it will need to be significantly scaled up. We don't have benchmarks yet, but keep in mind that the database can grow rapidly and modules can require more resources depending on their purposes.
"},{"location":"getting_started/#docker","title":"Docker","text":"Docker and docker compose are needed to build and run the project. Depending on the OS you will find all the information to install them on the official website of Docker.
The platform is officially supported on most Linux and MacOS. While it should work on Windows, some path needed by the containers to store permanent files might need to be changed in the dockerfiles.
"},{"location":"getting_started/#versioning","title":"Versioning","text":"Starting from version 2.0.0, Iris is following the Semantic Versioning 2.0 guidelines. The code ready for production is always tagged with a version number. alpha and beta versions are not production-ready.
Do not use the master branch in production.
To build and run IRIS, follow these steps:
Clone the iris-web repository:
git clone https://github.com/dfir-iris/iris-web.git\ncd iris-web\nCheck out the latest non-beta tagged version:
git checkout v2.4.7\nCopy the environment file
cp .env.model .env\nWarning
The default configuration is suitable for testing only. To configure IRIS for production, see the configuration section.
Build the Docker containers:
docker-compose build\nStart IRIS:
docker-compose up\nIRIS should now be available on the host interface, port 443, using HTTPS protocol by default. You can access it by navigating to https://hostip in your web browser.
By default, an administrator account is created when IRIS is started for the first time. The password is printed in the console output. You can search for WARNING :: post_init :: create_safe_admin :: >>> in the logs to find the password. Running docker compose logs app | grep 'admin' should help to find it.
If you want to define an admin password at the first start, you can create and define the environment variable IRIS_ADM_PASSWORD in the .env. This has no effect once the administrator account is created.
Note that IRIS is split into five Docker services, each with a different role:
app - iris_webapp: The core, including web server, database management, module management, etc.db: A PostgreSQL databaseRabbitMQ: A RabbitMQ engine to handle job queuing and processingworker: A job handler relying on RabbitMQnginx: A NGINX reverse proxyEach service can be built independently, which is useful when developing. In this QuickStart, all services are built at once.
"},{"location":"getting_started/#additional-configuration","title":"Additional configuration","text":"Please see configuration for more details.
"},{"location":"getting_started/#kubernetes","title":"Kubernetes","text":"For enterprises wishing to run their instance of IRIS, utilizing the projects official Helm charts and/or Kustomize manifests, allows them to significantly enhance their deployment and management, presenting a powerful solution to streamline their IRIS deployment and management processes, efficiently running across a cluster of machines, ensuring high availability and seamless scaling as demand fluctuates.
The deploy directory in the iris-web GitHub repository provides a practical starting point for deploying IRIS on their preferred managed k8s platform. We've created two variants: eks and gke, feel free to customize each with your own values.
For more details, please visit the deploy directory on GitHub: deploy
"},{"location":"resources/","title":"Resources","text":"This page is a collection of external resources to help you get started with IRIS and integrate it into your workflow. Please note that some of these resources may be outdated. If you want to add your own resources, please open a pull request or contact us.
"},{"location":"resources/#blog-posts","title":"Blog posts","text":"Note of 25-05-2023
IRIS is growing both in code and interestes. To future-proof the project, we have decided to pause the development of new features and focus on the core functionalities and stability for a while. This includes a major refactoring of the codebase. We will still fix bugs and security issues.
We do not provide a long-term roadmap to prevent any frustration and unmet expectations. It is constantly evolving with feedbacks we receive.
We've thus moved it within a Github project. You can check it here.
"},{"location":"security-advisories/","title":"Security Advisories","text":"This page lists all security advisories that have been published for the code released by DFIR-IRIS.
"},{"location":"security-advisories/#cve-2023-50712-dec-18-2023","title":"CVE-2023-50712 Dec 18, 2023","text":"CVE ID Github ID Severity Impacted product CVE-2023-30615 GHSA-593r-747g-p92p Moderate - CVSS3 4.6/10 iris-web"},{"location":"security-advisories/#description","title":"Description","text":"A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.3.7. The vulnerability may allow an attacker to inject malicious scripts into the application, which could then be executed when a user visits the affected locations. This could lead to unauthorized access, data theft, or other related malicious activities.
An attacker need to be authenticated on the application to exploit this vulnerability.
"},{"location":"security-advisories/#affected-versions","title":"Affected versions","text":"iris-web < 2.3.7iris-web >= 2.3.7No workaround is available.
"},{"location":"security-advisories/#acknowledgment","title":"Acknowledgment","text":"Thanks to Leonard Rapp (G DATA Advanced Analytics GmbH) for the responsible disclosure.
"},{"location":"security-advisories/#cve-2023-30615-may-24-2023","title":"CVE-2023-30615 May 24, 2023","text":"CVE ID Github ID Severity Impacted product CVE-2023-30615 GHSA-gc6j-6276-2m49 Moderate - CVSS3 4.6/10 iris-web"},{"location":"security-advisories/#description_1","title":"Description","text":"A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.2.1. The vulnerability allows an attacker to inject malicious scripts into the application, which are then executed when a user visits the affected locations. This can lead to unauthorized access, data theft, or other related malicious activities.
An attacker need to be authenticated on the application to exploit this vulnerability.
"},{"location":"security-advisories/#affected-versions_1","title":"Affected versions","text":"iris-web < 2.2.1iris-web > 2.0.0 and < 2.2.1 while not using the alerting feature are not impacted.iris-web >= 2.2.1No workaround is available.
"},{"location":"support/","title":"Getting support","text":"We understand the importance of having robust support and training to maximize the effectiveness of our tools in your IR efforts. Here's how we can assist:
We're flexible and can accommodate needs through our OpenCollective page.
Please get in touch with us at contact@dfir-iris.org for further details.
"},{"location":"support_us/","title":"Support us","text":"As a free and open source project, we rely on the support of our community to continue development and improve our platform. If you find the platform useful and would like to help us sustain and grow, you may consider supporting us financially through OpenCollective.
Support us
"},{"location":"zqa/","title":"Q & A","text":""},{"location":"zqa/#general-questions","title":"General questions","text":""},{"location":"zqa/#which-version-should-i-install","title":"Which version should I install?","text":"The master branch is stable as all the development is done under the develop branch and merged once ready. To ease the identification, each new version is tagged and a new release is published. We recommend using these. git checkout <tagged_version>
Yes, IRIS is under heavy development. We are adding more and more features, led by feedbacks from the community.
"},{"location":"zqa/#what-is-the-future-of-the-project","title":"What is the future of the project?","text":"We aim to make it evolve as much as possible with the help of the community. We have long term goals to integrate it seamlessly with project like MISP and other OS project, but we don't provide any commitment on how and when to avoid any unmet expectations. For a short term roadmap, you can head to the Github project.
"},{"location":"zqa/#how-can-i-contact-the-dfir-iris-team","title":"How can I contact the DFIR-IRIS team?","text":"You can reach us on discord, Twitter or by email.
"},{"location":"zqa/#cases","title":"Cases","text":""},{"location":"zqa/#can-i-recover-a-deleted-case","title":"Can I recover a deleted case?","text":"No. Cases are deleted from the database and changes are committed. There is no coming back unless you have made backups of the database (which we recommend).
"},{"location":"zqa/#can-i-recover-a-deleted-case-object","title":"Can I recover a deleted case object?","text":"No. Every object such as IOCs, assets, events, notes, etc are immediately deleted from the database and changes are committed.
"},{"location":"zqa/#can-i-add-a-new-asset-type","title":"Can I add a new asset type?","text":"Yes. With a user that have administrative rights, go to Advanced > Case Objects.
Yes. Starting from v1.3.0, IOC types can be manipulated. Head to Advanced > Case Objects
Yes. Starting from v1.4.0, all case objects can be extended thanks to custom attributes. With a user that have administrative rights, go to Advanced > Custom Attributes.
Not for now. The searches in each case objects page are done client-side, and the attributes are not fetched. We will however implement a server side search in next releases.
"},{"location":"zqa/#can-i-create-two-cases-with-the-same-name-for-the-same-customer","title":"Can I create two cases with the same name for the same customer?","text":"Yes. Cases are identified with a unique number, so they can have the same name.
"},{"location":"zqa/#can-i-restrict-the-view-of-case-to-a-set-of-users","title":"Can I restrict the view of case to a set of users?","text":"Yes it is since v2.0.0. See Access control.
"},{"location":"zqa/#can-i-change-the-name-or-customer-of-an-existing-case","title":"Can I change the name or customer of an existing case?","text":"Yes it is since v2.0.0.
"},{"location":"zqa/#operations","title":"Operations","text":""},{"location":"zqa/#what-is-the-password-policy-can-it-be-changed","title":"What is the password policy? Can it be changed?","text":"Before v1.4.5, the password policy is hardcoded and cannot be changed. It should be 12 characters minimum and contains a capital letter and a number.
"},{"location":"zqa/#can-i-change-my-profile-picture","title":"Can I change my profile picture?","text":"No, not for now. This wasn't a priority for us, it will be released in future versions.
"},{"location":"zqa/#i-lost-the-administrator-password-can-i-recover-it","title":"I lost the administrator password, can I recover it?","text":"Passwords are hashed so they can't be recovered. But you can change it. Please see changing a lost password.
"},{"location":"zqa/#can-i-delete-a-user","title":"Can I delete a user?","text":"No. To keep consistencies in the database, users unfortunately cannot be deleted if they have done some activities. You can however disable them to prevent them appearing in the UI and connecting to the plafeform.
"},{"location":"zqa/#can-i-delete-a-customer","title":"Can I delete a customer?","text":"No. To keep consistencies in the database, customers unfortunately cannot be deleted if they are linked to cases.
"},{"location":"zqa/#can-i-prevent-backrefs-of-assets-and-iocs","title":"Can I prevent backrefs of assets and IOCs?","text":"No. It might be possible in future versions but for now it is better to spin up a new instance for restricted cases. The backref is however automatically disabled for performance reasons, for cases with more than 300 assets. We are working on a more efficient way to backref.
"},{"location":"zqa/#my-report-template-is-not-generated-and-generates-an-error","title":"My report template is not generated and generates an error","text":"Please triple check typos in tags as there is no fault tolerance. You can reach us in case of troubles.
"},{"location":"zqa/#integration","title":"Integration","text":""},{"location":"zqa/#can-i-enrich-iocs-with-external-sources","title":"Can I enrich IOCs with external sources?","text":"Starting from v1.4.0, it is now possible to easily develop module to enrich case objects. A module Iris VT and IRIS MISP are already provided.
"},{"location":"zqa/#is-there-an-api-client","title":"Is there an API client?","text":"Yes, you can find it on our Github.
"},{"location":"zqa/#security","title":"Security","text":""},{"location":"zqa/#can-i-restrict-cases","title":"Can I restrict cases?","text":"Yes it is since v2.0.0. See Access control.
"},{"location":"zqa/#can-i-expose-iris-on-the-internet","title":"Can I expose IRIS on the Internet?","text":"NO! Please don't. This platform should only be accessible in a restricted environment.
"},{"location":"zqa/#i-found-a-security-issue-can-i-have-a-bounty","title":"I found a security issue, can I have a bounty?","text":"No - IRIS is free and open source so there is no bounty. Please report it as soon as possible so we can fix it.
"},{"location":"zqa/#misc","title":"MISC","text":""},{"location":"zqa/#what-does-iris-stand-for","title":"What does IRIS stand for?","text":"Originally Incident Response Investigation System. But it can be whatever you want really.
"},{"location":"development/","title":"Development","text":"This section is under construction and more elements will be added over time
This documentation is not a detailed how-to develop IRIS. It gives some insights to help understand the basic code of the project and how to contribute.
"},{"location":"development/#general-repositories-conventions","title":"General repositories conventions","text":""},{"location":"development/#branches","title":"Branches","text":"We are using the Gitflow Workflow to manage our git branches. In a nutshell :
master contains only \"production-ready\" codedevelop contains the major development code. When ready it is tagged and merged into masterdevelop contains either : new_featureiXX_issue_title, with XX being the issue number The commits convention is the following :
[action] Commit message is used, with action being a 3 letters action related to the commit, eg ADDfor additions, DEL for deletions, IMP for improvements, etc.[#issue_id][action] Commit message The following sections are available in this documentation :
IRIS does not defines a separate API for users, meaning the HTML pages are actually using the API themselves. Routes don't need to handle the authentication and roles. These are handles by wrappers (see snippets below).
"},{"location":"development/code-tips/#page-route","title":"Page route","text":"A page returns an HTML content and should use the following code structure : Example of page route
@blueprint.route('/a/good/route', methods=['GET']) # (1)\n@login_required # (2)\ndef view_a_good_route(caseid, url_redir): # (3)\nif url_redir:\nreturn redirect(url_for('bluprintname.method_name', cid=caseid)) # (4)\n# route code \nreturn render_template(\"a_good_route.html\", variable_1=var_1, ...) # (5)\n@login_required is used for users page and @admin_login_required is used for admin restricted pages. caseid and url_redir are variable provided by @login_required and @admin_login_required wraps. caseid indicates which case ID the user tried to access the route with. url_redir indicates the caseid provided wasn't valid and a redirection is needed. variable_1 is a value that can be accessed from within the template itself. More variables can be added, or not at all. An API route returns a JSON content. Two types are pre-defined and should be used : Standard API returns
response_success(msg=\"A success message\", data=<data associated with the success feedback>)\nresponse_error(msg=\"An error message\", data=<data associated with the error feedback>, status=<status code, by default 400>)\nBelow is an example of standard API route. Example of page route
@blueprint.route('/a/good/api_route', methods=['GET']) # (1)\n@api_login_required # (2)\ndef view_a_good_route(caseid): # (3)\n# API route code \nreturn response_success(\"ok\", data=my_data_object) # (4)\n@api_login_required is used for users API endpoints and @api_admin_required is used for admin restricted endpoints. caseid is provided @api_login_required and @api_admin_required wraps. It indicates which case ID the user tried to access the endpoint with. In case a DB migration is needed, you need to provide an alembic migration script.
Test your migration
Please try out your migration as this is an important piece of the upgrades. Spin up an old version of IRIS, input some data and then try to start your new version. Ensure that everything is migrated as expected.
In a terminal and from within the IRIS virtual env :
source alembic -c app/alembic.ini revision -m \"A few words to describe your changes\" This creates a new revision file source > app > alembic > versions. It's a Python file that basically describes what needs to be updated DB-wise. You can take example from the ones we already have generated in the same folder.
Hint
During your tests you might face the issue that Alembic does not apply your changes after you executed it once. It's because it keeps tracks of the latest applied revision in a table alembic_version. It doesn't know you changed the revision file. In that case the trick is to connect to the DB, and then delete the entry in the alembic_version. This will force it to reapply all revisions at startup. If you're using the DB docker you can use the following:
docker exec -it <db_container_id> /bin/sh su postgrespsql\\c iris_db; DELETE FROM alembic_version; It follows an issue raised on the Github of the project.
It recommends the use of a hybrid development environment, as most of the time only the web-app needs to be changed:
For the webapp configuration, a specific .ini need to be created.
config.priv.ini in source/app by copying the config.docker.inipresent in the same directory. PG_SERVER = db to PG_SERVER = 127.0.0.1 or whatever IP is the Postgresql/docker running withThat's the only configuration change needed for the app to run outside docker. The docker.priv.ini is already excluded in gitignore.
Then Pycharm need to be setup with a dedicated environment, by adding a new configuration:
source/run.pysourceTo have pylint, right click on source in the directory tree and mark directory as > sources root. The requirements then need to be installed. Pycharm should detect the requirements.txt and propose to install the dependencies. Otherwise they can be installed with the following command (issued in the virtual environment) : pip3 install -r source\\requirements.txt
docker-compose up dbIRIS can now be developed and debugged on the fly.
"},{"location":"development/environment/#tests-in-docker","title":"Tests in docker","text":"Once the code is working by running on Pycharm, we highly recommend testing it on Docker. To do so, the app docker need to be erased and rebuilt.
docker-compose rm appdocker-compose build appdocker-compose up db appDevelopment considerations If the development results in DB modification, please use Alembic and add a migration script so users don't loose their data when they upgrade.
"},{"location":"development/hooks/","title":"Hooks","text":"Introduced in IRIS v1.4.0
Hooks are a mean for modules to react on specific events that occurs on IRIS. By subscribing to a hook, a module is automatically notified when the associated event occurs. This offers a multitude of possibilities, from adding insight to IRIS objects, to pushing information to another platform or even changing how IRIS works.
"},{"location":"development/hooks/#types","title":"Types","text":"There are 3 types of hooks.
On preload: Triggered before an object is processed and committed to database. It is triggered right after a request is received, and the data associated with the hook is usually the request content itself. In most of the cases, modules should not subscribe to these hooks. On postload: Triggered after an object is processed and committed to database. It is triggered after IRIS processed the request and the data associated with the hook is usually a list of SqlAlchemy objects (such as IOC, Assets, etc). Manual: Triggered by manual action of a user. When a module subscribes to these hooks, it needs to provide a \"menu option name\" which will be displayed to users. When they click this option, the associated hook is triggered for this module only. Multiple manual hooks can be registered for one module. Danger
on_preload hooks must run synchronously, i.e not queued in RabbitMQ. This effectively blocks the current user request until the module finishes the processing. We highly recommend to only use on_postload hooks for a better user experience. These hooks are transparent for users and rely on already verified and committed data. Handling on_preload hooks implies the received data is unsafe - directly coming from remote clients - and the module needs to process the data as fast as possible.
Two methods are provided by IrisModuleInterface to subscribe and unsubscribe to hooks.
def register_to_hook(module_id: int, \niris_hook_name: str, \nmanual_hook_name: str = None, \nrun_asynchronously: bool = True)\ndef deregister_from_hook(module_id: int, \niris_hook_name: str)\nThe registration method expects the following arguments:
module_id: The ID of the calling module. This information is given by IRIS when the register_hooks method is called. iris_hook_name: The name of the hook to which subscribe. This must be one of the hook listed in the section below. manual_hook_name: The name of the UI menu that is provided to users if the registration concerns a manual hook. If nothing is provided, IRIS will create a name composed as follows: <module_name>::<hook_name>. This value is ignored if the signal is not manual. run_asynchronously: Set to True (default) to run the module in a RabbitMQ task upon hook triggering. If set to False, the module is called immediately, which have for effect to effectively block the current user request until the module finishes. This is the behavior to use for on_preload hooks. However, we strongly recommend the use of on_postload hooks to prevent any unwanted (see warning section above). The deregistration method expects the following arguments:
module_id: The ID of the calling module. This information is given by IRIS when the register_hooks methods is called. iris_hook_name: The name of the hook to which unsubscribe. If the module is not subscribed to the specified hook the function returns without errors. Please see the modules documentation for more details on how to implement these methods.
"},{"location":"development/hooks/#available-hooks","title":"Available hooks","text":"The following hooks are natively available for subscription.
Hook name Description on_preload_case_create Triggered on case creation, before commit in DB on_postload_case_create Triggered on case creation, after commit in DB on_preload_case_delete Triggered on case deletion, before commit in DB on_postload_case_delete Triggered on case deletion, after commit in DB on_postload_case_update Triggered on case update, before commit in DB on_manual_trigger_case Triggered upon user action on_postload_alert_create Triggered on alert creation, after commit in DB on_postload_alert_update Triggered on alert update, after commit in DB on_postload_alert_delete Triggered on alert deletion, after commit in DB on_postload_alert_escalate Triggered on alert escalation, after commit in DB on_postload_alert_merge Triggered on alert merge, after commit in DB on_postload_alert_unmerge Triggered on alert unmerge, after commit in DB on_preload_asset_create Triggered on asset creation, before commit in DB on_postload_asset_create Triggered on asset creation, after commit in DB on_preload_asset_update Triggered on asset update, before commit in DB on_postload_asset_update Triggered on asset update, after commit in DB on_preload_asset_delete Triggered on asset deletion, before commit in DB on_postload_asset_delete Triggered on asset deletion, after commit in DB on_manual_trigger_asset Triggered upon user action on_preload_note_create Triggered on note creation, before commit in DB on_postload_note_create Triggered on note creation, after commit in DB on_preload_note_update Triggered on note update, before commit in DB on_postload_note_update Triggered on note update, after commit in DB on_preload_note_delete Triggered on note deletion, before commit in DB on_postload_note_delete Triggered on note deletion, after commit in DB on_manual_trigger_note Triggered upon user action on_preload_ioc_create Triggered on ioc creation, before commit in DB on_postload_ioc_create Triggered on ioc creation, after commit in DB on_preload_ioc_update Triggered on ioc update, before commit in DB on_postload_ioc_update Triggered on ioc update, after commit in DB on_preload_ioc_delete Triggered on ioc deletion, before commit in DB on_postload_ioc_delete Triggered on ioc deletion, after commit in DB on_manual_trigger_ioc Triggered upon user action on_preload_event_create Triggered on event creation, before commit in DB on_preload_event_duplicate Triggered on event duplication, before commit in DB. This event only received the event ID which will be duplicated on_postload_event_create Triggered on event creation, after commit in DB on_preload_event_update Triggered on event update, before commit in DB on_postload_event_update Triggered on event update, after commit in DB on_preload_event_delete Triggered on event deletion, before commit in DB on_postload_event_delete Triggered on event deletion, after commit in DB on_manual_trigger_event Triggered upon user action on_preload_evidence_create Triggered on evidence creation, before commit in DB on_postload_evidence_create Triggered on evidence creation, after commit in DB on_preload_evidence_update Triggered on evidence update, before commit in DB on_postload_evidence_update Triggered on evidence update, after commit in DB on_preload_evidence_delete Triggered on evidence deletion, before commit in DB on_postload_evidence_delete Triggered on evidence deletion, after commit in DB on_manual_trigger_evidence Triggered upon user action on_preload_task_create Triggered on task creation, before commit in DB on_postload_task_create Triggered on task creation, after commit in DB on_preload_task_update Triggered on task update, before commit in DB on_postload_task_update Triggered on task update, after commit in DB on_preload_task_delete Triggered on task deletion, before commit in DB on_postload_task_delete Triggered on task deletion, after commit in DB on_manual_trigger_task Triggered upon user action on_preload_global_task_create Triggered on global task creation, before commit in DB on_postload_global_task_create Triggered on global task creation, after commit in DB on_preload_global_task_update Triggered on task update, before commit in DB on_postload_global_task_update Triggered on global task update, after commit in DB on_preload_global_task_delete Triggered on task deletion, before commit in DB on_postload_global_task_delete Triggered on global task deletion, after commit in DB on_manual_trigger_global_task Triggered upon user action on_preload_report_create Triggered on report creation, before generation in DB on_postload_report_create Triggered on report creation, before download of the document on_preload_activities_report_create Triggered on activities report creation, before generation in DB on_postload_activities_report_create Triggered on activities report creation, before download of the document on_postload_asset_commented Triggered on asset comment, after commit in DB on_postload_asset_comment_update Triggered on asset comment update, after commit in DB on_postload_asset_comment_delete Triggered on asset comment deletion, after commit in DB on_postload_evidence_commented Triggered on evidence comment, after commit in DB on_postload_evidence_comment_update Triggered on evidence comment update, after commit in DB on_postload_evidence_comment_delete Triggered on evidence comment deletion, after commit in DB on_postload_task_commented Triggered on task comment, after commit in DB on_postload_task_comment_update Triggered on task comment update, after commit in DB on_postload_task_comment_delete Triggered on task comment deletion, after commit in DB on_postload_ioc_commented Triggered on ioc comment, after commit in DB on_postload_ioc_comment_update Triggered on ioc comment update, after commit in DB on_postload_ioc_comment_delete Triggered on ioc comment deletion, after commit in DB on_postload_event_commented Triggered on event comment, after commit in DB on_postload_event_comment_update Triggered on event comment update, after commit in DB on_postload_event_comment_delete Triggered on event comment deletion, after commit in DB on_postload_note_commented Triggered on note comment, after commit in DB on_postload_note_comment_update Triggered on note comment update, after commit in DB on_postload_note_comment_delete Triggered on note comment deletion, after commit in DB on_postload_alert_commented Triggered on alert comment, after commit in DB on_postload_alert_comment_update Triggered on alert comment update, after commit in DB on_postload_alert_comment_delete Triggered on alert comment deletion, after commit in DB"},{"location":"development/structure/","title":"Structure overview","text":""},{"location":"development/structure/#flask","title":"Flask","text":"IRIS uses Flask for the web engine.
"},{"location":"development/structure/#routes-and-blueprints","title":"Routes and blueprints","text":"Each page and API endpoints (eg /login, /dashboard, /case/assets/list, etc) refers to a route in the IRIS Flask app. They define what the application should do when Flask receives a request on an URI. To keep structure in the projects, these routes are grouped by Blueprints. The Blueprints reflects the structure shown in the IRIS UI left menu. For instance there is a case and an activities Blueprint.
The Blueprints and thus routes are defined in source > app > blueprints. All the blueprints are registered in source > app > views.py.
IRIS uses dynamic page templating when an URI is visited. These Jinja2 templates are filled at runtime with the needed information and then returned to the client. Each route offering a page (i.e non-API endpoints) thus relies on a template. These are set in a folder named templates in each Blueprint. For instance, for the dashboard template : source > app > blueprints > dashboard > templates > index.html.
Static content is served from a common folder under source > app > static > assets. It contains CSS, JS and images. These can be accessed by pages using \"/static/assets/<the-resource>\".
For the database management, the application uses SQLAlchemy with a PostgreSQL backend. There is - normally - no need to directly deal with PostgreSQL, everything goes through SQLAlchemy. It provides a Python overlay which allows to talk to the DB with objects.
"},{"location":"development/structure/#models","title":"Models","text":"Each table of the app is defined by a model. These are defined in source > app > model. When IRIS starts, it looks for the already created tables and creates the missing ones if needed. If changes are done on a table or field, then a migration is needed. This is explained in Alembic migrations.
To help structuring the code, we are trying to move the DB code from the routes code. This is partially done and work in progress. If your route requests the DB, please put the DB code in source > app > datamgmt.
To apply schema migration without the need to rebuild the DB, IRIS uses Alembic. It allows to define migration scheme and IRIS calls it when it starts so users can upgrade without too much hassles.
"},{"location":"development/structure/#hooks-modules-and-tasks","title":"Hooks, modules and tasks","text":"Modules are handled via tasks thanks to Celery and RabbitMQ. More info here and here.
"},{"location":"development/structure/#iris-startup","title":"IRIS startup","text":"When starting-up, IRIS initiates a bunch of DB objects, whether it is started for the first time or just restarted. Objects already created are not recreated, but the missing ones are applied. This ensure a smooth migration between versions. These are defined in source > app > post_init.py. The scripts also contains the code that runs th DB migration with Alembic.
A DFIR-IRIS Module (DIM) is a Python package allowing to extend IRIS features. DIMs are not running constantly and are only called following specific actions done by users.
We distinct two types of modules:
Pipeline modules: Allow uploading and processing of evidences through modular pipelines (eg: EVTX parsing and injection into a database or data visualiser). These are called when a user queries Update case and select evidences to process. Processor modules: Allow processing of IRIS data upon predefined actions / hooks. (eg: be notified when a new IOC is created and get VT/MISP insights for it). These are either called automatically upon specific events, or if a user manually triggers them. Except for some triggers for processor modules, all tasks provided by DIMs are run asynchronously in RabbitMQ tasks, so they don't impact the UI.
Both types of DIMs have the same structure, they only differ in their configurations and how they handle the data they receive. For that purpose, every DIM inherit from a common class named IrisModuleInterface - available here - which provides the basic structure and methods of a module.
Hint
To quickly start writing a new module, one can follow these tutorials.
"},{"location":"development/modules/#overview","title":"Overview","text":"Modules are instantiated upon actions (hooks, triggers, user actions) and this occurs each time the said actions occur. It implies the initiation of a module has to be very quick. In most of the case, the __init__ method should not even be overwritten.
They can live either in the worker or the web-app, depending on their type and action they are handling. They can also live in both. This implies multiple instances of the same module can run at the same time.
The graph below shows two modules of different types running in the worker and interacting with external elements.
Modules don't have to handle the task creations or resource locks. This is handled by IRIS. They just need to process the data they received and return results in a predefined manner.
"},{"location":"development/modules/#common-structure","title":"Common structure","text":"The section below describes the common structure of modules.
"},{"location":"development/modules/#directory-structure","title":"Directory structure","text":"setup.py # Setup configuration to build the module \nREADME.md # README \niris_example_name # Name of the package \n __init__.py # Declaration of the package and main class\n IrisExampleConfig.py # Configuration of the module to help keep the main file clean \n IrisExampleInterface.py # Main class of the module \n module_helper # Sub module containing the helper functions of the module \n helper.py # for instance access to ext resource, manipulation of data \n helper2.py # etc. \nIris loads the modules dynamically. To do so, it needs to know the name of the main class of the module and relies on __init__.py to find this information.
__iris_module_interface = \"IrisEXAMPLEInterface\"\nWhere IrisEXAMPLEInterface is the main class of the module and inherits of the base class IrisModuleInterface.
Caution
Failing to provide the main class in __init__.py or having the main class inherit from IrisModuleInterface will make IRIS fail each time it attempts to load the module.
Iris needs to know what the module is doing and what services it is providing. This is done via the attributes of the main class (let's say IrisEXAMPLEInterface). The attributes are :
_module_name : string - \"human\" name presented to users. _interface_version : float - version of IrisModuleInterface used. If the version is not supported, the server will refuse to register the module. _module_version : float - version of the module itself to help users keep tracks of evolutions. _module_type: string - Type of module. The available modules types are listed in IrisModuleInterface.IrisModuleTypes_pipeline_support : bool - should be set to True if it implements a pipeline process (aka module of type pipeline_module)._pipeline_info : dict - contains the configuration of the pipeline. The following structure must be followed:pipeline_info = {\n# Name of the pipeline used for internal tracking. This \n# must be unique among all modules so pick something really unique \n\"pipeline_internal_name\": \"example_pipeline\",\n# The name of the pipeline presented to the user. Use something \n# that will help the users to identify the right pipeline\n\"pipeline_human_name\": \"Example Pipeline\",\n# Arguments presented to the users when they select the pipeline\n\"pipeline_args\": [\n['some_index', 'required'],\n['example_argument', 'optional']\n]\n}\n_module_configuration : A list of dict. The list contains each field needed by the module. This list is shown in the Iris webpage of the module configuration. Each field in an entry is mandatory. _module_configuration = [\n{\n\"param_name\": \"vt_api_key\",\n\"param_human_name\": \"VT API Key\",\n\"param_description\": \"Virus total API key\",\n\"default\": None,\n\"mandatory\": True,\n\"type\": \"sensitive_string\"\n},\n{\n\"param_name\": \"vt_key_is_premium\",\n\"param_human_name\": \"VT Key is premium\",\n\"param_description\": \"Set to True if the VT key is premium\",\n\"default\": False,\n\"mandatory\": True,\n\"type\": \"bool\"\n},\n{\n\"param_name\": \"vt_ip_assign_asn_as_tag\",\n\"param_human_name\": \"Assign ASN tag to IP\",\n\"param_description\": \"Assign a new tag to IOC IPs with the ASN fetched from VT\",\n\"default\": True,\n\"mandatory\": True,\n\"type\": \"bool\"\n}\n]\nThe above example results in the following.
"},{"location":"development/modules/quick_start/processor/","title":"Processor modules","text":"In this tutorial, we demonstrate the steps to write a basic processor module which subscribes to a hook, and log what it receives when the hook is triggered. We will also add a configuration setting to offer our users the ability disable this feature.
We'll call it IrisDummyModule.
As described in the development module main page, the module should have the following structure.
setup.py # Setup configuration to build the module \nREADME.md # README \niris_dummy_module # Name of the package \n__init__.py # Declaration of the package and main class\nIrisDummyConfig.py # Configuration of the module to help keep the main file clean \nIrisDummyModule.py # Main class of the module \nWhile the module could have only one main file IrisDummyModule.py, we recommend splitting its configuration into a new configuration file (here IrisDummyConfig.py) to keep the code clear.
There is no mandatory naming convention for the files or the class or the methods. We chose this one to keep things clear, and we recommend following the same. But it's up to you really.
We will walk over these files one by one during this tutorial.
"},{"location":"development/modules/quick_start/processor/#creating-the-interface","title":"Creating the interface","text":"The interface is the code that talks with IRIS. It implements methods that call and are called by the server. It needs to inherit IrisModuleInterface class from the IrisModuleInterface package. This module handles most of the methods needed by IRIS to recognize, set up and call the module. By inheriting this class in our interface, we avoid writing that part ourselves.
Let's write our basic interface class. The name of the file has to be the name of the main class, that's the only constraint. We'll see later on why.
iris_dummy_module/IrisDummyModule.py#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\npass \nThat's it! Actually this class is not doing anything right now. We'll need to add a few methods to register our hook later.
But first we need to indicate to IRIS what is our main interface class. Remember, there is no convention restriction, so IRIS has no way to know which class it should instantiate to call our module.
To do so, we need to set a specific variable in our __init__.py.
# Set the __iris_module_interface variable to the name of our main class. \n# When IRIS instantiates the python module, it looks for \"module.__iris_module_interface\"\n# And then tries to instantiate the class \"__iris_module_interface.__iris_module_interface\", here 'IrisDummyModule.IrisDummyModule'. \n# That's why the python file must have the same name as the class. \n__iris_module_interface = \"IrisDummyModule\"\nOur module is now recognizable by IRIS Pretty simple right?
"},{"location":"development/modules/quick_start/processor/#writing-the-configuration","title":"Writing the configuration","text":"The next step is to describe what the module is doing, its name, its configuration, etc. This is done by overwriting predefined variables of the IrisModuleInterface class.
Let's create our Python configuration file and go through each variables.
iris_dummy_module/IrisDummyConfig.py# Import the module types list, so we can indicate the type of our module \nfrom iris_interface.IrisModuleInterface import IrisModuleTypes \n# Human name displayed in the GUI Manage > Modules. This can be anything, \n# but try to put something meaningful, so users recognize your module. \nmodule_name = \"IrisDummy\"\n# Description displayed when editing the module configuration in the UI. \n# This can be anything, \nmodule_description = \"Provides a dummy module that replies to one hook\"\n# Set the interface version used. This needs to be the version of \n# the IrisModuleInterface package. This version is check by the server to\n# to ensure our module can run on this specific server \ninterface_version = 1.1\n# The version of the module itself, it can be anything \nmodule_version = 1.0\n# The type of the module, here processor \nmodule_type = IrisModuleTypes.module_processor\n# Our module is a processor type, so it doesn't offer any pipeline \npipeline_support = False\n# Provide no pipeline information as our module don't implement any \npipeline_info = {}\n# The configuration of the module that will be displayed and configurable \n# by administrators on the UI. This describes every parameter that can \n# be set. \nmodule_configuration = [\n{\n\"param_name\": \"log_received_hook\",\n\"param_human_name\": \"Log received hook\",\n\"param_description\": \"Logs a message upon hook receiving if set to true. Otherwise do nothing.\",\n\"default\": True,\n\"mandatory\": True,\n\"type\": \"bool\"\n}\n]\nThe module configuration parameters are the following :
param_name : The internal parameter name. This will be used by the module itself to fetch the value when needed.param_human_name : The name displayed on the UI for this specific parameterparam_description: A description explaining what this parameter is doing to help administratorsdefault: The default value of our parameter. Here we set to True, so after install our module is already configured and ready to log the hook. mandatory: Indicates whether the parameter is mandatory or not. If set to True and no value is provided (either by admin or by default), the module is automatically disabled by IRIStype: The type of parameter. Here a boolean, which will be rendered under the form of a checkbox. A module can have as many parameters as it needs.
We now need to update our main class to set this configuration.
iris_dummy_module/IrisDummyModule.py#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\n# Set the configuration\n_module_name = interface_conf.module_name\n_module_description = interface_conf.module_description\n_interface_version = interface_conf.interface_version\n_module_version = interface_conf.module_version\n_pipeline_support = interface_conf.pipeline_support\n_pipeline_info = interface_conf.pipeline_info\n_module_configuration = interface_conf.module_configuration\n_module_type = interface_conf.module_type\npass \nDone! The module is now providing enough information to IRIS, so it knows exactly what our module do and what needs to be called to run it.
However, our module is still doing nothing. Let's make it subscribe to an IRIS hook.
"},{"location":"development/modules/quick_start/processor/#subscribing-to-a-hook","title":"Subscribing to a hook","text":"Hooks allow to be notified by IRIS when a specific event occurs (IOC creation, deletion, etc). For a comprehensive description of hooks, please see the Hooks section of this documentation.
The registration (or subscription) to a hook occurs at two moments during the life of a module:
These registration/deregistration events are triggered by IRIS, and are propagated to modules through the IrisModuleInterface method register_hooks [ref].
To register to a hook, we need to override this method and register our hook within this method. To do so, IrisModuleInterface offers us another method register_to_hook [ref], which we can call for each hook we want to subscribe.
Here is a summary of the events:
register_hooks of our module. This indicates it is time for us to register our hooks. register_to_hook for each hook we want to subscribeLet's add this to our main class and register to the on_postload_ioc_create. This will notify use each time a new IOC is created and committed to the database.
#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\n# Set the configuration\n_module_name = interface_conf.module_name\n_module_description = interface_conf.module_description\n_interface_version = interface_conf.interface_version\n_module_version = interface_conf.module_version\n_pipeline_support = interface_conf.pipeline_support\n_pipeline_info = interface_conf.pipeline_info\n_module_configuration = interface_conf.module_configuration\n_module_type = interface_conf.module_type\ndef register_hooks(self, module_id: int):\n\"\"\"\n Called by IRIS indicating it's time to register hooks. \n :param module_id: Module ID provided by IRIS.\n \"\"\"\n# Call the hook registration method. We need to pass the \n# the module_id to this method, otherwise IRIS won't know \n# to whom associate the hook. \n# The hook name needs to be a well known hook name by IRIS. \nstatus = self.register_to_hook(module_id, iris_hook_name='on_postload_ioc_create')\nif status.is_failure():\n# If we have a failure, log something out \nself.log.error(status.get_message())\nelse:\n# Log that we successfully registered to the hook \nself.log.info(f\"Successfully subscribed to on_postload_ioc_create hook\")\nThat's it! Our module has now officially subscribed to a hook and will be notified each time an IOC is created.
So how the module is notified? Once again this is done by a method named hooks_handler [ref] that IrisModuleInterface provides, and we need to overwrite.
This method is called each time one of the event associated to the hook we subscribed is triggered. It provides the name of the hook and as well as the data associated to it. By overwriting this method, we can process the hook and the data!
We will add a condition in this method, that is if the administrator sets the module parameter log_received_hook to False, then the module won't log anything and simply return the data.
Hint
The current configuration of the module can be accessed with the attribute self._dict_conf.
#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\n# Set the configuration\n_module_name = interface_conf.module_name\n_module_description = interface_conf.module_description\n_interface_version = interface_conf.interface_version\n_module_version = interface_conf.module_version\n_pipeline_support = interface_conf.pipeline_support\n_pipeline_info = interface_conf.pipeline_info\n_module_configuration = interface_conf.module_configuration\n_module_type = interface_conf.module_type\ndef register_hooks(self, module_id: int):\n\"\"\"\n Called by IRIS indicating it's time to register hooks. \n :param module_id: Module ID provided by IRIS.\n \"\"\"\n# Call the hook registration method. We need to pass the \n# the module_id to this method, otherwise IRIS won't know \n# to whom associate the hook. \n# The hook name needs to be a well known hook name by IRIS. \nstatus = self.register_to_hook(module_id, iris_hook_name='on_postload_ioc_create')\nif status.is_failure():\n# If we have a failure, log something out \nself.log.error(status.get_message())\nelse:\n# Log that we successfully registered to the hook \nself.log.info(f\"Successfully subscribed to on_postload_ioc_create hook\")\ndef hooks_handler(self, hook_name: str, data):\n\"\"\"\n Called by IRIS each time one of our hook is triggered. \n \"\"\"\n# read the current configuration and only log the call if \n# our parameter is set to true \nif self._dict_conf.get('log_received_hook') is True:\nself.log.info(f'Received {hook_name}')\nself.log.info(f'Received data of type {type(data)}')\n# Return a standardized message to IRIS saying that everything is ok. \n# logs=list(self.message_queue) is needed, so the users can see the logs \n# our module generated during its execution. \nreturn InterfaceStatus.I2Success(data=data, logs=list(self.message_queue))\nWe are done! Our module is now fully ready to register, subscribe to a hook and act when notified.
"},{"location":"development/modules/quick_start/processor/#installing-and-registering-the-module","title":"Installing and registering the module","text":"We need now need to build and install the module. To do so, you'll need this script and an IRIS docker instance running on the same machine.
The script will build the module, copy it to the docker instances, install it within them and restart the dockers.
chmox +x buildnpush2iris.sh ./buildnpush2iris.sh -a The module should now be installed. We can register it in IRIS as explained here.
"},{"location":"operations/alerts/","title":"Alerts","text":"Introduced in IRIS v2.1.0
Alerts can be fed directly into IRIS using the Alerts API. Any source can inject alerts into IRIS, as long as it can send HTTP requests and respects the alert format.
A service account with the alert_read and alert_write permission can be used to send alerts to IRIS.
Warning
This section is only available for users with the alert_read and alert_write permissions.
Alerts can then be viewed in the Alerts section of IRIS. Analysts can then triage the alerts and create cases from them.
Each alert can be expanded to show more details.
"},{"location":"operations/alerts/#alerts-assignment","title":"Alerts assignment","text":"Alerts can be assigned to analysts. This can be done directly from the alert view.
To self-assign an unassigned alert, click on the hand icon on the left.
Clicking again on the hand icon will prompt with a list of analysts to assign the alert to.
The right button Assign, when hovering above an alert, can also be used to assign the alert to an analyst.
Alerts can be escalated/merged into a new case. When hovering above an alert, a Merge button will appear.
Once clicked, a new window appears, requesting additional information. In this window, the analyst can:
Alerts can also be escalated/merged into an existing case. When hovering above an alert, a Merge button will appear.
Once clicked, a new window appears requesting additional information. The button Merge into existing case needs to be clicked. A new dropdown appears and allows to select the case to merge the alert into.
Similar to the case creation, the analyst can:
The selected IOCs and assets are then added to the selected case.
"},{"location":"operations/alerts/#unmerge-alerts-from-a-case","title":"Unmerge alerts from a case","text":"Alerts can be unmerged from a case.
Info
When unmerging an alert, the alert is not deleted. It is only removed from the case. The alert state is not changed. The IOCs and assets are not removed from the case.
When a case is merged, a new link appears on the alert and mentions the case it was merged into. Clicking on this link allows to browse the case or to unmerge the alert.
"},{"location":"operations/alerts/#alerts-relationships","title":"Alerts relationships","text":"Each alert have a Relastionships section. This section shows the relationships between the alert and other objects in IRIS. This feature is in preview and might report false relationships.
The relationships are computed using the following logic:
By default the view limits the relationships to 100 nodes and looks back 7 days. This can be updated directly in the alert view.
"},{"location":"operations/api/","title":"API","text":"IRIS is meant to be plug-able and be integrated with the existing environments.
Through the REST API, one can do almost as much as it is possible to do through the web interface. Under the hood, the web interface is actually talking to the API.
The API endpoints are reachable on the same port as the web interface, i.e 443/HTTPS by default.
Hint
A Python client is available here to ease the automation.
"},{"location":"operations/api/#api-keys","title":"API Keys","text":"The first step is to obtain an API key. Each user is automatically attributed one when it is created. It can be found on the left panel, under username and My Settings.
Token exposure
In case the token is exposed and needs to be changed, a new one can be generated with the Renew option. Renewing a token revokes the previous.
The API constantly evolves with IRIS and thus multiple versions exists. Use the references below to check which API version applies to your IRIS version. Starting from IRIS v1.4.0, the supported API version can also be checked in the UI Advanced > Server settings.
The API token is used as a Bearer and needs to be present in the header Authorization when issuing requests. For example, to list all the cases:
curl --request GET \\\n--url http://<yourserver_ip>/manage/cases/list?cid=1 \\\n--header 'Authorization: Bearer mWpCUVNzBMU5EnbIAK50jLPhYjKBTHZjobdogc_n_yixpJTmt9tzAf8WYDI7m5XgB9wCJnlaXlHIh9RZjtp2fA' \\\n--header 'Content-Type: application/json'\nThe only way to revoke a token is to renew the current one. Once done, the previous API token does not exist anymore in the database and it becomes ineffective.
"},{"location":"operations/case_templates/","title":"Case templates","text":"Introduced in IRIS v2.1.0
Case templates are a way to pre-configure a case with a set of predefined informations. The case templates can be managed in Advanced > Case templates.
Info
This section is only available for users with the administrator role.
Case templates are made of a set of informations that will be used to pre-fill the case creation form. The following elements can be set:
Looking for case templates?
We are providing a set of case templates in the IRIS Resources repository.
"},{"location":"operations/case_templates/#structure-of-templates","title":"Structure of templates","text":"The following defines the structure of a case template:
{\n\"name\": \"ransomware_infection\",\n\"display_name\": \"Ransomware Infection Template\",\n\"description\": \"This case template describes first-response tasks to handle information system compromised by a ransomware.\",\n\"author\": \"DFIR-IRIS\",\n\"classification\": \"malicious-code:ransomware\",\n\"title_prefix\": \"[RANS]\",\n\"summary\": \"# Context \\n\\n\\n# Contact \\n\\n\\n# Actions \\n\\n\\n\",\n\"tags\": [\"ransomware\",\"malware\"],\n\"tasks\": [\n{\n\"title\": \"Identify the perimeter\",\n\"description\": \"The perimeter of compromise must be identified\",\n\"tags\": [\"identify\"]\n},\n{\n\"title\": \"Collect compromised hosts\",\n\"description\": \"Deploy Velociraptor and start collecting evidence\",\n\"tags\": [\"collect\", \"velociraptor\"]\n},\n{\n\"title\": \"Containment\"\n}\n],\n\"note_directories\": [\n{\n\"title\": \"Identify\",\n\"notes\": [\n{\n\"title\": \"Identify the compromised accounts\",\n\"content\": \"# Observations\\n\\n\"\n}\n]\n},\n{\n\"title\": \"Collect\",\n\"notes\": [\n{\n\"title\": \"Velociraptor deployment\"\n},\n{\n\"title\": \"Assets collected\",\n\"content\": \"# Assets collected\\n\\n# Assets not collected\"\n}\n]\n}\n]\n}\nCase templates can be used when creating a new case. On the UI, when creating a case, select the case template to use in the Case template dropdown. The case will then automatically use the informations defined in the template.
Since v2.0.0 the entire configuration is done through the .env file at the root of the IRIS directory.
The default configuration is provided through a .env.model file at the root of the IRIS directory. One need to copy this file to .env and modify it if needed.
The default configuration is suitable for testing only. See the section below to configure IRIS for production.
"},{"location":"operations/configuration/#production-configuration","title":"Production configuration","text":""},{"location":"operations/configuration/#secrets","title":"Secrets","text":""},{"location":"operations/configuration/#required-changes","title":"Required changes","text":"The following secrets in the .env need to be changed for production. We recommend using OpenSSL to generate different values from each secret: openssl rand -base64 64
POSTGRES_PASSWORD: Password of the postgres userPOSTGRES_ADMIN_PASSWORD: Password of the db admin user IRIS_SECRET_KEY: Key used by Flask to secure the session cookiesIRIS_SECURITY_PASSWORD_SALT: A salt used for password encryption in the DB Critical configuration
These settings are critical and need to be set properly otherwise authentication bypass may occur.
"},{"location":"operations/configuration/#optionnal-changes","title":"Optionnal changes","text":"To automate the provisionning of IRIS, one might need to set the default administrator API token and password. This can be achieve with the following environment variables. If those variables are not set, random ones are generated during the very first boot of the application.
Warning
The administrator password is printed in the logs. It is recommended to change it as soon as possible. The set of the following environment variables has no effect once the administrator account is created, i.e after the very first boot.
IRIS_ADM_PASSWORD: Password of the administrator account. The password need to match the default password policy or the administrator won't be able to login, IRIS_ADM_API_KEY: API key of the administrator. A random long string. No verification for the complexity is done. We recommend using openssl rand -base64 64IRIS is configured to use a self-signed certificate by default. This is suitable for testing only. To use your own certificate, you need to set the following environment variables:
KEY_FILENAME: The filename of the key file in the certificates/web_certificates directory at the root of the IRIS directoryCERT_FILENAME: The filename of the certificate file in the certificates/web_certificates directory at the root of the IRIS directoryOnce the changes are done, nginx docker container need to be rebuilt with the following command:
docker-compose stop nginx\ndocker-compose build nginx --no-cache\ndocker-compose up IRIS can be configured to use LDAP authentication. See the Authentication section for more details.
"},{"location":"operations/configuration/#available-settings","title":"Available settings","text":"These environment variables are availabled to be set.
Key Section Opt DescriptionSERVER_NAME Nginx No Passed to the server_name in NGINX configuration KEY_FILENAME Nginx No SSL Cert key filename passed to the NGINX configuration CERT_FILENAME Nginx No SSL Cert filename passed to the NGINX configuration INTERFACE_HTTPS_PORT Nginx Yes Listening interface of IRIS POSTGRES_USER DB No Name of the POSTGRES user POSTGRES_PASSWORD DB No Password of the POSTGRES user POSTGRES_ADMIN_USER DB No Name of the admin user POSTGRES_ADMIN_PASSWORD DB No Password of the ADMIN user POSTGRES_DB DB No Name of the DB used by IRIS POSTGRES_SERVER DB No Hostname or IP of the DB POSTGRES_PORT DB No Port of the DB server DOCKERIZED IRIS Yes Set to 1 when using dockers (default) IRIS_SECRET_KEY IRIS No Secret key used to secure sessions - needs to be random IRIS_SECURITY_PASSWORD_SALT IRIS No Secret used to salt the passwords in DB - needs to be random IRIS_UPSTREAM_SERVER IRIS No WebApp upstream server - used to configure nginx reverse proxy IRIS_UPSTREAM_PORT IRIS No WebApp upstream server port - used to configure nginx reverse proxy IRIS_ORGANISATION_NAME IRIS No Name of the company / organisation. Used on the UI IRIS_LOGIN_BANNER_TEXT IRIS No Text displayed on the login page IRIS_LOGIN_PTFM_CONTACT IRIS No Contact information displayed on the login page IRIS_UPLOADED_PATH IRIS No Path to store uploaded data. IRIS_BACKUP_PATH IRIS No Path to store backup files. IRIS_TEMPLATES_PATH IRIS No Path of the templates IRIS_DATASTORE_PATH IRIS No Path of the datastore files IRIS_DEMO_ENABLED Demo No Set to True to switch IRIS to Demo mode IRIS_DEMO_DOMAIN Demo No URL of the demonstration server IRIS_DEMO_USER_SEED Demo No Random seed to generate demo users IRIS_DEMO_ADM_SEED Demo No Random seed to generate admin users for demo CELERY_BROKER Celery No Broker URL used to handle IRIS tasks IRIS_AUTHENTICATION_TYPE Auth No IRIS auth mode : local or ldap IRIS_ADM_PASSWORD Auth Yes Set to use as initial password of the administrator account. Only works for the very first run of IRIS. Needs to match the password policy IRIS_ADM_API_KEY Auth Yes Set to use as initial API Key of the administrator IRIS_ADM_EMAIL Auth Yes Set to use as initial email of the administrator IRIS_ADM_USERNAME Auth Yes Set to use as initial username of the administrator LDAP_SERVER Auth Yes LDAP server IP or domain LDAP_PORT Auth Yes LDAP server port LDAP_USER_PREFIX Auth Yes Prefix to search the users within LDAP_USER_SUFFIX Auth Yes Suffix to search the users within LDAP_USE_SSL Auth Yes Set to True to use LDAPS LDAP_VALIDATE_CERTIFICATE Auth Yes Set to True to verify the server certificate validity LDAP_TLS_VERSION Auth Yes TLS version to use LDAPS LDAP_SERVER_CERTIFICATE Auth Yes Path of the LDAP server certificate LDAP_PRIVATE_KEY Auth Yes Path of the LDAP private certificate LDAP_PRIVATE_KEY_PASSWORD Auth Yes Password of the private key LDAP_AUTHENTICATION_TYPE Auth Yes Simple, SASL or NTLM LDAP_CUSTOM_TLS_CONFIG Auth Yes If set to true, the TLS configuration is not set by IRIS and taken from the defined environment. Default to False"},{"location":"operations/custom_attributes/","title":"Custom Attributes","text":"Introduced in IRIS v1.4.0
All the case objects can be extended with custom attributes. These attributes can be added by :
VT Report attribute to each objects it analyses)Attributes offer the ability to :
This section only describes how an administrator can add or delete attributes to an object.
Tip
We have publish a detailed article of custom attributes with advanced usage on our blog.
"},{"location":"operations/custom_attributes/#management-page","title":"Management page","text":"Custom attributes can be changed in the Advanced > Custom Attributes section on the left panel.
The page lists the objects for which custom attributes can be added or modified.
Attributes are defined in JSON which describes tabs and fields that makes the attributes.
{\n\"Tab Name 1\": { // Defines a new tab \n\"Field 1\": { // Defines a new field within the Tab Name 1\n\"type\": \"input_string\", // Defines the type of field, here a standard string input\n\"mandatory\": true, // Indicates whether the field is mandatory upon saving\n\"value\": \"\" // Default value if any, else empty\n},\n\"Field 2\": { // Defines a second field within the tab Tab Name 1\n\"type\": \"input_checkbox\", // Defines an input checkbox\n\"mandatory\": false, // Indicates whether the field is mandatory upon saving\n\"value\": false // Default value - must be set for booleans\n}\n},\n\"VT report\": { // Defines a second tab named VT report\n\"Content\": { // Defines a new field Content within the VT Report\n\"type\": \"html\", // Defines an HTML interpreted content\n\"value\": \"\" // Default value if any, else empty\n}\n}\n}\nThe code above would be rendered as :
With :
Tab Name 1 VT reportThe available fields type are available for rendering :
input_string: Standard input textinput_textfield: Standard input textfieldinput_checkbox: Standard checkboxinput_date: Standard date inputinput_datetime: Standard date and time inputinput_select: Standard select input. Need \"options\" tag to describe the available options, as a list of string. raw: A static content rendered in raw text. HTML is not be interpreted.html: A static content rendered as HTML. This is by nature prone to abuse, but at the same time allows adding custom JS scripts. When an attribute is updated, it will try to update all the existing objects with the new attributes. To prevent any data loss from previous attributes and attributes pushed by modules, the update is only made on attributes which don't have any values set or are type-compatibles (ie string to textfield).
The migration of an attribute can however be forced in two ways, both resulting in potential attributes data loss.
Good to know
Migrating or overwriting attributes never change the native information of an object. It only applies to custom attributes.
Partial overwrite basically resets all the values of every target objects that matches the current attribute definition. All associated values are lost. This does not impact attributes pushed by modules or previous configuration.
Complete overwrite resets all attributes of every target objects, including the ones created by modules, and then applies the current attributes. All associated values are lost.
Custom attributes can be more complex than what presented above. With the html type, it is possible to build almost anything. Below is an example of the custom attributes used in the IrisVT module. The {{ }} are used withing the module to generates the page with data received from VT.
Note : This example won't work as is, the value field is expanded here for reability.
IrisVT default custom attribute{\n\"VT report\": { \"Content\": { \"type\": \"html\", \"value\": \"<div class='row'>\n <div class='col-12'>\n <h3>Basic information</h3>\n <dl class='row'>\n {% if results.as_owner %}\n <dt class='col-sm-3'>AS owner</dt>\n <dd class='col-sm-9'>{{ results.as_owner }}</dd>\n {% endif %}\n {% if country %}\n <dt class='col-sm-3'>Country</dt>\n <dd class='col-sm-9'>{{ results.country }}</dd>\n {% endif %}\n </dl>\n </div>\n </div> \n {% if nb_detected_urls %}\n <div class='row'>\n <div class='col-12'>\n <h3>Detected URLS</h3>\n <dl class='row'>\n <dt class='col-sm-3'>Total detected URLs</dt>\n <dd class='col-sm-9'>{{ nb_detected_urls }}</dd>\n <dt class='col-sm-3'>Average detection ratio</dt>\n <dd class='col-sm-9'>{{ avg_urls_detect_ratio }}</dd>\n </dl>\n </div>\n </div> \n {% endif %}\n {% if nb_detected_samples %}\n <div class='row'>\n <div class='col-12'>\n <h3>Detected communicating samples</h3>\n <dl class='row'>\n <dt class='col-sm-3'>Total detected samples</dt>\n <dd class='col-sm-9'>{{ nb_detected_samples }}</dd>\n <dt class='col-sm-3'>Average detection ratio</dt>\n <dd class='col-sm-9'>{{ avg_samples_detect_ratio }}</dd>\n </dl>\n </div>\n </div> \n {% endif %}\n <div class='row'>\n <div class='col-12'>\n <div class='accordion'>\n <h3>Additional information</h3>\n {% if results.resolutions %}\n <div class='card'>\n <div class='card-header collapsed' id='drop_res' data-toggle='collapse' data-target='#drop_resolutions' aria-expanded='false' aria-controls='drop_resolutions' role='button'>\n <div class='span-icon'>\n <div class='flaticon-file'></div>\n </div>\n <div class='span-title'>\n Resolutions history\n </div>\n <div class='span-mode'></div>\n </div>\n <div id='drop_resolutions' class='collapse' aria-labelledby='drop_res' style=''>\n <div class='card-body'>\n <ul>\n {% for resolution in results.resolutions %} \n <li>{{ resolution.hostname }} ( Last resolved on {{resolution.last_resolved}} )</li>\n {% endfor %}\n </ul>\n </div>\n </div>\n </div>\n {% endif %}\n </div>\n </div>\n </div>\n <div class='row'>\n <div class='col-12'>\n <div class='accordion'>\n <h3>Raw report</h3>\n <div class='card'>\n <div class='card-header collapsed' id='drop_r' data-toggle='collapse' data-target='#drop_raw' aria-expanded='false' aria-controls='drop_raw' role='button'>\n <div class='span-icon'>\n <div class='flaticon-file'></div>\n </div>\n <div class='span-title'>\n Raw report\n </div>\n <div class='span-mode'></div>\n </div>\n <div id='drop_raw' class='collapse' aria-labelledby='drop_r' style=''>\n <div class='card-body'>\n <div id='vt_raw_ace'>{{ results| tojson(indent=4) }}</div>\n </div>\n </div>\n </div>\n </div>\n </div>\n </div> \n <script>\n var vt_in_raw = ace.edit('vt_raw_ace',\n {\n autoScrollEditorIntoView: true,\n minLines: 30,\n });\n vt_in_raw.setReadOnly(true);\n vt_in_raw.setTheme('ace/theme/tomorrow');\n vt_in_raw.session.setMode('ace/mode/json');\n vt_in_raw.renderer.setShowGutter(true);\n vt_in_raw.setOption('showLineNumbers', true);\n vt_in_raw.setOption('showPrintMargin', false);\n vt_in_raw.setOption('displayIndentGuides', true);\n vt_in_raw.setOption('maxLines', 'Infinity');\n vt_in_raw.session.setUseWrapMode(true);\n vt_in_raw.setOption('indentedSoftWrap', true);\n vt_in_raw.renderer.setScrollMargin(8, 5);\n </script>\" }\n}\n}\nIntroduced in IRIS v1.4.5
The datastore offers a way to store files directly in the context of a case. Documents, IOCs, evidences, etc, anything can be uploaded and managed through IRIS.
"},{"location":"operations/datastore/#accessing-the-datastore","title":"Accessing the datastore","text":"The datastore can be accessed from any page with the top-right shortcut.
A new pane will open, with a default folder tree created for the case.
"},{"location":"operations/datastore/#files","title":"Files","text":""},{"location":"operations/datastore/#adding-a-file","title":"Adding a file","text":"To add a file to a folder, press the + button near a folder where you want to place it, and select Add file.
A new window appear and allows to upload the file. The following fields are available :
infected unless specified otherwise in this field,infected unless specified otherwise in the password field. The file is also added to the IOC tab of the case, A file can be both IOC and Evidence, in which case it is handled as an IOC and also added to the Evidence tab of the case.
Depending on the file size, the upload might take some time. We are aware that the Nginx introduces a delay compared to a direct upload. We have not yet found a configuration that does not impact the speed upload.
Once uploaded, and depending on the options selected, the file appear in the target folder with specific icons. A mouse hover explains what each icon means.
"},{"location":"operations/datastore/#files-operations","title":"Files operations","text":"Once a file is added, a left-click on it shows a dropdown with multiple options.
Batch operations such as moving and deleting are also available by clicking on Select at the top right, and then selecting the files.
Images can now be directly pasted in notes an summary. Only images are supported. Once an image is pasted, the file is automatically uploaded in the datastore in the folder Notes Upload and a link to the file is inserted.
Example of pasted image
The image is by default sized to 40%. Changing the end of the link =SIZE%xSIZE% allows to resize the image.
The file is now available in the DS and can be replaced if needed. The ID of the file is the one provided in the link, which can help finding out when names are updated.
Note
Under certain conditions (browser, version, OS) the image copy/paste cannot be done directly. This is a known issue, not directly linked to IRIS but related to how browsers handle files in clipboards. If you face this issue, try to open the image and copy it from there instead of the file manager. Otherwise you need to upload it via the Datastore and then get a link from it.
"},{"location":"operations/datastore/#folders","title":"Folders","text":""},{"location":"operations/datastore/#adding-a-folder","title":"Adding a folder","text":"To add folder, press the + button near a folder where you want to place it, and select Add subfolder.
A new window appear requesting the name of the folder to create. Validate and the new folder appears in the folder tree. Files can then be added to it.
"},{"location":"operations/datastore/#moving-folders","title":"Moving folders","text":"Folders can be moved within other folders. When doing so, every files and subfolders are also moved, like we are used to with files managers.
Click on the + near the folder to move, and then select Move. The target folder is underlined in blue. Select then the target folder which should appear underline in orange. Then validate the move.
The folder and all its children are moved in the target directory.
"},{"location":"operations/datastore/#searching","title":"Searching","text":"When dozens of files are added, the filtering bar can be used to quickly find a file. The filtering mechanism is similar to the one in the timeline.
The query schema is : target_element:search_value AND target_element2:search_value2. There is no OR condition and searching without target does not work.
The following target elements can be used to filter :
Here a are a few concepts to better understand how the datastore is working.
Folders represented on the datastore are virtual and do not represent the folders on the system. This is to ensure smooth files operations. The files are never touched again (unless overwritten or deleted) once uploaded. When a file or directory is moved or renamed, only its parent references are updated.
Files are saved by GUID instead of their real names on the system. They are saved under the mapped volume /home/iris/server_data/datastore by default. Then three directories are created :
EvidencesIOCsRegularsWithin each of these, a new subdirectory with the case ID is created when a file is uploaded. This is ensure IOC, which can be harmful, are formally identified on the server itself. Files can be found on the system by looking up the Storage UUID of the file (eg: dsf-f86926ec-513d-4e47-88fa-02110e7fb412) in these directories.
All components of IRIS offers by-default logging in the docker instances. Depending on the OS of the hosts, the location of these logs may differ.
For Debian-based distributions, the logs are usually in /var/lib/docker/containers/. The usually interesting logs in IRIS are the following:
iriswebapp_app : Contains the logs of core of IRIS, including major stack traces and access control output iriswebapp_worker: Contains the logs of the worker and output of modulesiriswebapp_nginx: Contains the logs of the reverse proxy. Every request to IRIS is logged there. Logs of IRIS can be forwarded to a SIEM for monitoring. Below is discussed how to setup Splunk forwarding. Other drivers are available and detailed on the docker website.
/etc/docker/daemon.json and specify the following content: {\n\"log-driver\": \"splunk\",\n\"log-opts\": {\n\"splunk-insecureskipverify\": \"true\", \"splunk-index\": \"iris\",\n\"splunk-token\": \"YOUR HEC TOKEN\",\n\"splunk-url\": \"https://SPLUNK_SERVER:8088\"\n}\n}\nsystemctl reload docker. The logs should appear in the Splunk instance.IRIS has the ability to generate reports based on the data of an investigation. The reports templates can be managed in Advanced > Templates.
Info
This section is only available for users with the Admin role.
There is two types of reports :
The following report formats are supported:
Reports templates are made of tags, which are then processed and filed by the template engine of IRIS. The templates can have any forms as soon as they respect the tags. We are providing two example of reports.
Info
The templates includes a few lines that describes how to handle styles. These should not be removed. They are be present in the generated reports and need to be removed manually.
"},{"location":"operations/reports/#available-tags","title":"Available tags","text":"The following tags are available. None are mandatory. If a tag is mistyped, the generation step will produce an error message.
Hint
To get the list of available tags for a specific IRIS version, head to /case/export?cid=1.
Hint
Standard objects are accessible with {{ objectname }}. List objects can be looped:
{% for object in object_list %}\n {{ object.attribute }}\n {% endfor %} \ncase.name: Name of the casecase.description: Description of the casecase.open_date: Case open date case.close_date: Case close date case.opened_by: User that initially opened the case case.for_customer: Customer linked to the case case.soc_id: SOC ID number linked to the case evidences: List of evidence objects (see below - given evidence as loop variable)
evidence.filename: File name of the evidence evidence.date_added: Date of registration evidence.file_hash: Hash of the evidence evidence.added_by: User who added the evidenceevidence.custom_attributes: Custom attributes of the evidenceiocs: List of IOCs objects (see below - given ioc as loop variable)
ioc.ioc_value: Value of the IOC ioc.ioc_description: Description of the IOCioc.ioc_type: Type of IOC ioc.ioc_tags: Tags linked to the IOC ioc.custom_attributes: Custom attributes of the IOCnotes: List of notes objects (see below - given note as loop variable)
note.note_title: Title of the note note.note_content: Content of the note note.note_creationdate: Creation date of the note note.note_lastupdate: Date of last update note.custom_attributes: Custom attributes of the notetasks: List of tasks objects (see below - given task as loop variable)
task.task_title: Title of the task task.task_description: Description of the task task.task_open_date: Open date of the task task.task_last_update: Last update of the task task.task_close_date: Date of closure task.task_status: Status of the task task.task_tags: Task for the tags task.custom_attributes: Custom attributes of the tasktimeline: List of events objects (see below - given event as loop variable)
event.event_title: Title of the event event.event_content: Content of the event event.event_raw: Raw content of the event event.event_date: Date when the event happened event.event_source: Source of the event event.category: Category of the event event.event_tags: Tags of the events event.last_edited_by: User who last edited the event event.assets: List of assets names linked to the eventevent.custom_attributes: Custom attributes of the eventWe are providing two example of full reports.
The following snippets aimed to be placed directly in the DOCX documents.
"},{"location":"operations/reports/#loops-and-tables","title":"Loops and tables","text":""},{"location":"operations/reports/#standard-loops","title":"Standard loops","text":"A loop needs to be used for list objects. Loop on IOC example
The IOCs of this case are : \n\n{% for ioc in case.iocs %}\n - {{ ioc.ioc_value }}\n - {{ ioc.ioc_description }}\n{% endfor %}\nTo use a loop in a table, a tr tag needs to be added to the loop and the loop directly integrated in the table. Loop on IOC table example
The IOCs of this case are in the following table : \n\n{%tr for ioc in case.iocs %}\n {{ ioc.ioc_value }}\n {{ ioc.type_name }}\n {{ ioc.ioc_description }}\n{%tr endfor %}\nLoops can be nested. Don't forget to close each loop.
Nested loop{%for ioc in case.iocs %}\n\n Custom attributes of {{ ioc.ioc_value }} :\n\n {% for attribute in ioc.custom_attributes %}\n\n - {{ attribute }}\n\n {% endfor %}\n\n{% endfor %}\n{% for asset in assets %} \n\n {% if asset.compromised %}\n Asset {{ asset.asset_name }} is compromised\n {% endif %}\n\n{% endfor %}\nTo check if a list of objects is not empty, use the processor tag count.
{% if assets|count %} \n The case has assets\n{% endif %}\nThe case summary and notes are in markdown. A processor tag should thus be added |markdown. Summary as markdown
This is an example of summary : \n\n{{ case.description|markdown }}\nThis is an example of recursive notes : \n\n{% for note in case.notes %}\n\n My note named {{ note.note_title }} : \n {{ note.note_content|markdown }}\n\n{% endfor %}\nMost of the time an error of generation is due to misspelled tag or a missing closing tag ({% endfor %}, {% endif %}, etc). In case you cannot figure out what is going wrong, don't hesitate to reach us on Discord.
Some basic settings can be set in the section Advanced > Server settings.
Behavior :
Prevent post-init step to register default modules again during boot: By default if a module is deleted and the server is restart, the module will be registered again. Setting this will prevent this behavior. Prevent post-init step to register default case objects again during boot: By default if case objects are deleted and the server is restart, the case objects will be registered again. Setting this will prevent this behavior. Password policy : the password policy can be changed and is applied for the new users and next changes of users password
The tutorials have been discared as we now provide a free demonstration instance on v200.beta.dfir-iris.org. Should you need more information or assistance to use IRIS, you can contact us here.
"},{"location":"operations/upgrades/","title":"Upgrades","text":"Most of the time, Iris handles upgrades of the database automatically when a new version is started, thus no specific actions are required. However, some breaking changes might need manual intervention. Please use the selectors below to assess if a manual action is required.
Your current version: --Please choose current version-- v1.2.1 v1.3.0 v1.3.1 v1.4.0 v1.4.1 v1.4.2 v1.4.3 v1.4.4 v1.4.5 v2.0.0 v2.0.1 v2.0.2 v2.1.0 v2.2.0 v2.2.1 v2.2.2 v2.2.3 v2.3.0 v2.3.1 v2.3.2 v2.3.3 v2.3.4 v2.3.5 v2.3.6 v2.3.7 v2.4.5 v2.4.6 v2.4.7
Upgrading to: --Please choose target version-- v1.2.1 v1.3.0 v1.3.1 v1.4.0 v1.4.1 v1.4.2 v1.4.3 v1.4.4 v1.4.5 v2.0.0 v2.0.1 v2.0.2 v2.1.0 v2.2.0 v2.2.1 v2.2.2 v2.2.3 v2.3.0 v2.3.1 v2.3.2 v2.3.3 v2.3.4 v2.3.5 v2.3.6 v2.3.7 v2.4.5 v2.4.6 v2.4.7
Check upgrades conditions
For production environments, it is highly recommended to make backups of the DB in case any issues occur during upgrades.
"},{"location":"operations/upgrades/#backing-up-db","title":"Backing-up DB","text":"Only if you run in production and/or data is critical.
docker container list docker exec <container> pg_dump -U postgres iris_db | \\ \ngzip > ../iris_db_backup.gz\n zcat ../iris_db_backup.gz | less Stop the dockers
docker-compose stop\nRemove the application dockers
docker-compose rm app worker\nGet the last version of Iris
git checkout <last_tagged_version>\neg git checkout v2.4.7
Build the new versions
docker-compose build --no-cache app worker\nRun IRIS again. The app will handle the DB migration automatically.
docker-compose up\nIn case something went wrong, you can rollback to your previous version and restore data.
docker-compose down db --volumesdocker-compose build --no-cachedocker-compose up dbdocker container listzcat ../iris_db_backup.gz | docker exec -i <container> psql -U postgres -d iris_dbdocker-compose upWarning
v2.4.0 to v2.4.6 contains bugs. Please upgrade to v2.4.7 directly.
The update from previous versions to this one is done automatically. However it introduces a number of changes in the API and access control. It may thus break integrations.
Danger
Access control has been updated. Starting from this version, all users have by-default access deny to all the cases, expect explicitely specified otherwise by group membership or automatic access rights. Users can also now be linked to customers, which automatically give them access to the related alerts and cases.
Please refer to the API documentation to update any integration which may use the following features:
The layout of the reporting has been updated as well. Refer to the https://<server>/case/export?cid=<case_id> endpoint to get all the possible fields.
\u2757 The layout of the reporting has slightly changed. Custom report templates might not work anymore. You can use https://<server>/case/export?cid=<case_id> to get all the possible fields.
No other impact is to be expected.
"},{"location":"operations/upgrades/#v210","title":"v2.1.0","text":"The default location of the SSL certificates have been changed from dockers/nginx/dev_certs to certificates/nginx/web_certificates. The docker-compose.yml has thus been updated to mount this volume on the nginx Docker.
Except these changes, users in v2.0.x can upgrade to v2.1.0 without any manual intervention. Users in v1.4.x need to follow the v2.0.0 upgrade instructions before upgrading to v2.1.0.
"},{"location":"operations/upgrades/#v200","title":"v2.0.0","text":""},{"location":"operations/upgrades/#breaking-changes","title":"Breaking changes","text":"This version brings breaking changes on the following:
.env configurationWarning
Custom made modules need to be upgraded to IRIS Module Interface v1.2.0. Please see modules upgrade for v2.0.0
"},{"location":"operations/upgrades/#instance-migration","title":"Instance migration","text":"To migrate an instance from v1.4.5, one can use the script in upgrades/upgrade_to_2.0.0.py located in the repository. These commands needs to be run from the root of the repository (pwd should return something like /iris-web):
# Pull the lastest version \ngit pull # Checkout to iris v2.0.0\ngit checkout v2.0.0 # Check if upgrades possible\npython3 upgrades/upgrade_to_2.0.0.py --check\n\n# Run the upgrade\npython3 upgrades/upgrade_to_2.0.0.py --install\nThe script will take care of migrating the environment variables to reflect the changes in v2.0.0. Please review the .env file afterward.
The port have been changed 443. The script asks if the previous port should be kept or migrated to the new one.
Once validated, one can proceed with the usual upgrade methodology.
docker-compose stop \ndocker-compose build --no-cache \ndocker-compose up -d\nThis only concerns custom modules not shipped with IRIS Web App. The IRIS module interface has been upgraded to v1.2.0. No breaking changes are associated. One need to change the iris_module_interface dependency to 1.2.0 in the requirements and rebuild the module.
The client has been updated to reflect the latest changes of the API. It also integrates features that were missing previously, such as Datastore Management. Some methods have been deprecated and some other modified. The easiest way to upgrade is to increase the version in the requirements and test. Each deprecated method will produce a warning or raise an exception.
"},{"location":"operations/upgrades/#v145","title":"v1.4.5","text":"If you are coming from IRIS <= v1.3.1 please read this. Changes have been made to the NGINX docker to allow upload of big files for the datastore. It is hence necessary to also rebuild the NGINX docker this time.
docker-compose stopdocker-compose rm app workergit checkout <last_tagged_version> - eg git checkout v1.4.5docker-compose build --no-cache app worker nginxdocker-compose upThis only applies if you are coming from IRIS <= v1.3.1.
This version brings breaking changes in the DB docker by adding a named volume instead of the default one. This implies that previous existing database is ignored as the new docker won't know which volume was previously used. To prevent this, please strictly follow the guide below. This will copy the data of the existing volume, to the new named one.
docker container list. It should look like iris-web-db-xname field with the command below)docker inspect <iris_db> | grep -A5 \"Mounts\"\n# Example of output\n\"Mounts\": [\n{\n\"Type\": \"volume\",\n \"Name\": \"a90b9998a3233a68438c8e099bd0ba98d9f62c9734e40297b8067f9fdb921eb9\",\n \"Source\": \"/var/lib/docker/volumes/a90b9998a3233a68438c8e099bd0ba98d9f62c9734e40297b8067f9fdb921eb9/_data\",\n \"Destination\": \"/var/lib/postgresql/data\",\ndocker-compose stop 4. Create a new empty volume : docker volume create --name iris-web_db_data 5. Run a volume copy via a dummy image : docker run --rm -it -v <previous_db_volume_id>:/from:ro -v iris-web_db_data:/to alpine ash -c \"cd /from ; cp -av . /to\"\n# With the example of 2., this gives \ndocker run --rm -it -v a90b9998a3233a68438c8e099bd0ba98d9f62c9734e40297b8067f9fdb921eb9:/from:ro -v iris-web_db_data:/to alpine ash -c \"cd /from ; cp -av . /to\"\nv1.4.4, build and run. git pull origin git checkout v1.4.4\ndocker-compose build docker-compose up Do not forget to clear out your browser cache, many JS files were changed.
"},{"location":"operations/upgrades/#v143","title":"v1.4.3","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/upgrades/#v142","title":"v1.4.2","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/upgrades/#v141","title":"v1.4.1","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/upgrades/#v140","title":"v1.4.0","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/access_control/","title":"Access control","text":"Changes in v2.4.0
Starting from IRIS v2.4.0 the default access control is deny_all for all users. When upgrading, existing users keep their rights on the existing cases.
IRIS offers a granular access control for cases and management features. Two types of access control are available :
To ease the access control, users can be managed in :
A user can be in one or multiple groups and customers. The effective case access control of a user is deduced from its group and customer membership and its own cases access control. The effective permissions are deduced from its groups membership.
"},{"location":"operations/access_control/#cases-access-control-overview","title":"Cases access control overview","text":"Cases access control offer three levels:
deny_all: No access to the case. The user don't even see the case listed, read_only: Read-only access to the case. The user can see everything related to the case but cannot edit,full_access: Read-write access to the case. The user can see and edit everything related to the case, including closing and deleting the case. Cases access control can be applied through customers, groups and users. It starts with the customers, groups and ends with atomic user access control.
For example, the following configuration gives no access to the user since the atomic user access prevail upon the rest.
stateDiagram-v2\n DefaultPermission --> Group_prevail: DenyAll\n\n state join_groups <<join>>\n Group1 --> join_groups: ReadOnly\n Group2 --> join_groups: DenyAll\n join_groups --> Group_prevail: ReadOnly\n Group_prevail --> Effective_DenyAll: ReadOnly \n\n Effective_DenyAll: Resulting Deny All access for user\n User_Access --> Effective_DenyAll: DenyAllIn the next configuration, the user has Read Only access to the case because the atomic user access is not set, so the access is inherited from the group ownership.
stateDiagram-v2\n DefaultPermission --> Group_prevail: DenyAll\n\n state join_groups <<join>>\n Group1 --> join_groups: ReadOnly\n Group2 --> join_groups: DenyAll\n Group3 --> join_groups: DenyAll\n join_groups --> Group_prevail: ReadOnly\n\n Effective_ReadOnly: Resulting Read Only access for user\n Group_prevail --> Effective_ReadOnly: ReadOnly \n\n User_Access --> Effective_ReadOnly: Not setThis notably allows to create groups which can join a set of people from different organisations to work on the same case.
In the next configuration, the user pertains to a customer, which give automatically Full Access access to all the cases of the customer.
stateDiagram-v2\n DefaultPermission --> Customer_prevail: DenyAll\n\n Customer1 --> Customer_prevail: FullAccess\n Group1 --> Effective_FullAccess: Not set\n\n Effective_FullAccess: Resulting Full Access access for user\n Customer_prevail --> Effective_FullAccess: FullAccess \n\n User_Access --> Effective_FullAccess: Not setIn case the user pertains to a customer but is also in a group, the group access prevail upon the customer access.
stateDiagram-v2\n DefaultPermission --> Customer_prevail: DenyAll\n\n Customer1 --> Customer_prevail: FullAccess\n Group1 --> Group_prevail: ReadOnly\n\n Customer_prevail --> Group_prevail: FullAccess\n\n Group_prevail --> Effective_FullAccess: ReadOnly\n\n Effective_FullAccess: Resulting Read only Access access for user\n\n User_Access --> Effective_FullAccess: Not setFinally, the atomic user access prevail upon the rest.
stateDiagram-v2\n DefaultPermission --> Customer_prevail: DenyAll\n\n Customer1 --> Customer_prevail: FullAccess\n Group1 --> Group_prevail: ReadOnly\n\n Customer_prevail --> Group_prevail: FullAccess\n\n User_access --> User_prevail: DenyAll\n Group_prevail --> User_prevail: ReadOnly\n User_prevail --> Effective_FullAccess: DenyAll\n\n Effective_FullAccess: Resulting Deny all Access access for userPermissions allow to control the access to specific management features on the platform (adding users, cases etc.). A set of permissions are available:
standard_user: which includes the basic access to the interface and create casesserver_administrator: which includes managing users, groupsalerts_read: which includes access to the alertsalerts_write: which includes access to the alerts and the ability to add new onesalerts_delete: which includes the ability to delete the alertssearch across cases: which includes the ability to search across casescustomers_read: which includes the ability to read customerscustomers_write: which includes the ability to add and edit customerscase_templates_read: which includes the ability to read case templatescase_templates_write: which includes the ability to add and edit case templatesactivities_read: which includes the ability to read activitiesall_activities_read: which includes the ability to read all activities of all casesIRIS supports local and LDAP authentication. In both cases, users need to be declared in IRIS.
"},{"location":"operations/access_control/authentication/#local-authentication","title":"Local authentication","text":"Local authentication is the default setting. The password is validated against the local IRIS database. Passwords are stored salted and hashed, it is thus not possible to retrieve them in case they are lost. It is however possible to change them.
"},{"location":"operations/access_control/authentication/#changing-a-lost-password","title":"Changing a lost password","text":"If another administrative user exists : Being logged as this user, head to the Advanced > Access Control > Users section, and change the administrator password.
If no other administrative user exists : the change cannot be done via IRIS and an access to the backend is needed.
Danger
Do not delete and recreate any users directly from the DB! This will create inconsistencies in the relations and certainly corrupt everything.
Generate the hash of the new password with Python BCrypt in Python prompt
import bcrypt\nprint(bcrypt.hashpw('<new_password>'.encode('utf-8'), bcrypt.gensalt()))\nConnect to the DB docker then the Postgresql database iris_db and update the password
docker exec -ti <db_docker_id> /bin/bash\n/ # su postgres\n/ # psql\npostgres=# \\c iris_db \npostgres=# UPDATE \"user\" SET password = '<hash>' WHERE \"user\".name = 'administrator';\npostgres=# \\q\nexit\nexit\nLDAP authentication rely on a LDAP server to verify the password of a user. The user needs to be declared in IRIS.
graph LR\n A[User] -->|Authenticate| B(IRIS WebApp)\n B --> C{User exists in DB?}\n C -->|Yes| D{LDAP accepted password?}\n C -->|No| E[Authentication failed]\n D -->|Yes| F[Authentication succeeded]\n D -->|No| E[Authentication failed]The LDAP settings are present in the .env. Once the LDAP server information is set, reboot the Iris WebApp docker needs to be restarted.
docker-compose restart app\nTo set up LDAP without having run IRIS priorly, and as the app needs the accounts to be created first before using LDAP, one has to set the IRIS_ADM_EMAIL environment with the LDAP Email of the administrator user.
IRIS_AUTHENTICATION_TYPE=ldap\n\n## IP address or FQDN of the ldap server\nLDAP_SERVER=dc1.domain.local\n\n## Port of the LDAP server\nLDAP_PORT=636\n## LDAP Authentication type\nLDAP_AUTHENTICATION_TYPE=SIMPLE\n\n## Prefix to search the users within \nLDAP_USER_PREFIX=uid=\n## Suffix to search the users within\nLDAP_USER_SUFFIX=ou=people,dc=example,dc=com\n\n## Set to True to use LDAPS\nLDAP_USE_SSL=True\n\n## Set to True to verify the server certificate validity\nLDAP_VALIDATE_CERTIFICATE=True\n\n## TLS version to use LDAPS\nLDAP_TLS_VERSION=1.2\n\n## LDAP TLS configuration \nLDAP_CUSTOM_TLS_CONFIG=False\n\n# Set email address of the first user, that will be the admin \nIRIS_ADM_EMAIL=adm@example.com To use LDAP with an Active Directory, the following settings can be used:
Example of LDAP configuration for first run with Active DirectoryIRIS_AUTHENTICATION_TYPE=ldap\n\n## IP address or FQDN of the ldap server\nLDAP_SERVER=dc1.domain.local\n\n## Port of the LDAP server\nLDAP_PORT=636\n## LDAP Authentication type\nLDAP_AUTHENTICATION_TYPE=SIMPLE\n\n## Prefix to search the users within\nLDAP_USER_PREFIX=DOMAIN\\\n## Suffix to search the users within\nLDAP_USER_SUFFIX=\n## Set to True to verify the server certificate validity\nLDAP_VALIDATE_CERTIFICATE=True\n\n## TLS version to use LDAPS\nLDAP_TLS_VERSION=1.2\n\n## LDAP TLS configuration \nLDAP_CUSTOM_TLS_CONFIG=False\n\n# Set email address of the first user, that will be the admin\nIRIS_ADM_EMAIL=adm@example.com To set up LDAP after IRIS was already run, one only needs to set up the settings described previously without # Set email address of admin IRIS_ADM_EMAIL=adm@example.com and restart the docker.
Usernames in IRIS have to match the ones set in LDAP for the authentication to succeed.
"},{"location":"operations/access_control/authentication/#ldap-certificates","title":"LDAP certificates","text":"If the LDAP server uses a self-signed certificate, it is possible to add it to the trusted certificates of the IRIS WebApp docker.
certificates/ldap folder of the IRIS root directory.LDAP_VALIDATE_CERTIFICATE environment variable to True in the .env file.LDAP_CUSTOM_TLS_CONFIG environment variable to False in the .env file.LDAP_CA_CERTIFICATE environment variable certificate path used by the LDAP server in the .env file.If the LDAP server requires a client certificate, it is possible to add it to the trusted certificates of the IRIS WebApp docker.
certificates/ldap folder of the IRIS root directory.LDAP_VALIDATE_CERTIFICATE environment variable to True in the .env file.LDAP_CUSTOM_TLS_CONFIG environment variable to True in the .env file.LDAP_PRIVATE_KEY environment to the file name of the key in the .env file LDAP_PRIVATE_KEY_PASSWORD environment variable to the password of the key in the .env file - if needed Groups offer the possibility to set case access as well as permissions. By default two groups are created:
Administrator: users in this group hold the server_administrator permission, Analysts: users in this group hold the standard_user permission Both groups are set to give full cases access to the users.
"},{"location":"operations/access_control/groups/#setting-up-a-new-group","title":"Setting up a new group","text":"Head to the Access Control page and click Add group.
Fill the form. All the fields can be changed later on. The field Group name has to be unique on the IRIS instance. Access control and members can be set once the group is created.
The group can be configured once created by clicking on it in the list.
"},{"location":"operations/access_control/groups/#users","title":"Users","text":""},{"location":"operations/access_control/groups/#adding-users-to-a-group","title":"Adding users to a group","text":"To add users to the group, go to the Members tab and click Manage.
The User Manager should load and offers a list of users that can be added to the group. Select all the users you want to add to the group and press Save.
Permissions computation
When a user is added/removed to a group, its effective cases access are recomputed. Depending on the number of cases and users added/removed this can take some time. This process helps reducing the DB load when using IRIS during normal operation.
"},{"location":"operations/access_control/groups/#removing-users-from-a-group","title":"Removing users from a group","text":"To remove users from the group, go to the Members tab and click Manage.
The User Manager should load and present a list of both users already in the group as well as the ones that can be added. To remove one or more users, un-tick them from the list and press Save.
Alternatively, a user can be directly removed from within the group manager. Click on the red trash next to the user to remove and confirm the deletion.
"},{"location":"operations/access_control/groups/#cases","title":"Cases","text":""},{"location":"operations/access_control/groups/#adding-cases-to-the-group","title":"Adding cases to the group","text":"Access to one or multiple existing cases can be granted to a group. From within the Group Manager, go to the Cases Access tab and click Set case access.
The Cases Access Manager loads and gives the possibility to set the access to one or more cases.
Three choices of access are offered:
deny_all: No access at all to the case. The users won't even see the case listed, read_only: Read-only access to the case. The users can see everything related to the case(s) but cannot change anything,full_access: Read-Write access to the case. The users can see and change everything related to the case. Once the desired access is selected, press Set access.
Permissions computation
As for the addition of users, when a case is added/removed to a group, all the users' effective cases access are recomputed. Depending on the amount of cases added/removed and number of users this can take some time. This process helps reducing the DB load when using IRIS during normal operation.
"},{"location":"operations/access_control/groups/#removing-cases-from-the-group","title":"Removing cases from the group","text":"From within the Group Manager, go to the Cases Access tab. Click on the red trash next to the case to remove and confirm the deletion.
A group can be deleted by clicking on its name in the list and then Delete at the bottom of the Info tab.
Authentication
Looking for authentication settings? It's here
Whatever the authentication mechanism used (Local or LDAP), the users have to be declared in IRIS. This is done in Advanced > Access Control > Users.
Head to Advanced > Access Control > Users and click Add user. All fields of the form are required. All information can be changed after the creation.
Note
Permissions and groups can be set once the user is created.
Advanced > Server settings. The password also has to be set when using LDAP, it is then however not used for the authentication. A random password can be set when using LDAP. No password is required when the user is set as a service account. Service accounts
Service accounts users can use the API to perform any actions on the instance. They cannot login to the UI and they don't have a password.
"},{"location":"operations/access_control/users/#editing-a-user","title":"Editing a user","text":"
A user can be edited by clicking on its name or ID in Advanced > Access Control > Users. A window opens and display the user's information. Tabs at the top allow to configure multiple settings related to the user.
Permissions of a user cannot be set directly. They are inherited from the groups membership. The tab Permissions only displays the permissions the user has from its groups memberships. See Groups for more info.
Groups can be set by clicking on the Groups tab of the user's window and then Manage.
A new window appears with the possibility to select the groups the user should belong to.
After saving, the permissions of the user are updated. This can be verified in the Permissions tab.
Customers can be set by clicking on the Customers tab of the user's window and then Manage.
A new window appears with the possibility to select the customers the user should belong to.
"},{"location":"operations/access_control/users/#setting-cases-access","title":"Setting cases access","text":"Cases access are usually set through groups membership. However for granularity they can be set per user. To set the access of a user on a case, click on the Cases access tab of the user's window and then Set case access.
As for the Groups, a selector appears and allows to select one or multiple cases and the access to associate.
Info
Application of a case access is immediate, even if the user is logged in and browsing the case.
Info
Granular case access can also be set from a case itself, in Summary > Manage > Access.
A user can be deactivated, which has the following impact:
"},{"location":"operations/access_control/users/#deleting-a-user","title":"Deleting a user","text":"
It is usually not possible to delete a user. This is to keep consistency in the database. A user can be deleted if it has done absolutely no actions on the platform. If a user leaves the organisation, it is recommended to rename the user and deactivate it.
"},{"location":"operations/cases/case_operations/","title":"Case operations","text":""},{"location":"operations/cases/case_operations/#opening-a-case","title":"Opening a case","text":"
To open a case anywhere, press the + button in the top right corner. A popup appears and allows to fill the basic information of the new case.
A new window appears, requesting additional information. The following information are required:
The following information is optional:
Once Create is clicked, the case is created and a popup ask whether to the get redirected to the case or to add a new one.
Each case has its own context. To switch between cases/context, either click on the name of the current case at the top left, or click on the switch button on the top right.
A popup appears and allows to select the case to switch to. By default the last 100 cases are displayed. To look further in the past, one can use the search bar. Press Save to validate the switch. The page reloads with the new context.
A case metadata can be updated by going switching the case context and heading to Case > Summary. Clicking on Manage brings up a new window with the case metadata. The right pencil button allows to edit the metadata.
The following information can be updated:
Open. This defines the state of the case (open, closed, etc.). Unknown. This defines if the case is a true positive, false positive, etc. MediumOpenThe access of a case can be updated by going to Case > Summary > Manage, and from the popup, clicking on the Access tab.
Changes of access are immediately applied.
"},{"location":"operations/cases/case_operations/#closing-a-case","title":"Closing a case","text":"A case can be closed by going to Case > Summary > Manage, and from the popup, clicking on the Close case button. Closing a case doesn't delete it and it can be reopened at any time. The case can also be modified after it has been closed.
The modifications history of a case can be retrieved by going to Case > Summary > Manage, and from the popup, clicking on the history icon next to the case name.
IOCs are observables that were identified during the investigation, or that led to the case creation upon monitoring activities.
"},{"location":"operations/cases/iocs/#add-an-ioc","title":"Add an IoC","text":"An IoC object could be created by going to Case > IOC. Clicking on Add IOC in the top right corner brings up a new window for the IoC creation.
A new window appears, requesting additional information. The following information is required:
Amber by default)The following information is optional:
Once Save is clicked, the ioc is created.
IoC object data can be updated by clicking on the IoC value in the Case > IOC table. A popup appears and allows to change required and non-required fields.
Once Update is clicked, the IoC is updated.
IoC objects can be enriched in order to add valuable information to it.
"},{"location":"operations/cases/iocs/#comment-an-ioc","title":"Comment an IoC","text":"To comment an IoC, one can right click on it, in the Case > IOC menu, and select Comment. A new pop-up appears and allows to leave comments. This is also achievable by clicking on the IoC value in the Case > IOC table, and by clicking on the Comment button.
To have more information about modules, see the Modules section.
A set of modules can be launched to enrich IoCs. To do so, one can right click on the IoC , in the Case > IOC table, and select the module of choice. This is also achievable by clicking on the IoC value in the Case > IOC table, by clicking the Option button, and selecting the desired module.
The results of the module will appear in newly created tabs, in the IoC details. To view the tabs, click on the the IoC value.
"},{"location":"operations/cases/iocs/#delete-an-ioc","title":"Delete an IoC","text":"This will permanently delete the IoC and its attributes
To delete an IoC, one could either right click on the IoC, and select Delete, or click on the IoC value, and click on the Delete button.
The IOC is only unlinked from the case if it references other cases
"},{"location":"operations/cases/notes/","title":"Notes","text":"Attention
The notes layout has been updated in IRIS 2.4.0. The following documentation is valid for IRIS 2.4.0 and above.
IRIS allows analysts to add notes to cases. Notes can be added to a case from the Notes tab. Notes are organized by directories. A note has to live within a directory.
To add a directory, click on the + directory icon on the left side of the Notes tab. A new directory is added to the list and asks for a name.
The title of the directory can be edited by right clicking on it and selecting Rename.
To add a note, right click on the directory and select Add note. A new note is added to the list.
To rename the note, double click on the title and press enter to confirm.
"},{"location":"operations/cases/notes/#operations","title":"Operations","text":"Notes and directories can be moved. Right click on the note or directory and select Move. A popup appears and allows to select the destination directory.
Tasks allow incident handlers to split the workload into unit tasks, and to assign them to the team members.
"},{"location":"operations/cases/tasks/#add-a-task","title":"Add a task","text":"A task can be created by going to Case > Tasks. Clicking on Add Task in the top right corner brings up a new window for the task creation.
A new window appears, requesting additional information. The following information is required:
The following information is optional:
Once Save is clicked, the task is created.
Task metadata can be updated by clicking on the task title in the Case > Tasks table. A popup appears and allows to change required and non-required fields.
Once Update is clicked, the task is updated.
Tasks can be commented. This provide the ability for analysts to give more in-deepth information on the task execution (what did they do, how did they do, what are the results, etc.)
To comment a task, one can either right click on the task line and select Comment, or click on the task title, and click on the Comment button. A new windows appears and allows to add comments to the task.
Once Comment is clicked, in the last window, a comment is added to the task. Comments are editable and removable.
New types of modules are introduced in IRIS v1.4.0
IRIS can be extended with modules. They can be split in two types:
Modules (or DIM - DFIR-IRIS Modules) are actually Python packages which must be installed in the Python environment of iris-webapp and the worker (see Quick Start). Once installed in the Python environment, modules can be managed in Advanced > Modules.
Info
This section is only available for users with the Admin role.
By default IRIS is shipped with multiple modules.
To add a module, the user can click on the \"+\" button:
Then the user must enter the name of the pre-installed module. The name of the pip package must be used.
If everything is ok, the module will appear on the list. It is currently disabled, and needs configuration before it can be enabled. To do so, the user can click on the module's name:
A new text box appears, showing information about the module, and a list of parameters to configure. Each mandatory parameter must be configured to enable the module.
After configuring all the mandatory parameters, the \"Enable button\" is revealed and the user can finally enable the module.
That's all! The user can confirm in the summary that the module is indeed enabled and ready to use.
Finally, the user can either disable or remove the module by clicking on the according buttons.
Now that the module is configured and enabled, let's see how we can use it!
NB: As a temporary fix, after adding and configuring a module, one must restart the IRIS services (dockers) else the worker won't have the module installed properly.
"},{"location":"operations/modules/mod_management/#how-to-use-the-module","title":"How to use the module","text":"As stated in the beginning, a module extends the capabilities of IRIS. For now, it allows importing evidences of your needs into what we call a pipeline, where data will be handled in the module (checking, parsing, ingestion...). In our provided module, IrisEVTXModule ingest EVTX files, parse them as JSON, and send the results to a Splunk instance using its HTTP event collector (HEC) endpoint.
In IRIS, the files are always imported in the context of a case. To import a file, the user can click on Manage cases then Update tab.
In Processing pipeline, the user can pick a pipeline that will send the files to the wanted module. In our example, EVTX pipeline refers to the IrisEVTXModule module. Below, the user can fill the arguments needed by the according pipeline. Arguments can be optional. Finally, the user can import one or several files and click Update to start their processing by the module.
You can see in the picture below that the user will import four EVTX files.
The user can follow the upload of the different files with their respective progress bars.
Once uploaded, the status of the task can be observed on the DIM Tasks page.
Clicking on a Task ID shows information on the task processing.
After the processing of the files by the module, the list of the imported files is stored in the Evidences tab of the according case.
Introduced in IRIS v1.4.0
This module offers an interface with MISP and IRIS to automatically enrich IOCs with MISP insight.
The source code is available here. It is installed by default but needs to be configured to be enabled.
Note
The module is in its early stage and new features will be added over time.
"},{"location":"operations/modules/natives/IrisMISP/#features","title":"Features","text":"Two types of enrichement mecanism are proposed :
Get MISP insight. This sends the targets IOCs to the module and insights will be fetched and applied. The following types of IOCs are handled by the module :
The insight request on an IOC not handled is simply ignored.
The insights take the form of attributes added to the IOC. They are based on configurable templates.
"},{"location":"operations/modules/natives/IrisMISP/#configuration","title":"Configuration","text":"The behavior of the module can be configured as needed. Head to the Advanced > Modules > IrisMISP to change it.
At the time, only one MISP can be added. Future version might handled more than one MISP. The expected structure is the following :
{\n\"name\": \"Public_MISP\", \"type\":\"public\", \"url\":[\"https://testmisp\"],\n\"key\":[\"<apikey>\"], \"ssl\":[false]\n}\nIntroduced in IRIS v1.4.0
This module offers an interface with VirusTotal and IRIS to automatically enrich IOCs with VT insight. The source code is available here. It is installed by default but needs to be configured to be enabled.
"},{"location":"operations/modules/natives/IrisVT/#features","title":"Features","text":"Two types of enrichment mechanism are proposed :
Get VT insight. This sends the targets IOCs to the module and insights will be fetched and applied. The following types of IOCs are handled by the module :
The insight request on an IOC not handled is simply ignored.
Two types of insights are proposed :
vt:malicious or vt:suspicious tag if the detection thresholds are met (configurable). For domains, an ASN tag can also be added. The behavior of the module can be configured as needed. Head to the Advanced > Modules > IrisVT to change it.
vt:malicious. To disable, add a value > 100. vt:suspicious. To disable, add a value > 100. This module offers webhooks support for IRIS. It can be configured to send almost any events to to an external service supporting webhooks, such as Discord, Slack or Microsoft Teams. It can also be used with automation tools such as Tines and Shufle to further automate IRIS. The source code is available here.
"},{"location":"operations/modules/natives/IrisWebHooks/#features","title":"Features","text":"Slack Example
"},{"location":"operations/modules/natives/IrisWebHooks/#configuration","title":"Configuration","text":"The expected configuration is a JSON file, following the structure :
{ \"instance_url\": \"<IRIS_INSTANCE_URL>\",\n\"webhooks\": [\n{\n\"name\": \"Name of the webhook for internal reference only\",\n\"active\": false,\n\"trigger_on\": [<LIST OF HOOKS TO LISTEN TO>],\n\"request_url\": \"<URL OF THE WEBHOOK>\",\n\"use_rendering\": true,\n\"request_rendering\": \"<RENDERING TYPE OF THE MESSAGE>\", \"request_body\": {<BODY OF THE REQUET TO SEND>}\n},\n{\n\"name\": \"Another hook\",\n\"active\": false,\n\"use_rendering\": false,\n\"trigger_on\": [<LIST OF HOOKS TO LISTEN TO>],\n\"request_url\": \"<URL OF THE WEBHOOK 2>\",\n\"request_rendering\": \"<RENDERING TYPE OF THE MESSAGE>\", \"request_body\": {<BODY OF THE REQUEST TO SEND 2>}\n}\n]\n}\ninstance_url: Base URL of IRIS. This is used to set the links in the messageswebhooks: A list of JSON describing the webhooks For each webhook:name: Internal name of the webhook, this can be anything active: Optional - Set to false to disable the webhook trigger_on: List of IRIS hooks for which the webhook should be triggered. Only the on_postload_XX hooks are supported. To enable a set of hooks without writing them all, the following keywords can be used : all: Includes all on_postload hooks all_create: Includes all on_postload_XX_create hooksall_update: Includes all on_postload_XX_update hooksrequest_url: The URL provided by the webhook receiver. For instance for Slack : see how to get onerequest_rendering: URLs rendering may be specific from one receiver to another. The modules supports the following : markdown: Format the message as markdown. This can be used with Discord for instance markdown_slack: Format the message as markdown, with some specificities of Slack. html: Format the message as HTML. request_body: The request body to be sent to the webhook receiver. If use_rendering is true, then two markups can be used to set the content of the webhook. The request has to be in JSON format and is sent as-is after replacements of the markups. %TITLE%: Is replaced with name of the case and event title, e.g \"[#54 - Ransomware] IOC created\"%DESCRIPTION%: Description of the event, e.g \"UserX created IOC mimi.exe in case #54\" If use_rendering is false, then a raw json representation of the object related to the hook is available. See examples for more details. manual_trigger_name: The name of the manual trigger in the UI. This should be set if the registered hook is of type on_manual_trigger. This name is displayed as a new menu option in the UI for the target object. use_rendering: Whether the data should be formated in Markdown or not. If set to false, then the request body field can use the raw data such as assets. This will result in a request with the body containing the assets JSON representation related to the call of the hook. See examples for more details. Each time a webhook is added, the module subscribes to the specified hooks. After saving the configuration, one can check the registration was successful by filtering the Registered hooks table (don't forget to refresh the table).
The following example is a combination of webhooks that can be used to further automate IRIS. It uses Tines as an example, but this is reproductible with any automation tool that can sent HTTP requests. A Tines story is created and is set up to receive a webhook, such as https://anothertest.tines.io/webhook/xxxx/xxxxx. In this scenario, two IRIS webhooks are added:
on_manual_trigger_ioc_update hook. on_postload_case_create hook. We use the same Tines story and thus Tines webhook for both and dispatch the incoming request depending on its parameters.
"},{"location":"operations/modules/natives/IrisWebHooks/#todo","title":"TODO","text":""},{"location":"operations/modules/natives/IrisWebHooks/#examples-using-rendering","title":"Examples using rendering","text":"The following is an example of combined webhooks configuration. It can be directly imported in the module with the import feature. Please note that after import, the configuration should be opened and change to match your URL webhook receiver.
Download webhooks combined configuration example
"},{"location":"operations/modules/natives/IrisWebHooks/#discord","title":"Discord","text":"Discord webhook example - selection of events{ \"instance_url\": \"https://iris.local\",\n\"webhooks\": [\n{\n\"name\": \"Discord\",\n\"trigger_on\": [\n\"on_postload_ioc_create\",\n\"on_postload_ioc_update\",\n\"on_postload_note_create\",\n\"on_postload_note_update\"\n],\n\"request_url\": \"https://discord.com/api/webhooks/XXXX/XXXX\",\n\"request_rendering\": \"markdown\", \"request_body\": {\n\"embeds\": [{\n\"description\" : \"%DESCRIPTION%\",\n\"title\" : \"%TITLE%\"\n}]\n}\n}\n]\n}\n{ \"instance_url\": \"https://iris.local\",\n\"webhooks\": [\n{\n\"name\": \"Slack\",\n\"trigger_on\": [\n\"all\"\n],\n\"request_url\": \"https://hooks.slack.com/services/<XXX>/<XXX>/<XXX>\",\n\"request_rendering\": \"markdown_slack\",\n\"request_body\": {\n\"text\": \"%TITLE%\",\n\"blocks\": [\n{\n\"type\": \"section\",\n\"text\": {\n\"type\": \"mrkdwn\",\n\"text\": \"*%TITLE%*\"\n}\n},\n{\n\"type\": \"section\",\n\"block_id\": \"section567\",\n\"text\": {\n\"type\": \"mrkdwn\",\n\"text\": \"%DESCRIPTION%\"\n}\n}\n]\n}\n}\n]\n}\nWebhooks receivers are expecting specific message formatting to successfully process them. Please carefully read their documentations.
The module only handles JSON POST for the moment. If the target webhook receiver needs another type of request, please contact us so we can add it.
As any IRIS module, IrisWebhooks is logged into DIM Tasks. You can check the status of the requests made in these. Go to DIM Tasks and then filter with webhooks. You can then check details info by clicking in the Task ID. More info might be available in the Docker worker logs depending on the situation.
dfir_iris_client offers a Python interface to communicate with IRIS.
It relies exclusively on the API, which means output of the methods are the same as specified in the API reference.
"},{"location":"python_client/#installation","title":"Installation","text":"It can be easily with pip : pip3 install dfir_iris_client.
The source code of the project is available here.
"},{"location":"python_client/#versions","title":"Versions","text":"The Python client version follows the API versions (until the patch level). Meaning for API v1.0.1, one need to install dfir_iris_client-1.0.1.
Examples of usage are available here.
"},{"location":"python_client/#documentation","title":"Documentation","text":"The documentation of the client is available on client.docs.dfir-iris.org.
"}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Home","text":"This documentation serves as a comprehensive guide to the IRIS web application operations, modules, and development.
If you're new to IRIS, we recommend starting with our Getting Started guide to learn the basics.
For those who want to try out IRIS easily, we offer a free demonstration instance of the rolling beta version here.
Our documentation is constantly evolving, so if you don't find what you're looking for, please contact us so we can add the missing piece.
"},{"location":"#what-is-iris","title":"What is IRIS?","text":"IRIS is a collaborative platform for incident response analysts that helps to share investigations at a technical level. It's a web application that can be installed on a fixed-server or on a laptop for roaming investigations where internet might not be available.
IRIS was born out of the struggle to share long and complex investigations among analysts.
The project is available on our Github organization.
Disclaimer
IRIS is still in its early stages. It can already be used in production, but please set backups of the database and DO NOT expose the interface on the Internet. We highly recommend the use of a private dedicated and secured network.
"},{"location":"changelog/","title":"Changelog","text":"For upgrades instructions, please see the Upgrades page.
"},{"location":"changelog/#v247-march-18-2024","title":"v2.4.7 March 18, 2024","text":""},{"location":"changelog/#whats-changed","title":"What's changed","text":"Fixed * Issues in the datastore preventing to upload multiple files
Full Changelog
"},{"location":"changelog/#v246-march-18-2024","title":"v2.4.6 March 18, 2024","text":""},{"location":"changelog/#whats-changed_1","title":"What's changed","text":"\u26a0\ufe0f Important changes are done in the Access Control. If you are upgrading, please carefully read the upgrades instructions. The layout of the reports has been changed. Reports template need to be upgraded as well.
Improved
Fixed
Full Changelog
"},{"location":"changelog/#v237-december-14-2023","title":"v2.3.7 December 14, 2023","text":""},{"location":"changelog/#whats-changed_2","title":"What's Changed","text":"Fixed
Improved
Full Changelog
"},{"location":"changelog/#v236-december-7-2023","title":"v2.3.6 December 7, 2023","text":""},{"location":"changelog/#whats-changed_3","title":"What's Changed","text":"Fixed
Full Changelog
"},{"location":"changelog/#v235-november-30-2023","title":"v2.3.5 November 30, 2023","text":""},{"location":"changelog/#whats-changed_4","title":"What's Changed","text":"Fixed
Full Changelog
"},{"location":"changelog/#v234-november-29-2023","title":"v2.3.4 November 29, 2023","text":"A severe bug has been introduced in this version. Please upgarde to v2.3.5.
"},{"location":"changelog/#whats-changed_5","title":"What's Changed","text":"Added
Fixed
\u2757 The layout of the reporting has slightly changed. Custom report templates might not work anymore. You can use https://<server>/case/export?cid=<case_id> to get all the possible fields.
Full Changelog
"},{"location":"changelog/#v233-october-5-2023","title":"v2.3.3 October 5, 2023","text":""},{"location":"changelog/#whats-changed_6","title":"What's Changed","text":"Fixed
@Scriptception made their first contribution in 313
Full Changelog
"},{"location":"changelog/#v232-august-2-2023","title":"v2.3.2 August 2, 2023","text":""},{"location":"changelog/#whats-changed_7","title":"What's Changed","text":"Fixed
Patches a critical issue corrupting files uploaded to the DataStore via the IOC option or when a password is set
Full Changelog
"},{"location":"changelog/#v231-july-23-2023","title":"v2.3.1 July 23, 2023","text":""},{"location":"changelog/#whats-changed_8","title":"What's Changed","text":"Improved
Fixed
Full Changelog
"},{"location":"changelog/#v230-july-09-2023","title":"v2.3.0 July 09, 2023","text":""},{"location":"changelog/#whats-changed_9","title":"What's Changed","text":"Added
Fixed
Full Changelog
"},{"location":"changelog/#v223-june-19-2023","title":"v2.2.3 June 19, 2023","text":""},{"location":"changelog/#whats-changed_10","title":"What's Changed","text":"Added
Fixed
Full Changelog
"},{"location":"changelog/#v222-may-30-2023","title":"v2.2.2 May 30, 2023","text":""},{"location":"changelog/#whats-changed_11","title":"What's Changed","text":"Added
Fixed - Delete character escaping for passwords by @juadde in #253 - Case template of tasks without tags - Shortening of case names during updates - Bad handling of certain requests without CID - Deletion of assets related to alerts once merge into a case
Full Changelog
"},{"location":"changelog/#v221-may-24-2023","title":"v2.2.1 May 24, 2023","text":""},{"location":"changelog/#whats-changed_12","title":"What's Changed","text":"Note 1: This version contains a security fix for iris-web (see CVE-2023-30615) Note 2: on_postload_case_info_update hook has been renamed to on_postload_case_update
Added
Fixed
Full Changelog
"},{"location":"changelog/#v220-may-22-2023","title":"v2.2.0 May 22, 2023","text":""},{"location":"changelog/#whats-changed_13","title":"What's Changed","text":"Added
Fixes
New Contributors
Full Changelog
"},{"location":"changelog/#v210-may-15-2023","title":"v2.1.0 May 15, 2023","text":"If you are using custom SSL certificates, please read the upgrade instructions when upgrading from previous versions.
"},{"location":"changelog/#whats-changed_14","title":"What's Changed","text":"Added
Fixed
New Contributors
Full Changelog
"},{"location":"changelog/#v202-april-18-2023","title":"v2.0.2 April 18, 2023","text":""},{"location":"changelog/#whats-changed_15","title":"What's Changed","text":"Fixed * Update case_notes_db.py for bug fix #200 by @LoneWolf-96 in #208 * Do not escape_filter_chars for NTLM username by @juadde in #212 * docker-compose cleanup by @juadde in #213 * Listening port not being propagated in nginx docker
New Contributors * @LoneWolf-96 made their first contribution in #208 * @juadde made their first contribution in #212
Full Changelog
"},{"location":"changelog/#v201-april-05-2023","title":"v2.0.1 April 05, 2023","text":""},{"location":"changelog/#whats-changed_16","title":"What's Changed","text":"Fixed [FIX] Additional table header in case management breaking proper loading of data in #206
Full Changelog
"},{"location":"changelog/#v200-march-26-2023","title":"v2.0.0 March 26, 2023","text":""},{"location":"changelog/#whats-changed_17","title":"What's Changed","text":"In addition to the features listed below, we are changing the way we are issuing releases. From now on, IRIS follows the Semantic Versioning 2.0 guidelines. The code ready for production is always tagged with a version number. alpha and beta versions are not production-ready.
Do not use the master branch in production.
A website with the current development version is also provided and freely accessible. It serves as a beta before public releases.
Added
Improved
Fixed
Full Changelog
"},{"location":"changelog/#v145-june-9-2022","title":"v1.4.5 June 9, 2022","text":"What's Changed
Full Changelog
Notes: Changes are made to the Nginx docker to allow upload of big files, hence specific upgrades are needed and auto-updates is not yet supported for this version. Please see the upgrades instruction for more details.
"},{"location":"changelog/#v144-may-18-2022","title":"v1.4.4 May 18, 2022","text":"What's Changed
Full Changelog
"},{"location":"changelog/#v143-may-13-2022","title":"v1.4.3 May 13, 2022","text":"What's changed
Full Changelog
"},{"location":"changelog/#v142-april-22-2022","title":"v1.4.2 April 22, 2022","text":"Improvements :
Fixes :
A bug fixe exists for this version. See v1.4.3
You can directly contact us, should you need direct support, a demo, further information or anything else related to the project.
contact@dfir-iris.org
Discord
IRIS uses dozen of OS modules and this list is not exhaustive. If you developped something which is used in IRIS and does not figures here, you can contact us.
The most straightforward and recommended way to use IRIS is with Docker. This is presented here.
Disclaimer
IRIS is in its early stage. It can already be used in production, but please set backups of the database and DO NOT expose the interface on the Internet. We highly recommended the use of a private dedicated and secured network.
"},{"location":"getting_started/#pre-requisites","title":"Pre-requisites","text":""},{"location":"getting_started/#hardware","title":"Hardware","text":"IRIS does not require a lot of resources, and it can be run on a small laptop (4 cores, 8Gb of RAM). However, for large a organization and heavy usage, it will need to be significantly scaled up. We don't have benchmarks yet, but keep in mind that the database can grow rapidly and modules can require more resources depending on their purposes.
"},{"location":"getting_started/#docker","title":"Docker","text":"Docker and docker compose are needed to build and run the project. Depending on the OS you will find all the information to install them on the official website of Docker.
The platform is officially supported on most Linux and MacOS. While it should work on Windows, some path needed by the containers to store permanent files might need to be changed in the dockerfiles.
"},{"location":"getting_started/#versioning","title":"Versioning","text":"Starting from version 2.0.0, Iris is following the Semantic Versioning 2.0 guidelines. The code ready for production is always tagged with a version number. alpha and beta versions are not production-ready.
Do not use the master branch in production.
To build and run IRIS, follow these steps:
Clone the iris-web repository:
git clone https://github.com/dfir-iris/iris-web.git\ncd iris-web\nCheck out the latest non-beta tagged version:
git checkout v2.4.7\nCopy the environment file
cp .env.model .env\nWarning
The default configuration is suitable for testing only. To configure IRIS for production, see the configuration section.
Build the Docker containers:
docker-compose build\nStart IRIS:
docker-compose up\nIRIS should now be available on the host interface, port 443, using HTTPS protocol by default. You can access it by navigating to https://hostip in your web browser.
By default, an administrator account is created when IRIS is started for the first time. The password is printed in the console output. You can search for WARNING :: post_init :: create_safe_admin :: >>> in the logs to find the password. Running docker compose logs app | grep 'admin' should help to find it.
If you want to define an admin password at the first start, you can create and define the environment variable IRIS_ADM_PASSWORD in the .env. This has no effect once the administrator account is created.
Note that IRIS is split into five Docker services, each with a different role:
app - iris_webapp: The core, including web server, database management, module management, etc.db: A PostgreSQL databaseRabbitMQ: A RabbitMQ engine to handle job queuing and processingworker: A job handler relying on RabbitMQnginx: A NGINX reverse proxyEach service can be built independently, which is useful when developing. In this QuickStart, all services are built at once.
"},{"location":"getting_started/#additional-configuration","title":"Additional configuration","text":"Please see configuration for more details.
"},{"location":"getting_started/#kubernetes","title":"Kubernetes","text":"For enterprises wishing to run their instance of IRIS, utilizing the projects official Helm charts and/or Kustomize manifests, allows them to significantly enhance their deployment and management, presenting a powerful solution to streamline their IRIS deployment and management processes, efficiently running across a cluster of machines, ensuring high availability and seamless scaling as demand fluctuates.
The deploy directory in the iris-web GitHub repository provides a practical starting point for deploying IRIS on their preferred managed k8s platform. We've created two variants: eks and gke, feel free to customize each with your own values.
For more details, please visit the deploy directory on GitHub: deploy
"},{"location":"resources/","title":"Resources","text":"This page is a collection of external resources to help you get started with IRIS and integrate it into your workflow. Please note that some of these resources may be outdated. If you want to add your own resources, please open a pull request or contact us.
"},{"location":"resources/#blog-posts","title":"Blog posts","text":"Note of 25-05-2023
IRIS is growing both in code and interestes. To future-proof the project, we have decided to pause the development of new features and focus on the core functionalities and stability for a while. This includes a major refactoring of the codebase. We will still fix bugs and security issues.
We do not provide a long-term roadmap to prevent any frustration and unmet expectations. It is constantly evolving with feedbacks we receive.
We've thus moved it within a Github project. You can check it here.
"},{"location":"security-advisories/","title":"Security Advisories","text":"This page lists all security advisories that have been published for the code released by DFIR-IRIS.
"},{"location":"security-advisories/#cve-2023-50712-dec-18-2023","title":"CVE-2023-50712 Dec 18, 2023","text":"CVE ID Github ID Severity Impacted product CVE-2023-30615 GHSA-593r-747g-p92p Moderate - CVSS3 4.6/10 iris-web"},{"location":"security-advisories/#description","title":"Description","text":"A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.3.7. The vulnerability may allow an attacker to inject malicious scripts into the application, which could then be executed when a user visits the affected locations. This could lead to unauthorized access, data theft, or other related malicious activities.
An attacker need to be authenticated on the application to exploit this vulnerability.
"},{"location":"security-advisories/#affected-versions","title":"Affected versions","text":"iris-web < 2.3.7iris-web >= 2.3.7No workaround is available.
"},{"location":"security-advisories/#acknowledgment","title":"Acknowledgment","text":"Thanks to Leonard Rapp (G DATA Advanced Analytics GmbH) for the responsible disclosure.
"},{"location":"security-advisories/#cve-2023-30615-may-24-2023","title":"CVE-2023-30615 May 24, 2023","text":"CVE ID Github ID Severity Impacted product CVE-2023-30615 GHSA-gc6j-6276-2m49 Moderate - CVSS3 4.6/10 iris-web"},{"location":"security-advisories/#description_1","title":"Description","text":"A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.2.1. The vulnerability allows an attacker to inject malicious scripts into the application, which are then executed when a user visits the affected locations. This can lead to unauthorized access, data theft, or other related malicious activities.
An attacker need to be authenticated on the application to exploit this vulnerability.
"},{"location":"security-advisories/#affected-versions_1","title":"Affected versions","text":"iris-web < 2.2.1iris-web > 2.0.0 and < 2.2.1 while not using the alerting feature are not impacted.iris-web >= 2.2.1No workaround is available.
"},{"location":"support/","title":"Getting support","text":"We understand the importance of having robust support and training to maximize the effectiveness of our tools in your IR efforts. Here's how we can assist:
We're flexible and can accommodate needs through our OpenCollective page.
Please get in touch with us at contact@dfir-iris.org for further details.
"},{"location":"support_us/","title":"Support us","text":"As a free and open source project, we rely on the support of our community to continue development and improve our platform. If you find the platform useful and would like to help us sustain and grow, you may consider supporting us financially through OpenCollective.
Support us
"},{"location":"zqa/","title":"Q & A","text":""},{"location":"zqa/#general-questions","title":"General questions","text":""},{"location":"zqa/#which-version-should-i-install","title":"Which version should I install?","text":"The master branch is stable as all the development is done under the develop branch and merged once ready. To ease the identification, each new version is tagged and a new release is published. We recommend using these. git checkout <tagged_version>
Yes, IRIS is under heavy development. We are adding more and more features, led by feedbacks from the community.
"},{"location":"zqa/#what-is-the-future-of-the-project","title":"What is the future of the project?","text":"We aim to make it evolve as much as possible with the help of the community. We have long term goals to integrate it seamlessly with project like MISP and other OS project, but we don't provide any commitment on how and when to avoid any unmet expectations. For a short term roadmap, you can head to the Github project.
"},{"location":"zqa/#how-can-i-contact-the-dfir-iris-team","title":"How can I contact the DFIR-IRIS team?","text":"You can reach us on discord, Twitter or by email.
"},{"location":"zqa/#cases","title":"Cases","text":""},{"location":"zqa/#can-i-recover-a-deleted-case","title":"Can I recover a deleted case?","text":"No. Cases are deleted from the database and changes are committed. There is no coming back unless you have made backups of the database (which we recommend).
"},{"location":"zqa/#can-i-recover-a-deleted-case-object","title":"Can I recover a deleted case object?","text":"No. Every object such as IOCs, assets, events, notes, etc are immediately deleted from the database and changes are committed.
"},{"location":"zqa/#can-i-add-a-new-asset-type","title":"Can I add a new asset type?","text":"Yes. With a user that have administrative rights, go to Advanced > Case Objects.
Yes. Starting from v1.3.0, IOC types can be manipulated. Head to Advanced > Case Objects
Yes. Starting from v1.4.0, all case objects can be extended thanks to custom attributes. With a user that have administrative rights, go to Advanced > Custom Attributes.
Not for now. The searches in each case objects page are done client-side, and the attributes are not fetched. We will however implement a server side search in next releases.
"},{"location":"zqa/#can-i-create-two-cases-with-the-same-name-for-the-same-customer","title":"Can I create two cases with the same name for the same customer?","text":"Yes. Cases are identified with a unique number, so they can have the same name.
"},{"location":"zqa/#can-i-restrict-the-view-of-case-to-a-set-of-users","title":"Can I restrict the view of case to a set of users?","text":"Yes it is since v2.0.0. See Access control.
"},{"location":"zqa/#can-i-change-the-name-or-customer-of-an-existing-case","title":"Can I change the name or customer of an existing case?","text":"Yes it is since v2.0.0.
"},{"location":"zqa/#operations","title":"Operations","text":""},{"location":"zqa/#what-is-the-password-policy-can-it-be-changed","title":"What is the password policy? Can it be changed?","text":"Before v1.4.5, the password policy is hardcoded and cannot be changed. It should be 12 characters minimum and contains a capital letter and a number.
"},{"location":"zqa/#can-i-change-my-profile-picture","title":"Can I change my profile picture?","text":"No, not for now. This wasn't a priority for us, it will be released in future versions.
"},{"location":"zqa/#i-lost-the-administrator-password-can-i-recover-it","title":"I lost the administrator password, can I recover it?","text":"Passwords are hashed so they can't be recovered. But you can change it. Please see changing a lost password.
"},{"location":"zqa/#can-i-delete-a-user","title":"Can I delete a user?","text":"No. To keep consistencies in the database, users unfortunately cannot be deleted if they have done some activities. You can however disable them to prevent them appearing in the UI and connecting to the plafeform.
"},{"location":"zqa/#can-i-delete-a-customer","title":"Can I delete a customer?","text":"No. To keep consistencies in the database, customers unfortunately cannot be deleted if they are linked to cases.
"},{"location":"zqa/#can-i-prevent-backrefs-of-assets-and-iocs","title":"Can I prevent backrefs of assets and IOCs?","text":"No. It might be possible in future versions but for now it is better to spin up a new instance for restricted cases. The backref is however automatically disabled for performance reasons, for cases with more than 300 assets. We are working on a more efficient way to backref.
"},{"location":"zqa/#my-report-template-is-not-generated-and-generates-an-error","title":"My report template is not generated and generates an error","text":"Please triple check typos in tags as there is no fault tolerance. You can reach us in case of troubles.
"},{"location":"zqa/#integration","title":"Integration","text":""},{"location":"zqa/#can-i-enrich-iocs-with-external-sources","title":"Can I enrich IOCs with external sources?","text":"Starting from v1.4.0, it is now possible to easily develop module to enrich case objects. A module Iris VT and IRIS MISP are already provided.
"},{"location":"zqa/#is-there-an-api-client","title":"Is there an API client?","text":"Yes, you can find it on our Github.
"},{"location":"zqa/#security","title":"Security","text":""},{"location":"zqa/#can-i-restrict-cases","title":"Can I restrict cases?","text":"Yes it is since v2.0.0. See Access control.
"},{"location":"zqa/#can-i-expose-iris-on-the-internet","title":"Can I expose IRIS on the Internet?","text":"NO! Please don't. This platform should only be accessible in a restricted environment.
"},{"location":"zqa/#i-found-a-security-issue-can-i-have-a-bounty","title":"I found a security issue, can I have a bounty?","text":"No - IRIS is free and open source so there is no bounty. Please report it as soon as possible so we can fix it.
"},{"location":"zqa/#misc","title":"MISC","text":""},{"location":"zqa/#what-does-iris-stand-for","title":"What does IRIS stand for?","text":"Originally Incident Response Investigation System. But it can be whatever you want really.
"},{"location":"development/","title":"Development","text":"This section is under construction and more elements will be added over time
This documentation is not a detailed how-to develop IRIS. It gives some insights to help understand the basic code of the project and how to contribute.
"},{"location":"development/#general-repositories-conventions","title":"General repositories conventions","text":""},{"location":"development/#branches","title":"Branches","text":"We are using the Gitflow Workflow to manage our git branches. In a nutshell :
master contains only \"production-ready\" codedevelop contains the major development code. When ready it is tagged and merged into masterdevelop contains either : new_featureiXX_issue_title, with XX being the issue number The commits convention is the following :
[action] Commit message is used, with action being a 3 letters action related to the commit, eg ADDfor additions, DEL for deletions, IMP for improvements, etc.[#issue_id][action] Commit message The following sections are available in this documentation :
IRIS does not defines a separate API for users, meaning the HTML pages are actually using the API themselves. Routes don't need to handle the authentication and roles. These are handles by wrappers (see snippets below).
"},{"location":"development/code-tips/#page-route","title":"Page route","text":"A page returns an HTML content and should use the following code structure : Example of page route
@blueprint.route('/a/good/route', methods=['GET']) # (1)\n@login_required # (2)\ndef view_a_good_route(caseid, url_redir): # (3)\nif url_redir:\nreturn redirect(url_for('bluprintname.method_name', cid=caseid)) # (4)\n# route code \nreturn render_template(\"a_good_route.html\", variable_1=var_1, ...) # (5)\n@login_required is used for users page and @admin_login_required is used for admin restricted pages. caseid and url_redir are variable provided by @login_required and @admin_login_required wraps. caseid indicates which case ID the user tried to access the route with. url_redir indicates the caseid provided wasn't valid and a redirection is needed. variable_1 is a value that can be accessed from within the template itself. More variables can be added, or not at all. An API route returns a JSON content. Two types are pre-defined and should be used : Standard API returns
response_success(msg=\"A success message\", data=<data associated with the success feedback>)\nresponse_error(msg=\"An error message\", data=<data associated with the error feedback>, status=<status code, by default 400>)\nBelow is an example of standard API route. Example of page route
@blueprint.route('/a/good/api_route', methods=['GET']) # (1)\n@api_login_required # (2)\ndef view_a_good_route(caseid): # (3)\n# API route code \nreturn response_success(\"ok\", data=my_data_object) # (4)\n@api_login_required is used for users API endpoints and @api_admin_required is used for admin restricted endpoints. caseid is provided @api_login_required and @api_admin_required wraps. It indicates which case ID the user tried to access the endpoint with. In case a DB migration is needed, you need to provide an alembic migration script.
Test your migration
Please try out your migration as this is an important piece of the upgrades. Spin up an old version of IRIS, input some data and then try to start your new version. Ensure that everything is migrated as expected.
In a terminal and from within the IRIS virtual env :
source alembic -c app/alembic.ini revision -m \"A few words to describe your changes\" This creates a new revision file source > app > alembic > versions. It's a Python file that basically describes what needs to be updated DB-wise. You can take example from the ones we already have generated in the same folder.
Hint
During your tests you might face the issue that Alembic does not apply your changes after you executed it once. It's because it keeps tracks of the latest applied revision in a table alembic_version. It doesn't know you changed the revision file. In that case the trick is to connect to the DB, and then delete the entry in the alembic_version. This will force it to reapply all revisions at startup. If you're using the DB docker you can use the following:
docker exec -it <db_container_id> /bin/sh su postgrespsql\\c iris_db; DELETE FROM alembic_version; It follows an issue raised on the Github of the project.
It recommends the use of a hybrid development environment, as most of the time only the web-app needs to be changed:
For the webapp configuration, a specific .ini need to be created.
config.priv.ini in source/app by copying the config.docker.inipresent in the same directory. PG_SERVER = db to PG_SERVER = 127.0.0.1 or whatever IP is the Postgresql/docker running withThat's the only configuration change needed for the app to run outside docker. The docker.priv.ini is already excluded in gitignore.
Then Pycharm need to be setup with a dedicated environment, by adding a new configuration:
source/run.pysourceTo have pylint, right click on source in the directory tree and mark directory as > sources root. The requirements then need to be installed. Pycharm should detect the requirements.txt and propose to install the dependencies. Otherwise they can be installed with the following command (issued in the virtual environment) : pip3 install -r source\\requirements.txt
docker-compose up dbIRIS can now be developed and debugged on the fly.
"},{"location":"development/environment/#tests-in-docker","title":"Tests in docker","text":"Once the code is working by running on Pycharm, we highly recommend testing it on Docker. To do so, the app docker need to be erased and rebuilt.
docker-compose rm appdocker-compose build appdocker-compose up db appDevelopment considerations If the development results in DB modification, please use Alembic and add a migration script so users don't loose their data when they upgrade.
"},{"location":"development/hooks/","title":"Hooks","text":"Introduced in IRIS v1.4.0
Hooks are a mean for modules to react on specific events that occurs on IRIS. By subscribing to a hook, a module is automatically notified when the associated event occurs. This offers a multitude of possibilities, from adding insight to IRIS objects, to pushing information to another platform or even changing how IRIS works.
"},{"location":"development/hooks/#types","title":"Types","text":"There are 3 types of hooks.
On preload: Triggered before an object is processed and committed to database. It is triggered right after a request is received, and the data associated with the hook is usually the request content itself. In most of the cases, modules should not subscribe to these hooks. On postload: Triggered after an object is processed and committed to database. It is triggered after IRIS processed the request and the data associated with the hook is usually a list of SqlAlchemy objects (such as IOC, Assets, etc). Manual: Triggered by manual action of a user. When a module subscribes to these hooks, it needs to provide a \"menu option name\" which will be displayed to users. When they click this option, the associated hook is triggered for this module only. Multiple manual hooks can be registered for one module. Danger
on_preload hooks must run synchronously, i.e not queued in RabbitMQ. This effectively blocks the current user request until the module finishes the processing. We highly recommend to only use on_postload hooks for a better user experience. These hooks are transparent for users and rely on already verified and committed data. Handling on_preload hooks implies the received data is unsafe - directly coming from remote clients - and the module needs to process the data as fast as possible.
Two methods are provided by IrisModuleInterface to subscribe and unsubscribe to hooks.
def register_to_hook(module_id: int, \niris_hook_name: str, \nmanual_hook_name: str = None, \nrun_asynchronously: bool = True)\ndef deregister_from_hook(module_id: int, \niris_hook_name: str)\nThe registration method expects the following arguments:
module_id: The ID of the calling module. This information is given by IRIS when the register_hooks method is called. iris_hook_name: The name of the hook to which subscribe. This must be one of the hook listed in the section below. manual_hook_name: The name of the UI menu that is provided to users if the registration concerns a manual hook. If nothing is provided, IRIS will create a name composed as follows: <module_name>::<hook_name>. This value is ignored if the signal is not manual. run_asynchronously: Set to True (default) to run the module in a RabbitMQ task upon hook triggering. If set to False, the module is called immediately, which have for effect to effectively block the current user request until the module finishes. This is the behavior to use for on_preload hooks. However, we strongly recommend the use of on_postload hooks to prevent any unwanted (see warning section above). The deregistration method expects the following arguments:
module_id: The ID of the calling module. This information is given by IRIS when the register_hooks methods is called. iris_hook_name: The name of the hook to which unsubscribe. If the module is not subscribed to the specified hook the function returns without errors. Please see the modules documentation for more details on how to implement these methods.
"},{"location":"development/hooks/#available-hooks","title":"Available hooks","text":"The following hooks are natively available for subscription.
Hook name Description on_preload_case_create Triggered on case creation, before commit in DB on_postload_case_create Triggered on case creation, after commit in DB on_preload_case_delete Triggered on case deletion, before commit in DB on_postload_case_delete Triggered on case deletion, after commit in DB on_postload_case_update Triggered on case update, before commit in DB on_manual_trigger_case Triggered upon user action on_postload_alert_create Triggered on alert creation, after commit in DB on_postload_alert_update Triggered on alert update, after commit in DB on_postload_alert_delete Triggered on alert deletion, after commit in DB on_postload_alert_escalate Triggered on alert escalation, after commit in DB on_postload_alert_merge Triggered on alert merge, after commit in DB on_postload_alert_unmerge Triggered on alert unmerge, after commit in DB on_preload_asset_create Triggered on asset creation, before commit in DB on_postload_asset_create Triggered on asset creation, after commit in DB on_preload_asset_update Triggered on asset update, before commit in DB on_postload_asset_update Triggered on asset update, after commit in DB on_preload_asset_delete Triggered on asset deletion, before commit in DB on_postload_asset_delete Triggered on asset deletion, after commit in DB on_manual_trigger_asset Triggered upon user action on_preload_note_create Triggered on note creation, before commit in DB on_postload_note_create Triggered on note creation, after commit in DB on_preload_note_update Triggered on note update, before commit in DB on_postload_note_update Triggered on note update, after commit in DB on_preload_note_delete Triggered on note deletion, before commit in DB on_postload_note_delete Triggered on note deletion, after commit in DB on_manual_trigger_note Triggered upon user action on_preload_ioc_create Triggered on ioc creation, before commit in DB on_postload_ioc_create Triggered on ioc creation, after commit in DB on_preload_ioc_update Triggered on ioc update, before commit in DB on_postload_ioc_update Triggered on ioc update, after commit in DB on_preload_ioc_delete Triggered on ioc deletion, before commit in DB on_postload_ioc_delete Triggered on ioc deletion, after commit in DB on_manual_trigger_ioc Triggered upon user action on_preload_event_create Triggered on event creation, before commit in DB on_preload_event_duplicate Triggered on event duplication, before commit in DB. This event only received the event ID which will be duplicated on_postload_event_create Triggered on event creation, after commit in DB on_preload_event_update Triggered on event update, before commit in DB on_postload_event_update Triggered on event update, after commit in DB on_preload_event_delete Triggered on event deletion, before commit in DB on_postload_event_delete Triggered on event deletion, after commit in DB on_manual_trigger_event Triggered upon user action on_preload_evidence_create Triggered on evidence creation, before commit in DB on_postload_evidence_create Triggered on evidence creation, after commit in DB on_preload_evidence_update Triggered on evidence update, before commit in DB on_postload_evidence_update Triggered on evidence update, after commit in DB on_preload_evidence_delete Triggered on evidence deletion, before commit in DB on_postload_evidence_delete Triggered on evidence deletion, after commit in DB on_manual_trigger_evidence Triggered upon user action on_preload_task_create Triggered on task creation, before commit in DB on_postload_task_create Triggered on task creation, after commit in DB on_preload_task_update Triggered on task update, before commit in DB on_postload_task_update Triggered on task update, after commit in DB on_preload_task_delete Triggered on task deletion, before commit in DB on_postload_task_delete Triggered on task deletion, after commit in DB on_manual_trigger_task Triggered upon user action on_preload_global_task_create Triggered on global task creation, before commit in DB on_postload_global_task_create Triggered on global task creation, after commit in DB on_preload_global_task_update Triggered on task update, before commit in DB on_postload_global_task_update Triggered on global task update, after commit in DB on_preload_global_task_delete Triggered on task deletion, before commit in DB on_postload_global_task_delete Triggered on global task deletion, after commit in DB on_manual_trigger_global_task Triggered upon user action on_preload_report_create Triggered on report creation, before generation in DB on_postload_report_create Triggered on report creation, before download of the document on_preload_activities_report_create Triggered on activities report creation, before generation in DB on_postload_activities_report_create Triggered on activities report creation, before download of the document on_postload_asset_commented Triggered on asset comment, after commit in DB on_postload_asset_comment_update Triggered on asset comment update, after commit in DB on_postload_asset_comment_delete Triggered on asset comment deletion, after commit in DB on_postload_evidence_commented Triggered on evidence comment, after commit in DB on_postload_evidence_comment_update Triggered on evidence comment update, after commit in DB on_postload_evidence_comment_delete Triggered on evidence comment deletion, after commit in DB on_postload_task_commented Triggered on task comment, after commit in DB on_postload_task_comment_update Triggered on task comment update, after commit in DB on_postload_task_comment_delete Triggered on task comment deletion, after commit in DB on_postload_ioc_commented Triggered on ioc comment, after commit in DB on_postload_ioc_comment_update Triggered on ioc comment update, after commit in DB on_postload_ioc_comment_delete Triggered on ioc comment deletion, after commit in DB on_postload_event_commented Triggered on event comment, after commit in DB on_postload_event_comment_update Triggered on event comment update, after commit in DB on_postload_event_comment_delete Triggered on event comment deletion, after commit in DB on_postload_note_commented Triggered on note comment, after commit in DB on_postload_note_comment_update Triggered on note comment update, after commit in DB on_postload_note_comment_delete Triggered on note comment deletion, after commit in DB on_postload_alert_commented Triggered on alert comment, after commit in DB on_postload_alert_comment_update Triggered on alert comment update, after commit in DB on_postload_alert_comment_delete Triggered on alert comment deletion, after commit in DB"},{"location":"development/structure/","title":"Structure overview","text":""},{"location":"development/structure/#flask","title":"Flask","text":"IRIS uses Flask for the web engine.
"},{"location":"development/structure/#routes-and-blueprints","title":"Routes and blueprints","text":"Each page and API endpoints (eg /login, /dashboard, /case/assets/list, etc) refers to a route in the IRIS Flask app. They define what the application should do when Flask receives a request on an URI. To keep structure in the projects, these routes are grouped by Blueprints. The Blueprints reflects the structure shown in the IRIS UI left menu. For instance there is a case and an activities Blueprint.
The Blueprints and thus routes are defined in source > app > blueprints. All the blueprints are registered in source > app > views.py.
IRIS uses dynamic page templating when an URI is visited. These Jinja2 templates are filled at runtime with the needed information and then returned to the client. Each route offering a page (i.e non-API endpoints) thus relies on a template. These are set in a folder named templates in each Blueprint. For instance, for the dashboard template : source > app > blueprints > dashboard > templates > index.html.
Static content is served from a common folder under source > app > static > assets. It contains CSS, JS and images. These can be accessed by pages using \"/static/assets/<the-resource>\".
For the database management, the application uses SQLAlchemy with a PostgreSQL backend. There is - normally - no need to directly deal with PostgreSQL, everything goes through SQLAlchemy. It provides a Python overlay which allows to talk to the DB with objects.
"},{"location":"development/structure/#models","title":"Models","text":"Each table of the app is defined by a model. These are defined in source > app > model. When IRIS starts, it looks for the already created tables and creates the missing ones if needed. If changes are done on a table or field, then a migration is needed. This is explained in Alembic migrations.
To help structuring the code, we are trying to move the DB code from the routes code. This is partially done and work in progress. If your route requests the DB, please put the DB code in source > app > datamgmt.
To apply schema migration without the need to rebuild the DB, IRIS uses Alembic. It allows to define migration scheme and IRIS calls it when it starts so users can upgrade without too much hassles.
"},{"location":"development/structure/#hooks-modules-and-tasks","title":"Hooks, modules and tasks","text":"Modules are handled via tasks thanks to Celery and RabbitMQ. More info here and here.
"},{"location":"development/structure/#iris-startup","title":"IRIS startup","text":"When starting-up, IRIS initiates a bunch of DB objects, whether it is started for the first time or just restarted. Objects already created are not recreated, but the missing ones are applied. This ensure a smooth migration between versions. These are defined in source > app > post_init.py. The scripts also contains the code that runs th DB migration with Alembic.
A DFIR-IRIS Module (DIM) is a Python package allowing to extend IRIS features. DIMs are not running constantly and are only called following specific actions done by users.
We distinct two types of modules:
Pipeline modules: Allow uploading and processing of evidences through modular pipelines (eg: EVTX parsing and injection into a database or data visualiser). These are called when a user queries Update case and select evidences to process. Processor modules: Allow processing of IRIS data upon predefined actions / hooks. (eg: be notified when a new IOC is created and get VT/MISP insights for it). These are either called automatically upon specific events, or if a user manually triggers them. Except for some triggers for processor modules, all tasks provided by DIMs are run asynchronously in RabbitMQ tasks, so they don't impact the UI.
Both types of DIMs have the same structure, they only differ in their configurations and how they handle the data they receive. For that purpose, every DIM inherit from a common class named IrisModuleInterface - available here - which provides the basic structure and methods of a module.
Hint
To quickly start writing a new module, one can follow these tutorials.
"},{"location":"development/modules/#overview","title":"Overview","text":"Modules are instantiated upon actions (hooks, triggers, user actions) and this occurs each time the said actions occur. It implies the initiation of a module has to be very quick. In most of the case, the __init__ method should not even be overwritten.
They can live either in the worker or the web-app, depending on their type and action they are handling. They can also live in both. This implies multiple instances of the same module can run at the same time.
The graph below shows two modules of different types running in the worker and interacting with external elements.
Modules don't have to handle the task creations or resource locks. This is handled by IRIS. They just need to process the data they received and return results in a predefined manner.
"},{"location":"development/modules/#common-structure","title":"Common structure","text":"The section below describes the common structure of modules.
"},{"location":"development/modules/#directory-structure","title":"Directory structure","text":"setup.py # Setup configuration to build the module \nREADME.md # README \niris_example_name # Name of the package \n __init__.py # Declaration of the package and main class\n IrisExampleConfig.py # Configuration of the module to help keep the main file clean \n IrisExampleInterface.py # Main class of the module \n module_helper # Sub module containing the helper functions of the module \n helper.py # for instance access to ext resource, manipulation of data \n helper2.py # etc. \nIris loads the modules dynamically. To do so, it needs to know the name of the main class of the module and relies on __init__.py to find this information.
__iris_module_interface = \"IrisEXAMPLEInterface\"\nWhere IrisEXAMPLEInterface is the main class of the module and inherits of the base class IrisModuleInterface.
Caution
Failing to provide the main class in __init__.py or having the main class inherit from IrisModuleInterface will make IRIS fail each time it attempts to load the module.
Iris needs to know what the module is doing and what services it is providing. This is done via the attributes of the main class (let's say IrisEXAMPLEInterface). The attributes are :
_module_name : string - \"human\" name presented to users. _interface_version : float - version of IrisModuleInterface used. If the version is not supported, the server will refuse to register the module. _module_version : float - version of the module itself to help users keep tracks of evolutions. _module_type: string - Type of module. The available modules types are listed in IrisModuleInterface.IrisModuleTypes_pipeline_support : bool - should be set to True if it implements a pipeline process (aka module of type pipeline_module)._pipeline_info : dict - contains the configuration of the pipeline. The following structure must be followed:pipeline_info = {\n# Name of the pipeline used for internal tracking. This \n# must be unique among all modules so pick something really unique \n\"pipeline_internal_name\": \"example_pipeline\",\n# The name of the pipeline presented to the user. Use something \n# that will help the users to identify the right pipeline\n\"pipeline_human_name\": \"Example Pipeline\",\n# Arguments presented to the users when they select the pipeline\n\"pipeline_args\": [\n['some_index', 'required'],\n['example_argument', 'optional']\n]\n}\n_module_configuration : A list of dict. The list contains each field needed by the module. This list is shown in the Iris webpage of the module configuration. Each field in an entry is mandatory. _module_configuration = [\n{\n\"param_name\": \"vt_api_key\",\n\"param_human_name\": \"VT API Key\",\n\"param_description\": \"Virus total API key\",\n\"default\": None,\n\"mandatory\": True,\n\"type\": \"sensitive_string\"\n},\n{\n\"param_name\": \"vt_key_is_premium\",\n\"param_human_name\": \"VT Key is premium\",\n\"param_description\": \"Set to True if the VT key is premium\",\n\"default\": False,\n\"mandatory\": True,\n\"type\": \"bool\"\n},\n{\n\"param_name\": \"vt_ip_assign_asn_as_tag\",\n\"param_human_name\": \"Assign ASN tag to IP\",\n\"param_description\": \"Assign a new tag to IOC IPs with the ASN fetched from VT\",\n\"default\": True,\n\"mandatory\": True,\n\"type\": \"bool\"\n}\n]\nThe above example results in the following.
"},{"location":"development/modules/quick_start/processor/","title":"Processor modules","text":"In this tutorial, we demonstrate the steps to write a basic processor module which subscribes to a hook, and log what it receives when the hook is triggered. We will also add a configuration setting to offer our users the ability disable this feature.
We'll call it IrisDummyModule.
As described in the development module main page, the module should have the following structure.
setup.py # Setup configuration to build the module \nREADME.md # README \niris_dummy_module # Name of the package \n__init__.py # Declaration of the package and main class\nIrisDummyConfig.py # Configuration of the module to help keep the main file clean \nIrisDummyModule.py # Main class of the module \nWhile the module could have only one main file IrisDummyModule.py, we recommend splitting its configuration into a new configuration file (here IrisDummyConfig.py) to keep the code clear.
There is no mandatory naming convention for the files or the class or the methods. We chose this one to keep things clear, and we recommend following the same. But it's up to you really.
We will walk over these files one by one during this tutorial.
"},{"location":"development/modules/quick_start/processor/#creating-the-interface","title":"Creating the interface","text":"The interface is the code that talks with IRIS. It implements methods that call and are called by the server. It needs to inherit IrisModuleInterface class from the IrisModuleInterface package. This module handles most of the methods needed by IRIS to recognize, set up and call the module. By inheriting this class in our interface, we avoid writing that part ourselves.
Let's write our basic interface class. The name of the file has to be the name of the main class, that's the only constraint. We'll see later on why.
iris_dummy_module/IrisDummyModule.py#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\npass \nThat's it! Actually this class is not doing anything right now. We'll need to add a few methods to register our hook later.
But first we need to indicate to IRIS what is our main interface class. Remember, there is no convention restriction, so IRIS has no way to know which class it should instantiate to call our module.
To do so, we need to set a specific variable in our __init__.py.
# Set the __iris_module_interface variable to the name of our main class. \n# When IRIS instantiates the python module, it looks for \"module.__iris_module_interface\"\n# And then tries to instantiate the class \"__iris_module_interface.__iris_module_interface\", here 'IrisDummyModule.IrisDummyModule'. \n# That's why the python file must have the same name as the class. \n__iris_module_interface = \"IrisDummyModule\"\nOur module is now recognizable by IRIS Pretty simple right?
"},{"location":"development/modules/quick_start/processor/#writing-the-configuration","title":"Writing the configuration","text":"The next step is to describe what the module is doing, its name, its configuration, etc. This is done by overwriting predefined variables of the IrisModuleInterface class.
Let's create our Python configuration file and go through each variables.
iris_dummy_module/IrisDummyConfig.py# Import the module types list, so we can indicate the type of our module \nfrom iris_interface.IrisModuleInterface import IrisModuleTypes \n# Human name displayed in the GUI Manage > Modules. This can be anything, \n# but try to put something meaningful, so users recognize your module. \nmodule_name = \"IrisDummy\"\n# Description displayed when editing the module configuration in the UI. \n# This can be anything, \nmodule_description = \"Provides a dummy module that replies to one hook\"\n# Set the interface version used. This needs to be the version of \n# the IrisModuleInterface package. This version is check by the server to\n# to ensure our module can run on this specific server \ninterface_version = 1.1\n# The version of the module itself, it can be anything \nmodule_version = 1.0\n# The type of the module, here processor \nmodule_type = IrisModuleTypes.module_processor\n# Our module is a processor type, so it doesn't offer any pipeline \npipeline_support = False\n# Provide no pipeline information as our module don't implement any \npipeline_info = {}\n# The configuration of the module that will be displayed and configurable \n# by administrators on the UI. This describes every parameter that can \n# be set. \nmodule_configuration = [\n{\n\"param_name\": \"log_received_hook\",\n\"param_human_name\": \"Log received hook\",\n\"param_description\": \"Logs a message upon hook receiving if set to true. Otherwise do nothing.\",\n\"default\": True,\n\"mandatory\": True,\n\"type\": \"bool\"\n}\n]\nThe module configuration parameters are the following :
param_name : The internal parameter name. This will be used by the module itself to fetch the value when needed.param_human_name : The name displayed on the UI for this specific parameterparam_description: A description explaining what this parameter is doing to help administratorsdefault: The default value of our parameter. Here we set to True, so after install our module is already configured and ready to log the hook. mandatory: Indicates whether the parameter is mandatory or not. If set to True and no value is provided (either by admin or by default), the module is automatically disabled by IRIStype: The type of parameter. Here a boolean, which will be rendered under the form of a checkbox. A module can have as many parameters as it needs.
We now need to update our main class to set this configuration.
iris_dummy_module/IrisDummyModule.py#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\n# Set the configuration\n_module_name = interface_conf.module_name\n_module_description = interface_conf.module_description\n_interface_version = interface_conf.interface_version\n_module_version = interface_conf.module_version\n_pipeline_support = interface_conf.pipeline_support\n_pipeline_info = interface_conf.pipeline_info\n_module_configuration = interface_conf.module_configuration\n_module_type = interface_conf.module_type\npass \nDone! The module is now providing enough information to IRIS, so it knows exactly what our module do and what needs to be called to run it.
However, our module is still doing nothing. Let's make it subscribe to an IRIS hook.
"},{"location":"development/modules/quick_start/processor/#subscribing-to-a-hook","title":"Subscribing to a hook","text":"Hooks allow to be notified by IRIS when a specific event occurs (IOC creation, deletion, etc). For a comprehensive description of hooks, please see the Hooks section of this documentation.
The registration (or subscription) to a hook occurs at two moments during the life of a module:
These registration/deregistration events are triggered by IRIS, and are propagated to modules through the IrisModuleInterface method register_hooks [ref].
To register to a hook, we need to override this method and register our hook within this method. To do so, IrisModuleInterface offers us another method register_to_hook [ref], which we can call for each hook we want to subscribe.
Here is a summary of the events:
register_hooks of our module. This indicates it is time for us to register our hooks. register_to_hook for each hook we want to subscribeLet's add this to our main class and register to the on_postload_ioc_create. This will notify use each time a new IOC is created and committed to the database.
#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\n# Set the configuration\n_module_name = interface_conf.module_name\n_module_description = interface_conf.module_description\n_interface_version = interface_conf.interface_version\n_module_version = interface_conf.module_version\n_pipeline_support = interface_conf.pipeline_support\n_pipeline_info = interface_conf.pipeline_info\n_module_configuration = interface_conf.module_configuration\n_module_type = interface_conf.module_type\ndef register_hooks(self, module_id: int):\n\"\"\"\n Called by IRIS indicating it's time to register hooks. \n :param module_id: Module ID provided by IRIS.\n \"\"\"\n# Call the hook registration method. We need to pass the \n# the module_id to this method, otherwise IRIS won't know \n# to whom associate the hook. \n# The hook name needs to be a well known hook name by IRIS. \nstatus = self.register_to_hook(module_id, iris_hook_name='on_postload_ioc_create')\nif status.is_failure():\n# If we have a failure, log something out \nself.log.error(status.get_message())\nelse:\n# Log that we successfully registered to the hook \nself.log.info(f\"Successfully subscribed to on_postload_ioc_create hook\")\nThat's it! Our module has now officially subscribed to a hook and will be notified each time an IOC is created.
So how the module is notified? Once again this is done by a method named hooks_handler [ref] that IrisModuleInterface provides, and we need to overwrite.
This method is called each time one of the event associated to the hook we subscribed is triggered. It provides the name of the hook and as well as the data associated to it. By overwriting this method, we can process the hook and the data!
We will add a condition in this method, that is if the administrator sets the module parameter log_received_hook to False, then the module won't log anything and simply return the data.
Hint
The current configuration of the module can be accessed with the attribute self._dict_conf.
#!/usr/bin/env python3\n# Import the IrisInterface class\nfrom iris_interface.IrisModuleInterface import IrisModuleInterface\n# Create our module class\nclass IrisDummyModule(IrisModuleInterface):\n# Set the configuration\n_module_name = interface_conf.module_name\n_module_description = interface_conf.module_description\n_interface_version = interface_conf.interface_version\n_module_version = interface_conf.module_version\n_pipeline_support = interface_conf.pipeline_support\n_pipeline_info = interface_conf.pipeline_info\n_module_configuration = interface_conf.module_configuration\n_module_type = interface_conf.module_type\ndef register_hooks(self, module_id: int):\n\"\"\"\n Called by IRIS indicating it's time to register hooks. \n :param module_id: Module ID provided by IRIS.\n \"\"\"\n# Call the hook registration method. We need to pass the \n# the module_id to this method, otherwise IRIS won't know \n# to whom associate the hook. \n# The hook name needs to be a well known hook name by IRIS. \nstatus = self.register_to_hook(module_id, iris_hook_name='on_postload_ioc_create')\nif status.is_failure():\n# If we have a failure, log something out \nself.log.error(status.get_message())\nelse:\n# Log that we successfully registered to the hook \nself.log.info(f\"Successfully subscribed to on_postload_ioc_create hook\")\ndef hooks_handler(self, hook_name: str, data):\n\"\"\"\n Called by IRIS each time one of our hook is triggered. \n \"\"\"\n# read the current configuration and only log the call if \n# our parameter is set to true \nif self._dict_conf.get('log_received_hook') is True:\nself.log.info(f'Received {hook_name}')\nself.log.info(f'Received data of type {type(data)}')\n# Return a standardized message to IRIS saying that everything is ok. \n# logs=list(self.message_queue) is needed, so the users can see the logs \n# our module generated during its execution. \nreturn InterfaceStatus.I2Success(data=data, logs=list(self.message_queue))\nWe are done! Our module is now fully ready to register, subscribe to a hook and act when notified.
"},{"location":"development/modules/quick_start/processor/#installing-and-registering-the-module","title":"Installing and registering the module","text":"We need now need to build and install the module. To do so, you'll need this script and an IRIS docker instance running on the same machine.
The script will build the module, copy it to the docker instances, install it within them and restart the dockers.
chmox +x buildnpush2iris.sh ./buildnpush2iris.sh -a The module should now be installed. We can register it in IRIS as explained here.
"},{"location":"operations/alerts/","title":"Alerts","text":"Introduced in IRIS v2.1.0
Alerts can be fed directly into IRIS using the Alerts API. Any source can inject alerts into IRIS, as long as it can send HTTP requests and respects the alert format.
A service account with the alert_read and alert_write permission can be used to send alerts to IRIS.
Warning
This section is only available for users with the alert_read and alert_write permissions.
Alerts can then be viewed in the Alerts section of IRIS. Analysts can then triage the alerts and create cases from them.
Each alert can be expanded to show more details.
"},{"location":"operations/alerts/#alerts-assignment","title":"Alerts assignment","text":"Alerts can be assigned to analysts. This can be done directly from the alert view.
To self-assign an unassigned alert, click on the hand icon on the left.
Clicking again on the hand icon will prompt with a list of analysts to assign the alert to.
The right button Assign, when hovering above an alert, can also be used to assign the alert to an analyst.
Alerts can be escalated/merged into a new case. When hovering above an alert, a Merge button will appear.
Once clicked, a new window appears, requesting additional information. In this window, the analyst can:
Alerts can also be escalated/merged into an existing case. When hovering above an alert, a Merge button will appear.
Once clicked, a new window appears requesting additional information. The button Merge into existing case needs to be clicked. A new dropdown appears and allows to select the case to merge the alert into.
Similar to the case creation, the analyst can:
The selected IOCs and assets are then added to the selected case.
"},{"location":"operations/alerts/#unmerge-alerts-from-a-case","title":"Unmerge alerts from a case","text":"Alerts can be unmerged from a case.
Info
When unmerging an alert, the alert is not deleted. It is only removed from the case. The alert state is not changed. The IOCs and assets are not removed from the case.
When a case is merged, a new link appears on the alert and mentions the case it was merged into. Clicking on this link allows to browse the case or to unmerge the alert.
"},{"location":"operations/alerts/#alerts-relationships","title":"Alerts relationships","text":"Each alert have a Relastionships section. This section shows the relationships between the alert and other objects in IRIS. This feature is in preview and might report false relationships.
The relationships are computed using the following logic:
By default the view limits the relationships to 100 nodes and looks back 7 days. This can be updated directly in the alert view.
"},{"location":"operations/api/","title":"API","text":"IRIS is meant to be plug-able and be integrated with the existing environments.
Through the REST API, one can do almost as much as it is possible to do through the web interface. Under the hood, the web interface is actually talking to the API.
The API endpoints are reachable on the same port as the web interface, i.e 443/HTTPS by default.
Hint
A Python client is available here to ease the automation.
"},{"location":"operations/api/#api-keys","title":"API Keys","text":"The first step is to obtain an API key. Each user is automatically attributed one when it is created. It can be found on the left panel, under username and My Settings.
Token exposure
In case the token is exposed and needs to be changed, a new one can be generated with the Renew option. Renewing a token revokes the previous.
The API constantly evolves with IRIS and thus multiple versions exists. Use the references below to check which API version applies to your IRIS version. Starting from IRIS v1.4.0, the supported API version can also be checked in the UI Advanced > Server settings.
The API token is used as a Bearer and needs to be present in the header Authorization when issuing requests. For example, to list all the cases:
curl --request GET \\\n--url http://<yourserver_ip>/manage/cases/list?cid=1 \\\n--header 'Authorization: Bearer mWpCUVNzBMU5EnbIAK50jLPhYjKBTHZjobdogc_n_yixpJTmt9tzAf8WYDI7m5XgB9wCJnlaXlHIh9RZjtp2fA' \\\n--header 'Content-Type: application/json'\nThe only way to revoke a token is to renew the current one. Once done, the previous API token does not exist anymore in the database and it becomes ineffective.
"},{"location":"operations/case_templates/","title":"Case templates","text":"Introduced in IRIS v2.1.0
Case templates are a way to pre-configure a case with a set of predefined informations. The case templates can be managed in Advanced > Case templates.
Info
This section is only available for users with the administrator role.
Case templates are made of a set of informations that will be used to pre-fill the case creation form. The following elements can be set:
Looking for case templates?
We are providing a set of case templates in the IRIS Resources repository.
"},{"location":"operations/case_templates/#structure-of-templates","title":"Structure of templates","text":"The following defines the structure of a case template:
{\n\"name\": \"ransomware_infection\",\n\"display_name\": \"Ransomware Infection Template\",\n\"description\": \"This case template describes first-response tasks to handle information system compromised by a ransomware.\",\n\"author\": \"DFIR-IRIS\",\n\"classification\": \"malicious-code:ransomware\",\n\"title_prefix\": \"[RANS]\",\n\"summary\": \"# Context \\n\\n\\n# Contact \\n\\n\\n# Actions \\n\\n\\n\",\n\"tags\": [\"ransomware\",\"malware\"],\n\"tasks\": [\n{\n\"title\": \"Identify the perimeter\",\n\"description\": \"The perimeter of compromise must be identified\",\n\"tags\": [\"identify\"]\n},\n{\n\"title\": \"Collect compromised hosts\",\n\"description\": \"Deploy Velociraptor and start collecting evidence\",\n\"tags\": [\"collect\", \"velociraptor\"]\n},\n{\n\"title\": \"Containment\"\n}\n],\n\"note_directories\": [\n{\n\"title\": \"Identify\",\n\"notes\": [\n{\n\"title\": \"Identify the compromised accounts\",\n\"content\": \"# Observations\\n\\n\"\n}\n]\n},\n{\n\"title\": \"Collect\",\n\"notes\": [\n{\n\"title\": \"Velociraptor deployment\"\n},\n{\n\"title\": \"Assets collected\",\n\"content\": \"# Assets collected\\n\\n# Assets not collected\"\n}\n]\n}\n]\n}\nCase templates can be used when creating a new case. On the UI, when creating a case, select the case template to use in the Case template dropdown. The case will then automatically use the informations defined in the template.
Since v2.0.0 the entire configuration is done through the .env file at the root of the IRIS directory.
The default configuration is provided through a .env.model file at the root of the IRIS directory. One need to copy this file to .env and modify it if needed.
The default configuration is suitable for testing only. See the section below to configure IRIS for production.
"},{"location":"operations/configuration/#production-configuration","title":"Production configuration","text":""},{"location":"operations/configuration/#secrets","title":"Secrets","text":""},{"location":"operations/configuration/#required-changes","title":"Required changes","text":"The following secrets in the .env need to be changed for production. We recommend using OpenSSL to generate different values from each secret: openssl rand -base64 64
POSTGRES_PASSWORD: Password of the postgres userPOSTGRES_ADMIN_PASSWORD: Password of the db admin user IRIS_SECRET_KEY: Key used by Flask to secure the session cookiesIRIS_SECURITY_PASSWORD_SALT: A salt used for password encryption in the DB Critical configuration
These settings are critical and need to be set properly otherwise authentication bypass may occur.
"},{"location":"operations/configuration/#optionnal-changes","title":"Optionnal changes","text":"To automate the provisionning of IRIS, one might need to set the default administrator API token and password. This can be achieve with the following environment variables. If those variables are not set, random ones are generated during the very first boot of the application.
Warning
The administrator password is printed in the logs. It is recommended to change it as soon as possible. The set of the following environment variables has no effect once the administrator account is created, i.e after the very first boot.
IRIS_ADM_PASSWORD: Password of the administrator account. The password need to match the default password policy or the administrator won't be able to login, IRIS_ADM_API_KEY: API key of the administrator. A random long string. No verification for the complexity is done. We recommend using openssl rand -base64 64IRIS is configured to use a self-signed certificate by default. This is suitable for testing only. To use your own certificate, you need to set the following environment variables:
KEY_FILENAME: The filename of the key file in the certificates/web_certificates directory at the root of the IRIS directoryCERT_FILENAME: The filename of the certificate file in the certificates/web_certificates directory at the root of the IRIS directoryOnce the changes are done, nginx docker container need to be rebuilt with the following command:
docker-compose stop nginx\ndocker-compose build nginx --no-cache\ndocker-compose up IRIS can be configured to use LDAP authentication. See the Authentication section for more details.
"},{"location":"operations/configuration/#available-settings","title":"Available settings","text":"These environment variables are availabled to be set.
Key Section Opt DescriptionSERVER_NAME Nginx No Passed to the server_name in NGINX configuration KEY_FILENAME Nginx No SSL Cert key filename passed to the NGINX configuration CERT_FILENAME Nginx No SSL Cert filename passed to the NGINX configuration INTERFACE_HTTPS_PORT Nginx Yes Listening interface of IRIS POSTGRES_USER DB No Name of the POSTGRES user POSTGRES_PASSWORD DB No Password of the POSTGRES user POSTGRES_ADMIN_USER DB No Name of the admin user POSTGRES_ADMIN_PASSWORD DB No Password of the ADMIN user POSTGRES_DB DB No Name of the DB used by IRIS POSTGRES_SERVER DB No Hostname or IP of the DB POSTGRES_PORT DB No Port of the DB server DOCKERIZED IRIS Yes Set to 1 when using dockers (default) IRIS_SECRET_KEY IRIS No Secret key used to secure sessions - needs to be random IRIS_SECURITY_PASSWORD_SALT IRIS No Secret used to salt the passwords in DB - needs to be random IRIS_UPSTREAM_SERVER IRIS No WebApp upstream server - used to configure nginx reverse proxy IRIS_UPSTREAM_PORT IRIS No WebApp upstream server port - used to configure nginx reverse proxy IRIS_ORGANISATION_NAME IRIS No Name of the company / organisation. Used on the UI IRIS_LOGIN_BANNER_TEXT IRIS No Text displayed on the login page IRIS_LOGIN_PTFM_CONTACT IRIS No Contact information displayed on the login page IRIS_UPLOADED_PATH IRIS No Path to store uploaded data. IRIS_BACKUP_PATH IRIS No Path to store backup files. IRIS_TEMPLATES_PATH IRIS No Path of the templates IRIS_DATASTORE_PATH IRIS No Path of the datastore files IRIS_DEMO_ENABLED Demo No Set to True to switch IRIS to Demo mode IRIS_DEMO_DOMAIN Demo No URL of the demonstration server IRIS_DEMO_USER_SEED Demo No Random seed to generate demo users IRIS_DEMO_ADM_SEED Demo No Random seed to generate admin users for demo CELERY_BROKER Celery No Broker URL used to handle IRIS tasks IRIS_AUTHENTICATION_TYPE Auth No IRIS auth mode : local or ldap IRIS_ADM_PASSWORD Auth Yes Set to use as initial password of the administrator account. Only works for the very first run of IRIS. Needs to match the password policy IRIS_ADM_API_KEY Auth Yes Set to use as initial API Key of the administrator IRIS_ADM_EMAIL Auth Yes Set to use as initial email of the administrator IRIS_ADM_USERNAME Auth Yes Set to use as initial username of the administrator LDAP_SERVER Auth Yes LDAP server IP or domain LDAP_PORT Auth Yes LDAP server port LDAP_USER_PREFIX Auth Yes Prefix to search the users within LDAP_USER_SUFFIX Auth Yes Suffix to search the users within LDAP_USE_SSL Auth Yes Set to True to use LDAPS LDAP_VALIDATE_CERTIFICATE Auth Yes Set to True to verify the server certificate validity LDAP_TLS_VERSION Auth Yes TLS version to use LDAPS LDAP_SERVER_CERTIFICATE Auth Yes Path of the LDAP server certificate LDAP_PRIVATE_KEY Auth Yes Path of the LDAP private certificate LDAP_PRIVATE_KEY_PASSWORD Auth Yes Password of the private key LDAP_AUTHENTICATION_TYPE Auth Yes Simple, SASL or NTLM LDAP_CUSTOM_TLS_CONFIG Auth Yes If set to true, the TLS configuration is not set by IRIS and taken from the defined environment. Default to False"},{"location":"operations/custom_attributes/","title":"Custom Attributes","text":"Introduced in IRIS v1.4.0
All the case objects can be extended with custom attributes. These attributes can be added by :
VT Report attribute to each objects it analyses)Attributes offer the ability to :
This section only describes how an administrator can add or delete attributes to an object.
Tip
We have publish a detailed article of custom attributes with advanced usage on our blog.
"},{"location":"operations/custom_attributes/#management-page","title":"Management page","text":"Custom attributes can be changed in the Advanced > Custom Attributes section on the left panel.
The page lists the objects for which custom attributes can be added or modified.
Attributes are defined in JSON which describes tabs and fields that makes the attributes.
{\n\"Tab Name 1\": { // Defines a new tab \n\"Field 1\": { // Defines a new field within the Tab Name 1\n\"type\": \"input_string\", // Defines the type of field, here a standard string input\n\"mandatory\": true, // Indicates whether the field is mandatory upon saving\n\"value\": \"\" // Default value if any, else empty\n},\n\"Field 2\": { // Defines a second field within the tab Tab Name 1\n\"type\": \"input_checkbox\", // Defines an input checkbox\n\"mandatory\": false, // Indicates whether the field is mandatory upon saving\n\"value\": false // Default value - must be set for booleans\n}\n},\n\"VT report\": { // Defines a second tab named VT report\n\"Content\": { // Defines a new field Content within the VT Report\n\"type\": \"html\", // Defines an HTML interpreted content\n\"value\": \"\" // Default value if any, else empty\n}\n}\n}\nThe code above would be rendered as :
With :
Tab Name 1 VT reportThe available fields type are available for rendering :
input_string: Standard input textinput_textfield: Standard input textfieldinput_checkbox: Standard checkboxinput_date: Standard date inputinput_datetime: Standard date and time inputinput_select: Standard select input. Need \"options\" tag to describe the available options, as a list of string. raw: A static content rendered in raw text. HTML is not be interpreted.html: A static content rendered as HTML. This is by nature prone to abuse, but at the same time allows adding custom JS scripts. When an attribute is updated, it will try to update all the existing objects with the new attributes. To prevent any data loss from previous attributes and attributes pushed by modules, the update is only made on attributes which don't have any values set or are type-compatibles (ie string to textfield).
The migration of an attribute can however be forced in two ways, both resulting in potential attributes data loss.
Good to know
Migrating or overwriting attributes never change the native information of an object. It only applies to custom attributes.
Partial overwrite basically resets all the values of every target objects that matches the current attribute definition. All associated values are lost. This does not impact attributes pushed by modules or previous configuration.
Complete overwrite resets all attributes of every target objects, including the ones created by modules, and then applies the current attributes. All associated values are lost.
Custom attributes can be more complex than what presented above. With the html type, it is possible to build almost anything. Below is an example of the custom attributes used in the IrisVT module. The {{ }} are used withing the module to generates the page with data received from VT.
Note : This example won't work as is, the value field is expanded here for reability.
IrisVT default custom attribute{\n\"VT report\": { \"Content\": { \"type\": \"html\", \"value\": \"<div class='row'>\n <div class='col-12'>\n <h3>Basic information</h3>\n <dl class='row'>\n {% if results.as_owner %}\n <dt class='col-sm-3'>AS owner</dt>\n <dd class='col-sm-9'>{{ results.as_owner }}</dd>\n {% endif %}\n {% if country %}\n <dt class='col-sm-3'>Country</dt>\n <dd class='col-sm-9'>{{ results.country }}</dd>\n {% endif %}\n </dl>\n </div>\n </div> \n {% if nb_detected_urls %}\n <div class='row'>\n <div class='col-12'>\n <h3>Detected URLS</h3>\n <dl class='row'>\n <dt class='col-sm-3'>Total detected URLs</dt>\n <dd class='col-sm-9'>{{ nb_detected_urls }}</dd>\n <dt class='col-sm-3'>Average detection ratio</dt>\n <dd class='col-sm-9'>{{ avg_urls_detect_ratio }}</dd>\n </dl>\n </div>\n </div> \n {% endif %}\n {% if nb_detected_samples %}\n <div class='row'>\n <div class='col-12'>\n <h3>Detected communicating samples</h3>\n <dl class='row'>\n <dt class='col-sm-3'>Total detected samples</dt>\n <dd class='col-sm-9'>{{ nb_detected_samples }}</dd>\n <dt class='col-sm-3'>Average detection ratio</dt>\n <dd class='col-sm-9'>{{ avg_samples_detect_ratio }}</dd>\n </dl>\n </div>\n </div> \n {% endif %}\n <div class='row'>\n <div class='col-12'>\n <div class='accordion'>\n <h3>Additional information</h3>\n {% if results.resolutions %}\n <div class='card'>\n <div class='card-header collapsed' id='drop_res' data-toggle='collapse' data-target='#drop_resolutions' aria-expanded='false' aria-controls='drop_resolutions' role='button'>\n <div class='span-icon'>\n <div class='flaticon-file'></div>\n </div>\n <div class='span-title'>\n Resolutions history\n </div>\n <div class='span-mode'></div>\n </div>\n <div id='drop_resolutions' class='collapse' aria-labelledby='drop_res' style=''>\n <div class='card-body'>\n <ul>\n {% for resolution in results.resolutions %} \n <li>{{ resolution.hostname }} ( Last resolved on {{resolution.last_resolved}} )</li>\n {% endfor %}\n </ul>\n </div>\n </div>\n </div>\n {% endif %}\n </div>\n </div>\n </div>\n <div class='row'>\n <div class='col-12'>\n <div class='accordion'>\n <h3>Raw report</h3>\n <div class='card'>\n <div class='card-header collapsed' id='drop_r' data-toggle='collapse' data-target='#drop_raw' aria-expanded='false' aria-controls='drop_raw' role='button'>\n <div class='span-icon'>\n <div class='flaticon-file'></div>\n </div>\n <div class='span-title'>\n Raw report\n </div>\n <div class='span-mode'></div>\n </div>\n <div id='drop_raw' class='collapse' aria-labelledby='drop_r' style=''>\n <div class='card-body'>\n <div id='vt_raw_ace'>{{ results| tojson(indent=4) }}</div>\n </div>\n </div>\n </div>\n </div>\n </div>\n </div> \n <script>\n var vt_in_raw = ace.edit('vt_raw_ace',\n {\n autoScrollEditorIntoView: true,\n minLines: 30,\n });\n vt_in_raw.setReadOnly(true);\n vt_in_raw.setTheme('ace/theme/tomorrow');\n vt_in_raw.session.setMode('ace/mode/json');\n vt_in_raw.renderer.setShowGutter(true);\n vt_in_raw.setOption('showLineNumbers', true);\n vt_in_raw.setOption('showPrintMargin', false);\n vt_in_raw.setOption('displayIndentGuides', true);\n vt_in_raw.setOption('maxLines', 'Infinity');\n vt_in_raw.session.setUseWrapMode(true);\n vt_in_raw.setOption('indentedSoftWrap', true);\n vt_in_raw.renderer.setScrollMargin(8, 5);\n </script>\" }\n}\n}\nIntroduced in IRIS v1.4.5
The datastore offers a way to store files directly in the context of a case. Documents, IOCs, evidences, etc, anything can be uploaded and managed through IRIS.
"},{"location":"operations/datastore/#accessing-the-datastore","title":"Accessing the datastore","text":"The datastore can be accessed from any page with the top-right shortcut.
A new pane will open, with a default folder tree created for the case.
"},{"location":"operations/datastore/#files","title":"Files","text":""},{"location":"operations/datastore/#adding-a-file","title":"Adding a file","text":"To add a file to a folder, press the + button near a folder where you want to place it, and select Add file.
A new window appear and allows to upload the file. The following fields are available :
infected unless specified otherwise in this field,infected unless specified otherwise in the password field. The file is also added to the IOC tab of the case, A file can be both IOC and Evidence, in which case it is handled as an IOC and also added to the Evidence tab of the case.
Depending on the file size, the upload might take some time. We are aware that the Nginx introduces a delay compared to a direct upload. We have not yet found a configuration that does not impact the speed upload.
Once uploaded, and depending on the options selected, the file appear in the target folder with specific icons. A mouse hover explains what each icon means.
"},{"location":"operations/datastore/#files-operations","title":"Files operations","text":"Once a file is added, a left-click on it shows a dropdown with multiple options.
Batch operations such as moving and deleting are also available by clicking on Select at the top right, and then selecting the files.
Images can now be directly pasted in notes an summary. Only images are supported. Once an image is pasted, the file is automatically uploaded in the datastore in the folder Notes Upload and a link to the file is inserted.
Example of pasted image
The image is by default sized to 40%. Changing the end of the link =SIZE%xSIZE% allows to resize the image.
The file is now available in the DS and can be replaced if needed. The ID of the file is the one provided in the link, which can help finding out when names are updated.
Note
Under certain conditions (browser, version, OS) the image copy/paste cannot be done directly. This is a known issue, not directly linked to IRIS but related to how browsers handle files in clipboards. If you face this issue, try to open the image and copy it from there instead of the file manager. Otherwise you need to upload it via the Datastore and then get a link from it.
"},{"location":"operations/datastore/#folders","title":"Folders","text":""},{"location":"operations/datastore/#adding-a-folder","title":"Adding a folder","text":"To add folder, press the + button near a folder where you want to place it, and select Add subfolder.
A new window appear requesting the name of the folder to create. Validate and the new folder appears in the folder tree. Files can then be added to it.
"},{"location":"operations/datastore/#moving-folders","title":"Moving folders","text":"Folders can be moved within other folders. When doing so, every files and subfolders are also moved, like we are used to with files managers.
Click on the + near the folder to move, and then select Move. The target folder is underlined in blue. Select then the target folder which should appear underline in orange. Then validate the move.
The folder and all its children are moved in the target directory.
"},{"location":"operations/datastore/#searching","title":"Searching","text":"When dozens of files are added, the filtering bar can be used to quickly find a file. The filtering mechanism is similar to the one in the timeline.
The query schema is : target_element:search_value AND target_element2:search_value2. There is no OR condition and searching without target does not work.
The following target elements can be used to filter :
Here a are a few concepts to better understand how the datastore is working.
Folders represented on the datastore are virtual and do not represent the folders on the system. This is to ensure smooth files operations. The files are never touched again (unless overwritten or deleted) once uploaded. When a file or directory is moved or renamed, only its parent references are updated.
Files are saved by GUID instead of their real names on the system. They are saved under the mapped volume /home/iris/server_data/datastore by default. Then three directories are created :
EvidencesIOCsRegularsWithin each of these, a new subdirectory with the case ID is created when a file is uploaded. This is ensure IOC, which can be harmful, are formally identified on the server itself. Files can be found on the system by looking up the Storage UUID of the file (eg: dsf-f86926ec-513d-4e47-88fa-02110e7fb412) in these directories.
All components of IRIS offers by-default logging in the docker instances. Depending on the OS of the hosts, the location of these logs may differ.
For Debian-based distributions, the logs are usually in /var/lib/docker/containers/. The usually interesting logs in IRIS are the following:
iriswebapp_app : Contains the logs of core of IRIS, including major stack traces and access control output iriswebapp_worker: Contains the logs of the worker and output of modulesiriswebapp_nginx: Contains the logs of the reverse proxy. Every request to IRIS is logged there. Logs of IRIS can be forwarded to a SIEM for monitoring. Below is discussed how to setup Splunk forwarding. Other drivers are available and detailed on the docker website.
/etc/docker/daemon.json and specify the following content: {\n\"log-driver\": \"splunk\",\n\"log-opts\": {\n\"splunk-insecureskipverify\": \"true\", \"splunk-index\": \"iris\",\n\"splunk-token\": \"YOUR HEC TOKEN\",\n\"splunk-url\": \"https://SPLUNK_SERVER:8088\"\n}\n}\nsystemctl reload docker. The logs should appear in the Splunk instance.IRIS has the ability to generate reports based on the data of an investigation. The reports templates can be managed in Advanced > Templates.
Info
This section is only available for users with the Admin role.
There is two types of reports :
The following report formats are supported:
Reports templates are made of tags, which are then processed and filed by the template engine of IRIS. The templates can have any forms as soon as they respect the tags. We are providing two example of reports.
Info
The templates includes a few lines that describes how to handle styles. These should not be removed. They are be present in the generated reports and need to be removed manually.
"},{"location":"operations/reports/#available-tags","title":"Available tags","text":"The following tags are available. None are mandatory. If a tag is mistyped, the generation step will produce an error message.
Hint
To get the list of available tags for a specific IRIS version, head to /case/export?cid=1.
Hint
Standard objects are accessible with {{ objectname }}. List objects can be looped:
{% for object in object_list %}\n {{ object.attribute }}\n {% endfor %} \ncase.name: Name of the casecase.description: Description of the casecase.open_date: Case open date case.close_date: Case close date case.opened_by: User that initially opened the case case.for_customer: Customer linked to the case case.soc_id: SOC ID number linked to the case evidences: List of evidence objects (see below - given evidence as loop variable)
evidence.filename: File name of the evidence evidence.date_added: Date of registration evidence.file_hash: Hash of the evidence evidence.added_by: User who added the evidenceevidence.custom_attributes: Custom attributes of the evidenceiocs: List of IOCs objects (see below - given ioc as loop variable)
ioc.ioc_value: Value of the IOC ioc.ioc_description: Description of the IOCioc.ioc_type: Type of IOC ioc.ioc_tags: Tags linked to the IOC ioc.custom_attributes: Custom attributes of the IOCnotes: List of notes objects (see below - given note as loop variable)
note.note_title: Title of the note note.note_content: Content of the note note.note_creationdate: Creation date of the note note.note_lastupdate: Date of last update note.custom_attributes: Custom attributes of the notetasks: List of tasks objects (see below - given task as loop variable)
task.task_title: Title of the task task.task_description: Description of the task task.task_open_date: Open date of the task task.task_last_update: Last update of the task task.task_close_date: Date of closure task.task_status: Status of the task task.task_tags: Task for the tags task.custom_attributes: Custom attributes of the tasktimeline: List of events objects (see below - given event as loop variable)
event.event_title: Title of the event event.event_content: Content of the event event.event_raw: Raw content of the event event.event_date: Date when the event happened event.event_source: Source of the event event.category: Category of the event event.event_tags: Tags of the events event.last_edited_by: User who last edited the event event.assets: List of assets names linked to the eventevent.custom_attributes: Custom attributes of the eventWe are providing two example of full reports.
The following snippets aimed to be placed directly in the DOCX documents.
"},{"location":"operations/reports/#loops-and-tables","title":"Loops and tables","text":""},{"location":"operations/reports/#standard-loops","title":"Standard loops","text":"A loop needs to be used for list objects. Loop on IOC example
The IOCs of this case are : \n\n{% for ioc in case.iocs %}\n - {{ ioc.ioc_value }}\n - {{ ioc.ioc_description }}\n{% endfor %}\nTo use a loop in a table, a tr tag needs to be added to the loop and the loop directly integrated in the table. Loop on IOC table example
The IOCs of this case are in the following table : \n\n{%tr for ioc in case.iocs %}\n {{ ioc.ioc_value }}\n {{ ioc.type_name }}\n {{ ioc.ioc_description }}\n{%tr endfor %}\nLoops can be nested. Don't forget to close each loop.
Nested loop{%for ioc in case.iocs %}\n\n Custom attributes of {{ ioc.ioc_value }} :\n\n {% for attribute in ioc.custom_attributes %}\n\n - {{ attribute }}\n\n {% endfor %}\n\n{% endfor %}\n{% for asset in assets %} \n\n {% if asset.compromised %}\n Asset {{ asset.asset_name }} is compromised\n {% endif %}\n\n{% endfor %}\nTo check if a list of objects is not empty, use the processor tag count.
{% if assets|count %} \n The case has assets\n{% endif %}\nThe case summary and notes are in markdown. A processor tag should thus be added |markdown. Summary as markdown
This is an example of summary : \n\n{{ case.description|markdown }}\nThis is an example of recursive notes : \n\n{% for note in case.notes %}\n\n My note named {{ note.note_title }} : \n {{ note.note_content|markdown }}\n\n{% endfor %}\nMost of the time an error of generation is due to misspelled tag or a missing closing tag ({% endfor %}, {% endif %}, etc). In case you cannot figure out what is going wrong, don't hesitate to reach us on Discord.
Some basic settings can be set in the section Advanced > Server settings.
Behavior :
Prevent post-init step to register default modules again during boot: By default if a module is deleted and the server is restart, the module will be registered again. Setting this will prevent this behavior. Prevent post-init step to register default case objects again during boot: By default if case objects are deleted and the server is restart, the case objects will be registered again. Setting this will prevent this behavior. Password policy : the password policy can be changed and is applied for the new users and next changes of users password
The tutorials have been discared as we now provide a free demonstration instance on v200.beta.dfir-iris.org. Should you need more information or assistance to use IRIS, you can contact us here.
"},{"location":"operations/upgrades/","title":"Upgrades","text":"Most of the time, Iris handles upgrades of the database automatically when a new version is started, thus no specific actions are required. However, some breaking changes might need manual intervention. Please use the selectors below to assess if a manual action is required.
Your current version: --Please choose current version-- v1.2.1 v1.3.0 v1.3.1 v1.4.0 v1.4.1 v1.4.2 v1.4.3 v1.4.4 v1.4.5 v2.0.0 v2.0.1 v2.0.2 v2.1.0 v2.2.0 v2.2.1 v2.2.2 v2.2.3 v2.3.0 v2.3.1 v2.3.2 v2.3.3 v2.3.4 v2.3.5 v2.3.6 v2.3.7 v2.4.5 v2.4.6 v2.4.7
Upgrading to: --Please choose target version-- v1.2.1 v1.3.0 v1.3.1 v1.4.0 v1.4.1 v1.4.2 v1.4.3 v1.4.4 v1.4.5 v2.0.0 v2.0.1 v2.0.2 v2.1.0 v2.2.0 v2.2.1 v2.2.2 v2.2.3 v2.3.0 v2.3.1 v2.3.2 v2.3.3 v2.3.4 v2.3.5 v2.3.6 v2.3.7 v2.4.5 v2.4.6 v2.4.7
Check upgrades conditions
For production environments, it is highly recommended to make backups of the DB in case any issues occur during upgrades.
"},{"location":"operations/upgrades/#backing-up-db","title":"Backing-up DB","text":"Only if you run in production and/or data is critical.
docker container list docker exec <container> pg_dump -U postgres iris_db | \\ \ngzip > ../iris_db_backup.gz\n zcat ../iris_db_backup.gz | less Stop the dockers
docker-compose stop\nRemove the application dockers
docker-compose rm app worker\nGet the last version of Iris
git checkout <last_tagged_version>\neg git checkout v2.4.7
Build the new versions
docker-compose build --no-cache app worker\nRun IRIS again. The app will handle the DB migration automatically.
docker-compose up\nIn case something went wrong, you can rollback to your previous version and restore data.
docker-compose down db --volumesdocker-compose build --no-cachedocker-compose up dbdocker container listzcat ../iris_db_backup.gz | docker exec -i <container> psql -U postgres -d iris_dbdocker-compose upWarning
v2.4.0 to v2.4.6 contains bugs. Please upgrade to v2.4.7 directly.
The update from previous versions to this one is done automatically. However it introduces a number of changes in the API and access control. It may thus break integrations.
Danger
Access control has been updated. Starting from this version, all users have by-default access deny to all the cases, expect explicitely specified otherwise by group membership or automatic access rights. Users can also now be linked to customers, which automatically give them access to the related alerts and cases.
Please refer to the API documentation to update any integration which may use the following features:
The layout of the reporting has been updated as well. Refer to the https://<server>/case/export?cid=<case_id> endpoint to get all the possible fields.
\u2757 The layout of the reporting has slightly changed. Custom report templates might not work anymore. You can use https://<server>/case/export?cid=<case_id> to get all the possible fields.
No other impact is to be expected.
"},{"location":"operations/upgrades/#v210","title":"v2.1.0","text":"The default location of the SSL certificates have been changed from dockers/nginx/dev_certs to certificates/nginx/web_certificates. The docker-compose.yml has thus been updated to mount this volume on the nginx Docker.
Except these changes, users in v2.0.x can upgrade to v2.1.0 without any manual intervention. Users in v1.4.x need to follow the v2.0.0 upgrade instructions before upgrading to v2.1.0.
"},{"location":"operations/upgrades/#v200","title":"v2.0.0","text":""},{"location":"operations/upgrades/#breaking-changes","title":"Breaking changes","text":"This version brings breaking changes on the following:
.env configurationWarning
Custom made modules need to be upgraded to IRIS Module Interface v1.2.0. Please see modules upgrade for v2.0.0
"},{"location":"operations/upgrades/#instance-migration","title":"Instance migration","text":"To migrate an instance from v1.4.5, one can use the script in upgrades/upgrade_to_2.0.0.py located in the repository. These commands needs to be run from the root of the repository (pwd should return something like /iris-web):
# Pull the lastest version \ngit pull # Checkout to iris v2.0.0\ngit checkout v2.0.0 # Check if upgrades possible\npython3 upgrades/upgrade_to_2.0.0.py --check\n\n# Run the upgrade\npython3 upgrades/upgrade_to_2.0.0.py --install\nThe script will take care of migrating the environment variables to reflect the changes in v2.0.0. Please review the .env file afterward.
The port have been changed 443. The script asks if the previous port should be kept or migrated to the new one.
Once validated, one can proceed with the usual upgrade methodology.
docker-compose stop \ndocker-compose build --no-cache \ndocker-compose up -d\nThis only concerns custom modules not shipped with IRIS Web App. The IRIS module interface has been upgraded to v1.2.0. No breaking changes are associated. One need to change the iris_module_interface dependency to 1.2.0 in the requirements and rebuild the module.
The client has been updated to reflect the latest changes of the API. It also integrates features that were missing previously, such as Datastore Management. Some methods have been deprecated and some other modified. The easiest way to upgrade is to increase the version in the requirements and test. Each deprecated method will produce a warning or raise an exception.
"},{"location":"operations/upgrades/#v145","title":"v1.4.5","text":"If you are coming from IRIS <= v1.3.1 please read this. Changes have been made to the NGINX docker to allow upload of big files for the datastore. It is hence necessary to also rebuild the NGINX docker this time.
docker-compose stopdocker-compose rm app workergit checkout <last_tagged_version> - eg git checkout v1.4.5docker-compose build --no-cache app worker nginxdocker-compose upThis only applies if you are coming from IRIS <= v1.3.1.
This version brings breaking changes in the DB docker by adding a named volume instead of the default one. This implies that previous existing database is ignored as the new docker won't know which volume was previously used. To prevent this, please strictly follow the guide below. This will copy the data of the existing volume, to the new named one.
docker container list. It should look like iris-web-db-xname field with the command below)docker inspect <iris_db> | grep -A5 \"Mounts\"\n# Example of output\n\"Mounts\": [\n{\n\"Type\": \"volume\",\n \"Name\": \"a90b9998a3233a68438c8e099bd0ba98d9f62c9734e40297b8067f9fdb921eb9\",\n \"Source\": \"/var/lib/docker/volumes/a90b9998a3233a68438c8e099bd0ba98d9f62c9734e40297b8067f9fdb921eb9/_data\",\n \"Destination\": \"/var/lib/postgresql/data\",\ndocker-compose stop 4. Create a new empty volume : docker volume create --name iris-web_db_data 5. Run a volume copy via a dummy image : docker run --rm -it -v <previous_db_volume_id>:/from:ro -v iris-web_db_data:/to alpine ash -c \"cd /from ; cp -av . /to\"\n# With the example of 2., this gives \ndocker run --rm -it -v a90b9998a3233a68438c8e099bd0ba98d9f62c9734e40297b8067f9fdb921eb9:/from:ro -v iris-web_db_data:/to alpine ash -c \"cd /from ; cp -av . /to\"\nv1.4.4, build and run. git pull origin git checkout v1.4.4\ndocker-compose build docker-compose up Do not forget to clear out your browser cache, many JS files were changed.
"},{"location":"operations/upgrades/#v143","title":"v1.4.3","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/upgrades/#v142","title":"v1.4.2","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/upgrades/#v141","title":"v1.4.1","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/upgrades/#v140","title":"v1.4.0","text":"A patch exists for this version. Please directly upgrade to v1.4.4
"},{"location":"operations/access_control/","title":"Access control","text":"Changes in v2.4.0
Starting from IRIS v2.4.0 the default access control is deny_all for all users. When upgrading, existing users keep their rights on the existing cases.
IRIS offers a granular access control for cases and management features. Two types of access control are available :
To ease the access control, users can be managed in :
A user can be in one or multiple groups and customers. The effective case access control of a user is deduced from its group and customer membership and its own cases access control. The effective permissions are deduced from its groups membership.
"},{"location":"operations/access_control/#cases-access-control-overview","title":"Cases access control overview","text":"Cases access control offer three levels:
deny_all: No access to the case. The user don't even see the case listed, read_only: Read-only access to the case. The user can see everything related to the case but cannot edit,full_access: Read-write access to the case. The user can see and edit everything related to the case, including closing and deleting the case. Cases access control can be applied through customers, groups and users. It starts with the customers, groups and ends with atomic user access control.
For example, the following configuration gives no access to the user since the atomic user access prevail upon the rest.
stateDiagram-v2\n DefaultPermission --> Group_prevail: DenyAll\n\n state join_groups <<join>>\n Group1 --> join_groups: ReadOnly\n Group2 --> join_groups: DenyAll\n join_groups --> Group_prevail: ReadOnly\n Group_prevail --> Effective_DenyAll: ReadOnly \n\n Effective_DenyAll: Resulting Deny All access for user\n User_Access --> Effective_DenyAll: DenyAllIn the next configuration, the user has Read Only access to the case because the atomic user access is not set, so the access is inherited from the group ownership.
stateDiagram-v2\n DefaultPermission --> Group_prevail: DenyAll\n\n state join_groups <<join>>\n Group1 --> join_groups: ReadOnly\n Group2 --> join_groups: DenyAll\n Group3 --> join_groups: DenyAll\n join_groups --> Group_prevail: ReadOnly\n\n Effective_ReadOnly: Resulting Read Only access for user\n Group_prevail --> Effective_ReadOnly: ReadOnly \n\n User_Access --> Effective_ReadOnly: Not setThis notably allows to create groups which can join a set of people from different organisations to work on the same case.
In the next configuration, the user pertains to a customer, which give automatically Full Access access to all the cases of the customer.
stateDiagram-v2\n DefaultPermission --> Customer_prevail: DenyAll\n\n Customer1 --> Customer_prevail: FullAccess\n Group1 --> Effective_FullAccess: Not set\n\n Effective_FullAccess: Resulting Full Access access for user\n Customer_prevail --> Effective_FullAccess: FullAccess \n\n User_Access --> Effective_FullAccess: Not setIn case the user pertains to a customer but is also in a group, the group access prevail upon the customer access.
stateDiagram-v2\n DefaultPermission --> Customer_prevail: DenyAll\n\n Customer1 --> Customer_prevail: FullAccess\n Group1 --> Group_prevail: ReadOnly\n\n Customer_prevail --> Group_prevail: FullAccess\n\n Group_prevail --> Effective_FullAccess: ReadOnly\n\n Effective_FullAccess: Resulting Read only Access access for user\n\n User_Access --> Effective_FullAccess: Not setFinally, the atomic user access prevail upon the rest.
stateDiagram-v2\n DefaultPermission --> Customer_prevail: DenyAll\n\n Customer1 --> Customer_prevail: FullAccess\n Group1 --> Group_prevail: ReadOnly\n\n Customer_prevail --> Group_prevail: FullAccess\n\n User_access --> User_prevail: DenyAll\n Group_prevail --> User_prevail: ReadOnly\n User_prevail --> Effective_FullAccess: DenyAll\n\n Effective_FullAccess: Resulting Deny all Access access for userPermissions allow to control the access to specific management features on the platform (adding users, cases etc.). A set of permissions are available:
standard_user: which includes the basic access to the interface and create casesserver_administrator: which includes managing users, groupsalerts_read: which includes access to the alertsalerts_write: which includes access to the alerts and the ability to add new onesalerts_delete: which includes the ability to delete the alertssearch across cases: which includes the ability to search across casescustomers_read: which includes the ability to read customerscustomers_write: which includes the ability to add and edit customerscase_templates_read: which includes the ability to read case templatescase_templates_write: which includes the ability to add and edit case templatesactivities_read: which includes the ability to read activitiesall_activities_read: which includes the ability to read all activities of all casesIRIS supports local and LDAP authentication. In both cases, users need to be declared in IRIS.
"},{"location":"operations/access_control/authentication/#local-authentication","title":"Local authentication","text":"Local authentication is the default setting. The password is validated against the local IRIS database. Passwords are stored salted and hashed, it is thus not possible to retrieve them in case they are lost. It is however possible to change them.
"},{"location":"operations/access_control/authentication/#changing-a-lost-password","title":"Changing a lost password","text":"If another administrative user exists : Being logged as this user, head to the Advanced > Access Control > Users section, and change the administrator password.
If no other administrative user exists : the change cannot be done via IRIS and an access to the backend is needed.
Danger
Do not delete and recreate any users directly from the DB! This will create inconsistencies in the relations and certainly corrupt everything.
Generate the hash of the new password with Python BCrypt in Python prompt
import bcrypt\nprint(bcrypt.hashpw('<new_password>'.encode('utf-8'), bcrypt.gensalt()))\nConnect to the DB docker then the Postgresql database iris_db and update the password
docker exec -ti <db_docker_id> /bin/bash\n/ # su postgres\n/ # psql\npostgres=# \\c iris_db \npostgres=# UPDATE \"user\" SET password = '<hash>' WHERE \"user\".name = 'administrator';\npostgres=# \\q\nexit\nexit\nLDAP authentication rely on a LDAP server to verify the password of a user. The user needs to be declared in IRIS.
graph LR\n A[User] -->|Authenticate| B(IRIS WebApp)\n B --> C{User exists in DB?}\n C -->|Yes| D{LDAP accepted password?}\n C -->|No| E[Authentication failed]\n D -->|Yes| F[Authentication succeeded]\n D -->|No| E[Authentication failed]The LDAP settings are present in the .env. Once the LDAP server information is set, reboot the Iris WebApp docker needs to be restarted.
docker-compose restart app\nTo set up LDAP without having run IRIS priorly, and as the app needs the accounts to be created first before using LDAP, one has to set the IRIS_ADM_EMAIL environment with the LDAP Email of the administrator user.
IRIS_AUTHENTICATION_TYPE=ldap\n\n## IP address or FQDN of the ldap server\nLDAP_SERVER=dc1.domain.local\n\n## Port of the LDAP server\nLDAP_PORT=636\n## LDAP Authentication type\nLDAP_AUTHENTICATION_TYPE=SIMPLE\n\n## Prefix to search the users within \nLDAP_USER_PREFIX=uid=\n## Suffix to search the users within\nLDAP_USER_SUFFIX=ou=people,dc=example,dc=com\n\n## Set to True to use LDAPS\nLDAP_USE_SSL=True\n\n## Set to True to verify the server certificate validity\nLDAP_VALIDATE_CERTIFICATE=True\n\n## TLS version to use LDAPS\nLDAP_TLS_VERSION=1.2\n\n## LDAP TLS configuration \nLDAP_CUSTOM_TLS_CONFIG=False\n\n# Set email address of the first user, that will be the admin \nIRIS_ADM_EMAIL=adm@example.com To use LDAP with an Active Directory, the following settings can be used:
Example of LDAP configuration for first run with Active DirectoryIRIS_AUTHENTICATION_TYPE=ldap\n\n## IP address or FQDN of the ldap server\nLDAP_SERVER=dc1.domain.local\n\n## Port of the LDAP server\nLDAP_PORT=636\n## LDAP Authentication type\nLDAP_AUTHENTICATION_TYPE=SIMPLE\n\n## Prefix to search the users within\nLDAP_USER_PREFIX=DOMAIN\\\n## Suffix to search the users within\nLDAP_USER_SUFFIX=\n## Set to True to verify the server certificate validity\nLDAP_VALIDATE_CERTIFICATE=True\n\n## TLS version to use LDAPS\nLDAP_TLS_VERSION=1.2\n\n## LDAP TLS configuration \nLDAP_CUSTOM_TLS_CONFIG=False\n\n# Set email address of the first user, that will be the admin\nIRIS_ADM_EMAIL=adm@example.com To set up LDAP after IRIS was already run, one only needs to set up the settings described previously without # Set email address of admin IRIS_ADM_EMAIL=adm@example.com and restart the docker.
Usernames in IRIS have to match the ones set in LDAP for the authentication to succeed.
"},{"location":"operations/access_control/authentication/#ldap-certificates","title":"LDAP certificates","text":"If the LDAP server uses a self-signed certificate, it is possible to add it to the trusted certificates of the IRIS WebApp docker.
certificates/ldap folder of the IRIS root directory.LDAP_VALIDATE_CERTIFICATE environment variable to True in the .env file.LDAP_CUSTOM_TLS_CONFIG environment variable to False in the .env file.LDAP_CA_CERTIFICATE environment variable certificate path used by the LDAP server in the .env file.If the LDAP server requires a client certificate, it is possible to add it to the trusted certificates of the IRIS WebApp docker.
certificates/ldap folder of the IRIS root directory.LDAP_VALIDATE_CERTIFICATE environment variable to True in the .env file.LDAP_CUSTOM_TLS_CONFIG environment variable to True in the .env file.LDAP_PRIVATE_KEY environment to the file name of the key in the .env file LDAP_PRIVATE_KEY_PASSWORD environment variable to the password of the key in the .env file - if needed Groups offer the possibility to set case access as well as permissions. By default two groups are created:
Administrator: users in this group hold the server_administrator permission, Analysts: users in this group hold the standard_user permission Both groups are set to give full cases access to the users.
"},{"location":"operations/access_control/groups/#setting-up-a-new-group","title":"Setting up a new group","text":"Head to the Access Control page and click Add group.
Fill the form. All the fields can be changed later on. The field Group name has to be unique on the IRIS instance. Access control and members can be set once the group is created.
The group can be configured once created by clicking on it in the list.
"},{"location":"operations/access_control/groups/#users","title":"Users","text":""},{"location":"operations/access_control/groups/#adding-users-to-a-group","title":"Adding users to a group","text":"To add users to the group, go to the Members tab and click Manage.
The User Manager should load and offers a list of users that can be added to the group. Select all the users you want to add to the group and press Save.
Permissions computation
When a user is added/removed to a group, its effective cases access are recomputed. Depending on the number of cases and users added/removed this can take some time. This process helps reducing the DB load when using IRIS during normal operation.
"},{"location":"operations/access_control/groups/#removing-users-from-a-group","title":"Removing users from a group","text":"To remove users from the group, go to the Members tab and click Manage.
The User Manager should load and present a list of both users already in the group as well as the ones that can be added. To remove one or more users, un-tick them from the list and press Save.
Alternatively, a user can be directly removed from within the group manager. Click on the red trash next to the user to remove and confirm the deletion.
"},{"location":"operations/access_control/groups/#cases","title":"Cases","text":""},{"location":"operations/access_control/groups/#adding-cases-to-the-group","title":"Adding cases to the group","text":"Access to one or multiple existing cases can be granted to a group. From within the Group Manager, go to the Cases Access tab and click Set case access.
The Cases Access Manager loads and gives the possibility to set the access to one or more cases.
Three choices of access are offered:
deny_all: No access at all to the case. The users won't even see the case listed, read_only: Read-only access to the case. The users can see everything related to the case(s) but cannot change anything,full_access: Read-Write access to the case. The users can see and change everything related to the case. Once the desired access is selected, press Set access.
Permissions computation
As for the addition of users, when a case is added/removed to a group, all the users' effective cases access are recomputed. Depending on the amount of cases added/removed and number of users this can take some time. This process helps reducing the DB load when using IRIS during normal operation.
"},{"location":"operations/access_control/groups/#removing-cases-from-the-group","title":"Removing cases from the group","text":"From within the Group Manager, go to the Cases Access tab. Click on the red trash next to the case to remove and confirm the deletion.
A group can be deleted by clicking on its name in the list and then Delete at the bottom of the Info tab.
Authentication
Looking for authentication settings? It's here
Whatever the authentication mechanism used (Local or LDAP), the users have to be declared in IRIS. This is done in Advanced > Access Control > Users.
Head to Advanced > Access Control > Users and click Add user. All fields of the form are required. All information can be changed after the creation.
Note
Permissions and groups can be set once the user is created.
Advanced > Server settings. The password also has to be set when using LDAP, it is then however not used for the authentication. A random password can be set when using LDAP. No password is required when the user is set as a service account. Service accounts
Service accounts users can use the API to perform any actions on the instance. They cannot login to the UI and they don't have a password.
"},{"location":"operations/access_control/users/#editing-a-user","title":"Editing a user","text":"
A user can be edited by clicking on its name or ID in Advanced > Access Control > Users. A window opens and display the user's information. Tabs at the top allow to configure multiple settings related to the user.
Permissions of a user cannot be set directly. They are inherited from the groups membership. The tab Permissions only displays the permissions the user has from its groups memberships. See Groups for more info.
Groups can be set by clicking on the Groups tab of the user's window and then Manage.
A new window appears with the possibility to select the groups the user should belong to.
After saving, the permissions of the user are updated. This can be verified in the Permissions tab.
Customers can be set by clicking on the Customers tab of the user's window and then Manage.
A new window appears with the possibility to select the customers the user should belong to.
"},{"location":"operations/access_control/users/#setting-cases-access","title":"Setting cases access","text":"Cases access are usually set through groups membership. However for granularity they can be set per user. To set the access of a user on a case, click on the Cases access tab of the user's window and then Set case access.
As for the Groups, a selector appears and allows to select one or multiple cases and the access to associate.
Info
Application of a case access is immediate, even if the user is logged in and browsing the case.
Info
Granular case access can also be set from a case itself, in Summary > Manage > Access.
A user can be deactivated, which has the following impact:
"},{"location":"operations/access_control/users/#deleting-a-user","title":"Deleting a user","text":"
It is usually not possible to delete a user. This is to keep consistency in the database. A user can be deleted if it has done absolutely no actions on the platform. If a user leaves the organisation, it is recommended to rename the user and deactivate it.
"},{"location":"operations/cases/case_operations/","title":"Case operations","text":""},{"location":"operations/cases/case_operations/#opening-a-case","title":"Opening a case","text":"
To open a case anywhere, press the + button in the top right corner. A popup appears and allows to fill the basic information of the new case.
A new window appears, requesting additional information. The following information are required:
The following information is optional:
Once Create is clicked, the case is created and a popup ask whether to the get redirected to the case or to add a new one.
Each case has its own context. To switch between cases/context, either click on the name of the current case at the top left, or click on the switch button on the top right.
A popup appears and allows to select the case to switch to. By default the last 100 cases are displayed. To look further in the past, one can use the search bar. Press Save to validate the switch. The page reloads with the new context.
A case metadata can be updated by going switching the case context and heading to Case > Summary. Clicking on Manage brings up a new window with the case metadata. The right pencil button allows to edit the metadata.
The following information can be updated:
Open. This defines the state of the case (open, closed, etc.). Unknown. This defines if the case is a true positive, false positive, etc. MediumOpenThe access of a case can be updated by going to Case > Summary > Manage, and from the popup, clicking on the Access tab.
Changes of access are immediately applied.
"},{"location":"operations/cases/case_operations/#closing-a-case","title":"Closing a case","text":"A case can be closed by going to Case > Summary > Manage, and from the popup, clicking on the Close case button. Closing a case doesn't delete it and it can be reopened at any time. The case can also be modified after it has been closed.
The modifications history of a case can be retrieved by going to Case > Summary > Manage, and from the popup, clicking on the history icon next to the case name.
IOCs are observables that were identified during the investigation, or that led to the case creation upon monitoring activities.
"},{"location":"operations/cases/iocs/#add-an-ioc","title":"Add an IoC","text":"An IoC object could be created by going to Case > IOC. Clicking on Add IOC in the top right corner brings up a new window for the IoC creation.
A new window appears, requesting additional information. The following information is required:
Amber by default)The following information is optional:
Once Save is clicked, the ioc is created.
IoC object data can be updated by clicking on the IoC value in the Case > IOC table. A popup appears and allows to change required and non-required fields.
Once Update is clicked, the IoC is updated.
IoC objects can be enriched in order to add valuable information to it.
"},{"location":"operations/cases/iocs/#comment-an-ioc","title":"Comment an IoC","text":"To comment an IoC, one can right click on it, in the Case > IOC menu, and select Comment. A new pop-up appears and allows to leave comments. This is also achievable by clicking on the IoC value in the Case > IOC table, and by clicking on the Comment button.
To have more information about modules, see the Modules section.
A set of modules can be launched to enrich IoCs. To do so, one can right click on the IoC , in the Case > IOC table, and select the module of choice. This is also achievable by clicking on the IoC value in the Case > IOC table, by clicking the Option button, and selecting the desired module.
The results of the module will appear in newly created tabs, in the IoC details. To view the tabs, click on the the IoC value.
"},{"location":"operations/cases/iocs/#delete-an-ioc","title":"Delete an IoC","text":"This will permanently delete the IoC and its attributes
To delete an IoC, one could either right click on the IoC, and select Delete, or click on the IoC value, and click on the Delete button.
The IOC is only unlinked from the case if it references other cases
"},{"location":"operations/cases/notes/","title":"Notes","text":"Attention
The notes layout has been updated in IRIS 2.4.0. The following documentation is valid for IRIS 2.4.0 and above.
IRIS allows analysts to add notes to cases. Notes can be added to a case from the Notes tab. Notes are organized by directories. A note has to live within a directory.
To add a directory, click on the + directory icon on the left side of the Notes tab. A new directory is added to the list and asks for a name.
The title of the directory can be edited by right clicking on it and selecting Rename.
To add a note, right click on the directory and select Add note. A new note is added to the list.
To rename the note, double click on the title and press enter to confirm.
"},{"location":"operations/cases/notes/#operations","title":"Operations","text":"Notes and directories can be moved. Right click on the note or directory and select Move. A popup appears and allows to select the destination directory.
Tasks allow incident handlers to split the workload into unit tasks, and to assign them to the team members.
"},{"location":"operations/cases/tasks/#add-a-task","title":"Add a task","text":"A task can be created by going to Case > Tasks. Clicking on Add Task in the top right corner brings up a new window for the task creation.
A new window appears, requesting additional information. The following information is required:
The following information is optional:
Once Save is clicked, the task is created.
Task metadata can be updated by clicking on the task title in the Case > Tasks table. A popup appears and allows to change required and non-required fields.
Once Update is clicked, the task is updated.
Tasks can be commented. This provide the ability for analysts to give more in-deepth information on the task execution (what did they do, how did they do, what are the results, etc.)
To comment a task, one can either right click on the task line and select Comment, or click on the task title, and click on the Comment button. A new windows appears and allows to add comments to the task.
Once Comment is clicked, in the last window, a comment is added to the task. Comments are editable and removable.
New types of modules are introduced in IRIS v1.4.0
IRIS can be extended with modules. They can be split in two types:
Modules (or DIM - DFIR-IRIS Modules) are actually Python packages which must be installed in the Python environment of iris-webapp and the worker (see Quick Start). Once installed in the Python environment, modules can be managed in Advanced > Modules.
Info
This section is only available for users with the Admin role.
By default IRIS is shipped with multiple modules.
To add a module, the user can click on the \"+\" button:
Then the user must enter the name of the pre-installed module. The name of the pip package must be used.
If everything is ok, the module will appear on the list. It is currently disabled, and needs configuration before it can be enabled. To do so, the user can click on the module's name:
A new text box appears, showing information about the module, and a list of parameters to configure. Each mandatory parameter must be configured to enable the module.
After configuring all the mandatory parameters, the \"Enable button\" is revealed and the user can finally enable the module.
That's all! The user can confirm in the summary that the module is indeed enabled and ready to use.
Finally, the user can either disable or remove the module by clicking on the according buttons.
Now that the module is configured and enabled, let's see how we can use it!
NB: As a temporary fix, after adding and configuring a module, one must restart the IRIS services (dockers) else the worker won't have the module installed properly.
"},{"location":"operations/modules/mod_management/#how-to-use-the-module","title":"How to use the module","text":"As stated in the beginning, a module extends the capabilities of IRIS. For now, it allows importing evidences of your needs into what we call a pipeline, where data will be handled in the module (checking, parsing, ingestion...). In our provided module, IrisEVTXModule ingest EVTX files, parse them as JSON, and send the results to a Splunk instance using its HTTP event collector (HEC) endpoint.
In IRIS, the files are always imported in the context of a case. To import a file, the user can click on Manage cases then Update tab.
In Processing pipeline, the user can pick a pipeline that will send the files to the wanted module. In our example, EVTX pipeline refers to the IrisEVTXModule module. Below, the user can fill the arguments needed by the according pipeline. Arguments can be optional. Finally, the user can import one or several files and click Update to start their processing by the module.
You can see in the picture below that the user will import four EVTX files.
The user can follow the upload of the different files with their respective progress bars.
Once uploaded, the status of the task can be observed on the DIM Tasks page.
Clicking on a Task ID shows information on the task processing.
After the processing of the files by the module, the list of the imported files is stored in the Evidences tab of the according case.
Introduced in IRIS v1.4.0
This module offers an interface with MISP and IRIS to automatically enrich IOCs with MISP insight.
The source code is available here. It is installed by default but needs to be configured to be enabled.
Note
The module is in its early stage and new features will be added over time.
"},{"location":"operations/modules/natives/IrisMISP/#features","title":"Features","text":"Two types of enrichement mecanism are proposed :
Get MISP insight. This sends the targets IOCs to the module and insights will be fetched and applied. The following types of IOCs are handled by the module :
The insight request on an IOC not handled is simply ignored.
The insights take the form of attributes added to the IOC. They are based on configurable templates.
"},{"location":"operations/modules/natives/IrisMISP/#configuration","title":"Configuration","text":"The behavior of the module can be configured as needed. Head to the Advanced > Modules > IrisMISP to change it.
At the time, only one MISP can be added. Future version might handled more than one MISP. The expected structure is the following :
{\n\"name\": \"Public_MISP\", \"type\":\"public\", \"url\":[\"https://testmisp\"],\n\"key\":[\"<apikey>\"], \"ssl\":[false]\n}\nIntroduced in IRIS v1.4.0
This module offers an interface with VirusTotal and IRIS to automatically enrich IOCs with VT insight. The source code is available here. It is installed by default but needs to be configured to be enabled.
"},{"location":"operations/modules/natives/IrisVT/#features","title":"Features","text":"Two types of enrichment mechanism are proposed :
Get VT insight. This sends the targets IOCs to the module and insights will be fetched and applied. The following types of IOCs are handled by the module :
The insight request on an IOC not handled is simply ignored.
Two types of insights are proposed :
vt:malicious or vt:suspicious tag if the detection thresholds are met (configurable). For domains, an ASN tag can also be added. The behavior of the module can be configured as needed. Head to the Advanced > Modules > IrisVT to change it.
vt:malicious. To disable, add a value > 100. vt:suspicious. To disable, add a value > 100. This module offers webhooks support for IRIS. It can be configured to send almost any events to to an external service supporting webhooks, such as Discord, Slack or Microsoft Teams. It can also be used with automation tools such as Tines and Shufle to further automate IRIS. The source code is available here.
"},{"location":"operations/modules/natives/IrisWebHooks/#features","title":"Features","text":"Slack Example
"},{"location":"operations/modules/natives/IrisWebHooks/#configuration","title":"Configuration","text":"The expected configuration is a JSON file, following the structure :
{ \"instance_url\": \"<IRIS_INSTANCE_URL>\",\n\"webhooks\": [\n{\n\"name\": \"Name of the webhook for internal reference only\",\n\"active\": false,\n\"trigger_on\": [<LIST OF HOOKS TO LISTEN TO>],\n\"request_url\": \"<URL OF THE WEBHOOK>\",\n\"use_rendering\": true,\n\"request_rendering\": \"<RENDERING TYPE OF THE MESSAGE>\", \"request_body\": {<BODY OF THE REQUET TO SEND>}\n},\n{\n\"name\": \"Another hook\",\n\"active\": false,\n\"use_rendering\": false,\n\"trigger_on\": [<LIST OF HOOKS TO LISTEN TO>],\n\"request_url\": \"<URL OF THE WEBHOOK 2>\",\n\"request_rendering\": \"<RENDERING TYPE OF THE MESSAGE>\", \"request_body\": {<BODY OF THE REQUEST TO SEND 2>}\n}\n]\n}\ninstance_url: Base URL of IRIS. This is used to set the links in the messageswebhooks: A list of JSON describing the webhooks For each webhook:name: Internal name of the webhook, this can be anything active: Optional - Set to false to disable the webhook trigger_on: List of IRIS hooks for which the webhook should be triggered. Only the on_postload_XX hooks are supported. To enable a set of hooks without writing them all, the following keywords can be used : all: Includes all on_postload hooks all_create: Includes all on_postload_XX_create hooksall_update: Includes all on_postload_XX_update hooksrequest_url: The URL provided by the webhook receiver. For instance for Slack : see how to get onerequest_rendering: URLs rendering may be specific from one receiver to another. The modules supports the following : markdown: Format the message as markdown. This can be used with Discord for instance markdown_slack: Format the message as markdown, with some specificities of Slack. html: Format the message as HTML. request_body: The request body to be sent to the webhook receiver. If use_rendering is true, then two markups can be used to set the content of the webhook. The request has to be in JSON format and is sent as-is after replacements of the markups. %TITLE%: Is replaced with name of the case and event title, e.g \"[#54 - Ransomware] IOC created\"%DESCRIPTION%: Description of the event, e.g \"UserX created IOC mimi.exe in case #54\" If use_rendering is false, then a raw json representation of the object related to the hook is available. See examples for more details. manual_trigger_name: The name of the manual trigger in the UI. This should be set if the registered hook is of type on_manual_trigger. This name is displayed as a new menu option in the UI for the target object. use_rendering: Whether the data should be formated in Markdown or not. If set to false, then the request body field can use the raw data such as assets. This will result in a request with the body containing the assets JSON representation related to the call of the hook. See examples for more details. Each time a webhook is added, the module subscribes to the specified hooks. After saving the configuration, one can check the registration was successful by filtering the Registered hooks table (don't forget to refresh the table).
The following example is a combination of webhooks that can be used to further automate IRIS. It uses Tines as an example, but this is reproductible with any automation tool that can sent HTTP requests. A Tines story is created and is set up to receive a webhook, such as https://anothertest.tines.io/webhook/xxxx/xxxxx. In this scenario, two IRIS webhooks are added:
on_manual_trigger_ioc_update hook. on_postload_case_create hook. We use the same Tines story and thus Tines webhook for both and dispatch the incoming request depending on its parameters.
"},{"location":"operations/modules/natives/IrisWebHooks/#todo","title":"TODO","text":""},{"location":"operations/modules/natives/IrisWebHooks/#examples-using-rendering","title":"Examples using rendering","text":"The following is an example of combined webhooks configuration. It can be directly imported in the module with the import feature. Please note that after import, the configuration should be opened and change to match your URL webhook receiver.
Download webhooks combined configuration example
"},{"location":"operations/modules/natives/IrisWebHooks/#discord","title":"Discord","text":"Discord webhook example - selection of events{ \"instance_url\": \"https://iris.local\",\n\"webhooks\": [\n{\n\"name\": \"Discord\",\n\"trigger_on\": [\n\"on_postload_ioc_create\",\n\"on_postload_ioc_update\",\n\"on_postload_note_create\",\n\"on_postload_note_update\"\n],\n\"request_url\": \"https://discord.com/api/webhooks/XXXX/XXXX\",\n\"request_rendering\": \"markdown\", \"request_body\": {\n\"embeds\": [{\n\"description\" : \"%DESCRIPTION%\",\n\"title\" : \"%TITLE%\"\n}]\n}\n}\n]\n}\n{ \"instance_url\": \"https://iris.local\",\n\"webhooks\": [\n{\n\"name\": \"Slack\",\n\"trigger_on\": [\n\"all\"\n],\n\"request_url\": \"https://hooks.slack.com/services/<XXX>/<XXX>/<XXX>\",\n\"request_rendering\": \"markdown_slack\",\n\"request_body\": {\n\"text\": \"%TITLE%\",\n\"blocks\": [\n{\n\"type\": \"section\",\n\"text\": {\n\"type\": \"mrkdwn\",\n\"text\": \"*%TITLE%*\"\n}\n},\n{\n\"type\": \"section\",\n\"block_id\": \"section567\",\n\"text\": {\n\"type\": \"mrkdwn\",\n\"text\": \"%DESCRIPTION%\"\n}\n}\n]\n}\n}\n]\n}\nWebhooks receivers are expecting specific message formatting to successfully process them. Please carefully read their documentations.
The module only handles JSON POST for the moment. If the target webhook receiver needs another type of request, please contact us so we can add it.
As any IRIS module, IrisWebhooks is logged into DIM Tasks. You can check the status of the requests made in these. Go to DIM Tasks and then filter with webhooks. You can then check details info by clicking in the Task ID. More info might be available in the Docker worker logs depending on the situation.
dfir_iris_client offers a Python interface to communicate with IRIS.
It relies exclusively on the API, which means output of the methods are the same as specified in the API reference.
"},{"location":"python_client/#installation","title":"Installation","text":"It can be easily with pip : pip3 install dfir_iris_client.
The source code of the project is available here.
"},{"location":"python_client/#versions","title":"Versions","text":"The Python client version follows the API versions (until the patch level). Meaning for API v1.0.1, one need to install dfir_iris_client-1.0.1.
Examples of usage are available here.
"},{"location":"python_client/#documentation","title":"Documentation","text":"The documentation of the client is available on client.docs.dfir-iris.org.
"}]} \ No newline at end of file diff --git a/2.4.7/sitemap.xml b/2.4.7/sitemap.xml index 64df66ad..c1e282ce 100644 --- a/2.4.7/sitemap.xml +++ b/2.4.7/sitemap.xml @@ -2,222 +2,222 @@