# IRIS DFIR

This Integration is part of the IRIS DFIR Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

IRIS is a free and open-source collaborative platform that helps incident responders share technical details during investigations. This integration was integrated and tested with version v2.3.6 of IRIS DFIR.
## Configure IRIS DFIR on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for IRIS DFIR.
3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server IP or Host Name (e.g., https://192.168.0.1) |  | True |
    | API Key | API key for authentication. | True |
    | Trust any certificate (not secure) |  | False |
    | Use system proxy settings |  | False |
    | Fetch incidents |  | False |
    | Incidents Fetch Interval |  | False |
    | Incident type |  | False |
    | Incident Last Case ID | Fetch all the cases starting from this value, not including it. | False |

4. Click Test to validate the URLs, token, and connection.
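The Incident Last Case ID semantics in the table above (fetch every case with an id above the stored value, excluding the stored id itself) are illustrated by the following added Python example, which is not the integration's own code. The sample cases are constructed from the field names this integration returns; the `fetch_incidents` name, the duplicate handling and the MM/DD/YYYY date parsing are assumptions.

```python
"""Added illustration (not the integration's own code) of the
'Incident Last Case ID' cursor semantics: every case whose case_id is
greater than the stored value is fetched, the stored id itself is not,
and the highest id fetched becomes the next cursor."""
import json
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed sample cases using the field names this integration returns.
# Deliberately unordered and containing one duplicate of case 32.
SAMPLE_CASES: List[Dict[str, Any]] = [
    {"case_id": 32, "case_name": "#32 - TEST 7", "state_name": "Opened",
     "classification": "malicious-code:dialer", "case_open_date": "12/18/2023"},
    {"case_id": 29, "case_name": "#29 - case null 0000f", "state_name": "Opened",
     "classification": "malicious-code:dialer", "case_open_date": "12/14/2023"},
    {"case_id": 31, "case_name": "#31 - TEST 5", "state_name": "Opened",
     "classification": "malicious-code:ransomware", "case_open_date": "12/18/2023"},
    {"case_id": 32, "case_name": "#32 - TEST 7", "state_name": "Opened",
     "classification": "malicious-code:dialer", "case_open_date": "12/18/2023"},
]


def to_iso(open_date: str) -> str:
    """Assumption: IRIS returns open dates as MM/DD/YYYY, as in the examples."""
    return datetime.strptime(open_date, "%m/%d/%Y").strftime("%Y-%m-%dT%H:%M:%SZ")


def fetch_incidents(cases: List[Dict[str, Any]],
                    last_case_id: int) -> Tuple[List[Dict[str, Any]], int]:
    """Return (incidents, new_last_case_id).

    Cases are processed in ascending case_id order so the cursor never
    skips an id; ids at or below the cursor and duplicate ids are dropped.
    """
    incidents: List[Dict[str, Any]] = []
    seen = set()
    for case in sorted(cases, key=lambda c: int(c["case_id"])):
        case_id = int(case["case_id"])
        if case_id <= last_case_id or case_id in seen:
            continue
        seen.add(case_id)
        incidents.append({
            "name": case["case_name"],
            "occurred": to_iso(case["case_open_date"]),
            "rawJSON": json.dumps(case),  # full case kept for field mapping
        })
    new_last = max(seen) if seen else last_case_id
    return incidents, new_last


if __name__ == "__main__":
    fetched, cursor = fetch_incidents(SAMPLE_CASES, last_case_id=29)
    print(f"fetched {len(fetched)} new case(s); next cursor = {cursor}")
```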
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### iris-get-last-case-id

Gets the last case's information from IRIS.

#### Base Command

`iris-get-last-case-id`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_soc_id | string | SOC ID of the case ticket |
| IRIS.case_id | number | Case ID (ticket number) |
| IRIS.case_description | string | Case description |
| IRIS.opened_by | unknown | User who opened the case |
| IRIS.owner | unknown | Case owner |
| IRIS.classification_id | number | Case classification ID |
| IRIS.state_name | string | Case state name |
| IRIS.case_open_date | unknown | Case open date |
| IRIS.case_name | string | Case name |
| IRIS.client_name | string | Case client name |
| IRIS.classification | string | Case classification |
| IRIS.case_uuid | string | Case UUID |
| IRIS.state_id | string | Case state ID |
| IRIS.access_level | string | Case access level |

#### Command example

`!iris-get-last-case-id`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| access_level | case_description | case_id | case_name | case_open_date | case_uuid | classification | classification_id | client_name | opened_by | opened_by_user_id | owner | owner_id | state_id | state_name |
>| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
>| 4 | TEST 7 | 32 | #32 - TEST 7 | 12/18/2023 | 47ae5435-4c25-4408-bf86-98277807b2fa | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
### iris-get-all-cases

Returns a list of all IRIS DFIR cases.

#### Base Command

`iris-get-all-cases`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_soc_id | unknown | SOC ID of the case ticket |
| IRIS.case_id | number | Case ID (ticket number) |
| IRIS.case_description | unknown | Case description |
| IRIS.opened_by | unknown | User who opened the case |
| IRIS.owner | unknown | Case owner |
| IRIS.classification_id | number | Case classification ID |
| IRIS.state_name | unknown | Case state name |
| IRIS.case_open_date | unknown | Case open date |
| IRIS.case_name | unknown | Case name |
| IRIS.client_name | unknown | Case client name |
| IRIS.classification | unknown | Case classification |
| IRIS.case_uuid | unknown | Case UUID |
| IRIS.state_id | unknown | Case state ID |
| IRIS.access_level | unknown | Case access level |

#### Command example

`!iris-get-all-cases`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| access_level | case_close_date | case_description | case_id | case_name | case_open_date | case_soc_id | case_uuid | classification | classification_id | client_name | opened_by | opened_by_user_id | owner | owner_id | state_id | state_name |
>| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
>| 4 |  | TEST 7 | 32 | #32 - TEST 7 | 12/18/2023 |  | 47ae5435-4c25-4408-bf86-98277807b2fa | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | TEST 5 | 31 | #31 - TEST 5 | 12/18/2023 |  | 5d5e6bc6-2c83-4c77-9f87-fb12d82e1e35 | malicious-code:ransomware | 6 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | case null 0000f<br>### dsdsdsd | 29 | #29 - case null 0000f | 12/14/2023 |  | e7ed6439-799a-4eaf-b16c-cde8f7a10ffc | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | malware byte you<br>test22222 | 28 | #28 - malware byte you | 12/14/2023 | test-eu-111 | 2aeb9026-7b1d-4caa-a22d-b95e7507eec8 | abusive-content:harmful-speech | 2 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 4 | Containment |
>| 4 |  | test jira fields<br>### 12244434 | 27 | #27 - test jira fields | 11/30/2023 |  | 6b8d5e9a-e27b-4a6a-b27d-059b235f0814 | malicious-code:spyware-rat | 8 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | Evil rootkit<br>##<br>machine evil | 26 | #26 - Evil rootkit | 11/22/2023 | CERT-EU-846327 | dec1a169-37cf-44b0-8e9d-78b51efebbc0 | malicious-code:rootkit | 10 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 5 | Eradication |
>| 4 |  | mail spam<br>spam 1234444 | 25 | #25 - mail spam | 11/22/2023 | CERT-EU-8213423 | 83317f2e-72df-4934-a283-500fecd0e758 | abusive-content:spam | 1 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 4 | Containment |
>| 4 |  | Evil spyware<br>dark 123 machine local | 24 | #24 - Evil spyware | 11/22/2023 | CERT-EU-896492 | c63dc059-b8a7-4595-bc2b-833e4798e3ac | malicious-code:spyware-rat | 8 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | Scanning VIP<br>fdsfdsfsdfsdfsdfsdf | 23 | #23 - Scanning VIP | 11/22/2023 | CERT-EU-2316346 | cd85ed04-fa5a-4f47-8a3f-0280297a3d53 | information-gathering:scanner | 11 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | virus id 2244<br>testing 123<br>machine 10.0.0.1 | 20 | #20 - virus id 2244 | 11/22/2023 | CERT-EU-55 | 6e71ba63-ad61-4c7e-8b4e-10f16a65cb36 | malicious-code:virus | 4 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | rootkit blabla<br>machine.dark.local malware baisfldasnfadsf | 19 | #19 - rootkit blabla | 09/29/2023 | CERT--EU-444 | a48eed36-cc03-4a42-a13b-3af41a76dccb | malicious-code:rootkit | 10 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 | 09/28/2023 | Phishing EU member<br>blabla | 18 | #18 - Phishing EU member | 09/28/2023 | CERT-EU-77 | a9803459-461b-4442-a11e-b6440a91cd85 | fraud:phishing | 30 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 9 | Closed |
>| 4 |  | Phishing EU official<br>test ticket !!! | 17 | #17 - #17 case custom attrib test | 08/09/2023 | soc_id_demo | c034f0fa-d19c-480a-8b1d-045b558915d0 | abusive-content:harmful-speech | 2 | CERT-EU | nouser2 | 1 | Natasha Carl | 2 | 4 | Containment |
>| 4 | 09/25/2023 | spam test ticket<br>blah | 16 | #16 - spam test ticket | 07/13/2023 | CERT-EU-21 | 71636b85-ef58-4d45-a5bf-faa2ac00031a | abusive-content:spam | 1 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 9 | Closed |
>| 4 |  | dark.local<br>testing notes | 15 | #15 - Virus detected on VM dark.local | 07/13/2023 | CERT-EU-20 | 94e4a63a-3c8b-4a4e-ae02-b32c0c1b6386 | malicious-code:virus | 4 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 2 | In progress |
>| 4 |  | ROOTKIT TEST<br>THIS IS A TEST FORM | 13 | #13 - ROOTKIT TEST | 06/08/2023 | CERT-EU-19 | 6f8a72b5-2c82-4654-b84a-e8e10e9299de | malicious-code:rootkit | 10 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 | 09/26/2023 | Scanning ports machine X<br>- 1<br>- 2<br>- 3<br>-<br>## EDITED | 12 | #12 - Scanning ports machine X | 06/08/2023 | CERT-EU-18 | 3662a525-d572-495c-9d25-45920c3ad1ce | information-gathering:scanner | 11 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 9 | Closed |
>| 4 |  | Code Dialer<br>### TEST CODE CODE | 11 | #11 - Code Dialer | 06/08/2023 | CERT-EU-17 | f0b3b128-88f3-4a37-a908-58ecb5fc7c89 | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | spyware test 1 | 10 | #10 - spyware test 1 | 06/08/2023 | CERT-EU-16 | 38ba94bf-978f-4073-99af-291f79889b0b | malicious-code:spyware-rat | 8 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | Social Eng | 9 | #9 - Social Eng | 06/07/2023 | CERT-EU-15 | 35070554-73c1-421a-bdbb-b840f09411b4 | information-gathering:social-engineering | 13 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | WAF invaded | 8 | #8 - WAF invaded | 06/07/2023 | CERT-EU-15 | 9bab6e73-be89-497c-bfc1-25e213f933eb |  |  | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | A virus has been detected on machine machine.darkside.in<br>DDOS<br>\| Port \| Protocol \|Hostname\|<br>\|--\|--\|--\|<br>\| 443 \| TCP \|machine.darkside.in\|<br>```echo Please investigate !```<br>### HELP ! | 7 | #7 - test command 1 | 06/07/2023 | CERT-EU-14 | e88efdc4-6811-4c59-aca6-7eeefab72a81 | availability:ddos | 23 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 6 | Recovery |
>| 4 |  | A virus has been detected on machine machine.darkside.in<br>\| Port \| Protocol \|Hostname\|<br>\|--\|--\|--\|<br>\| 443 \| TCP \|machine.darkside.in\|<br>```echo Please investigate !```<br>### HELP ! | 6 | #6 - Malware detected on machine.darkside.in | 06/07/2023 | CERT-EU-13 | 4f7d583d-7724-4be3-9137-7ca248630bc0 |  |  | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | Ransomware test | 3 | #3 - CERT-EU Ransomware test | 06/05/2023 | CERT-EU-82 | 7b9ec75f-f194-4d73-a98a-b657b40b2cc4 | malicious-code:ransomware | 6 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 |  | A virus has been detected on machine darkpace.evil<br>\| Port \| Protocol \|Hostname\|<br>\|--\|--\|--\|<br>\| 443 \| TCP \|darkplace.evil\|<br>```echo Please investigate !```<br>### HELP ! | 2 | #2 - virus-windows-11 | 06/05/2023 | CERT-EU-12 | 1a5e6534-571f-4788-b4f5-47cc6b0c18bc | malicious-code:virus | 4 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
>| 4 | 06/05/2023 | This is a demonstration. | 1 | #1 - Initial Demo | 06/05/2023 | soc_id_demo | 46480e7c-5b78-42c5-8b2e-678991a8a495 |  |  | CERT-EU | nouser2 | 1 | nouser2 | 1 | 2 | In progress |
### iris-close-case-id

Closes a specific case by ID.

#### Base Command

`iris-close-case-id`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_name | unknown | Case name |
| IRIS.case_soc_id | unknown | Case SOC ID |
| IRIS.open_date | unknown | Case open date |
| IRIS.close_date | unknown | Case close date |

#### Command example

`!iris-close-case-id case_id=9`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| case_customer | case_description | case_id | case_name | case_soc_id | case_uuid | classification_id | close_date | modification_history | open_date | owner_id | state_id | status_id | user_id |
>| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
>| 1 | Social Eng | 9 | #9 - Social Eng | CERT-EU-15 | 35070554-73c1-421a-bdbb-b840f09411b4 | 13 | 2024-01-22 | 1686161424.82484: {"user": "nouser2", "user_id": 1, "action": "created"}<br>1694445948.238388: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694446268.42952: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694446597.253438: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694446626.551442: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447102.368478: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447187.785556: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447233.805542: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447256.462593: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447324.542543: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447772.724512: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1694448681.95518: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694449204.048061: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694449647.332296: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1694449754.493539: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694450199.853172: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1694452250.114495: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694452672.978887: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1704711697.835427: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1704711700.739643: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1704711947.950361: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1704711950.774661: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1705935117.44055: {"user": "nouser2", "user_id": 1, "action": "case closed"} | 2023-06-07 | 1 | 9 | 0 | 1 |
### iris-reopen-case-id

Reopens a specific case by ID.

#### Base Command

`iris-reopen-case-id`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_soc_id | unknown | Case SOC ID |
| IRIS.case_id | unknown | Case ID |
| IRIS.close_date | unknown | Case close date |
| IRIS.open_date | unknown | Case open date |
| IRIS.case_name | unknown | Case name |
| IRIS.closing_note | unknown | Case closing note |

#### Command example

`!iris-reopen-case-id case_id=9`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| case_customer | case_description | case_id | case_name | case_soc_id | case_uuid | classification_id | modification_history | open_date | owner_id | state_id | status_id | user_id |
>| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
>| 1 | Social Eng | 9 | #9 - Social Eng | CERT-EU-15 | 35070554-73c1-421a-bdbb-b840f09411b4 | 13 | 1686161424.82484: {"user": "nouser2", "user_id": 1, "action": "created"}<br>1694445948.238388: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694446268.42952: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694446597.253438: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694446626.551442: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447102.368478: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447187.785556: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447233.805542: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447256.462593: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447324.542543: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694447772.724512: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1694448681.95518: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694449204.048061: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694449647.332296: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1694449754.493539: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694450199.853172: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1694452250.114495: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1694452672.978887: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1704711697.835427: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1704711700.739643: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1704711947.950361: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1704711950.774661: {"user": "nouser2", "user_id": 1, "action": "case reopened"}<br>1705935117.44055: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1705935120.30414: {"user": "nouser2", "user_id": 1, "action": "case reopened"} | 2023-06-07 | 1 | 3 | 0 | 1 |
### iris-change-case-state

Changes the state of a case.

#### Base Command

`iris-change-case-state`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |
| case_name | Case name. | Required |
| case_state | Case state. Possible values are: In progress, Opened, Containement, Eradication, Recovery, Post-Incident, Reporting, Closed. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_id | number | Case ID |
| IRIS.case_name | string | Case name |
| IRIS.case_state | string | Case state |

#### Command example

`!iris-change-case-state case_id=1 case_state="In progress" case_name="#1 - Initial Demo"`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| case_customer | case_description | case_id | case_name | case_soc_id | case_uuid | close_date | modification_history | open_date | owner_id | state_id | status_id | user_id |
>| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
>| 1 | This is a demonstration. | 1 | #1 - Initial Demo | soc_id_demo | 46480e7c-5b78-42c5-8b2e-678991a8a495 | 2023-06-05 | 1685985574.367342: {"user": "nouser2", "user_id": 1, "action": "case closed"}<br>1704711960.320669: {"user": "nouser2", "user_id": 1, "action": "case info updated"}<br>1705935129.662093: {"user": "nouser2", "user_id": 1, "action": "case info updated"} | 2023-06-05 | 1 | 2 | 0 | 1 |
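The modification_history field returned by the close, reopen and change-state commands above is a sequence of `<unix epoch>: <JSON object>` lines with the keys user, user_id and action. The following added Python parser (not part of the integration) turns that field into a chronological audit trail and derives, from the most recent close or reopen action, whether the case is currently closed; the sample history is a constructed excerpt of the outputs shown on this page, and the function names are assumptions.

```python
"""Added parser (not the integration's own code) for the modification_history
field shown in the command outputs above. Each line has the form
'<unix epoch>: <JSON object>' with keys user, user_id and action."""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed excerpt in the same format as the page's example output.
SAMPLE_HISTORY = """\
1686161424.82484: {"user": "nouser2", "user_id": 1, "action": "created"}
1694445948.238388: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447772.724512: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1705935117.44055: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1705935120.30414: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1705935129.662093: {"user": "nouser2", "user_id": 1, "action": "case info updated"}
"""

# Actions that change the open/closed state: action -> closed afterwards?
STATE_ACTIONS = {"case closed": True, "case reopened": False}


def parse_history(text: str) -> List[Dict[str, Any]]:
    """Parse the raw field into events sorted by time; reject malformed lines."""
    events: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamp, sep, payload = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed history line: {line!r}")
        entry = json.loads(payload)  # raises ValueError on bad JSON too
        events.append({
            "time": datetime.fromtimestamp(float(stamp), tz=timezone.utc),
            "user": entry["user"],
            "user_id": int(entry["user_id"]),
            "action": entry["action"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def summarize_history(text: str) -> Dict[str, Any]:
    """Audit summary: counts, actors, last event, and the closed/open state
    implied by the most recent close or reopen (info updates do not count)."""
    events = parse_history(text)
    closed = None  # None when the history carries no close/reopen at all
    for event in events:  # chronological, so the last match wins
        if event["action"] in STATE_ACTIONS:
            closed = STATE_ACTIONS[event["action"]]
    return {
        "events": len(events),
        "actors": sorted({e["user"] for e in events}),
        "close_count": sum(e["action"] == "case closed" for e in events),
        "reopen_count": sum(e["action"] == "case reopened" for e in events),
        "last_action": events[-1]["action"] if events else None,
        "last_update": events[-1]["time"].isoformat() if events else None,
        "currently_closed": closed,
    }
```

Comparing `currently_closed` with the state_id the command returns is a cheap consistency check when reconciling XSOAR incidents against IRIS cases.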
### iris-create-notes-group

Creates a notes group.

#### Base Command

`iris-create-notes-group`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |
| group_title | Notes group title. | Required |

#### Context Output

There is no context output for this command.

#### Command example

`!iris-create-notes-group case_id=1 group_title="test group"`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| group_creationdate | group_id | group_lastupdate | group_title | group_uuid |
>| --- | --- | --- | --- | --- |
>| 2024-01-22T14:52:12.540571 | 57 | 2024-01-22T14:52:12.540571 | test group | 62742497-8cf6-4cea-bac4-5ff50e4bb4e5 |
### iris-add-new-note-to-group

Adds a new note to an existing group.

#### Base Command

`iris-add-new-note-to-group`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |
| note_title | Note title. | Required |
| note_content | Note content. | Required |
| group_id | Group ID. | Required |

#### Context Output

There is no context output for this command.

#### Command example

`!iris-add-new-note-to-group case_id=1 group_id=55 note_content="test content" note_title="test tittle"`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| note_content | note_creationdate | note_id | note_lastupdate | note_title | note_uuid |
>| --- | --- | --- | --- | --- | --- |
>| test content | 2024-01-22T14:52:15.366100 | 63 | 2024-01-22T14:52:15.366100 | test tittle | a2cf6b17-d8be-4ca0-814d-12910aefa2f2 |
### iris-get-list-of-groups-and-notes

Gets the list of note groups and their notes for a case.

#### Base Command

`iris-get-list-of-groups-and-notes`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |

#### Context Output

There is no context output for this command.

#### Command example

`!iris-get-list-of-groups-and-notes case_id=1`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| groups | state |
>| --- | --- |
>| {'group_id': 1, 'group_uuid': '98a49bf1-66a3-4014-94a3-b84f7465129e', 'group_title': 'test group', 'notes': []},<br>{'group_id': 55, 'group_uuid': '89085dde-aa63-467b-a17a-d78d20bdc794', 'group_title': 'test group', 'notes': [{'note_id': 61, 'note_uuid': '1e7cfa4e-6ce0-4261-ae5d-a70eba2b1462', 'note_title': 'test tittle', 'user': 'nouser2', 'note_lastupdate': '2024-01-08T11:04:41.529018'}, {'note_id': 62, 'note_uuid': 'c1ceef5b-0020-48d7-ac0f-c0c4c40ef396', 'note_title': 'test tittle', 'user': 'nouser2', 'note_lastupdate': '2024-01-08T11:06:05.840447'}, {'note_id': 63, 'note_uuid': 'a2cf6b17-d8be-4ca0-814d-12910aefa2f2', 'note_title': 'test tittle', 'user': 'nouser2', 'note_lastupdate': '2024-01-22T14:52:15.366100'}]},<br>{'group_id': 56, 'group_uuid': '36da7617-6eca-49d9-bbb6-64737db54aab', 'group_title': 'test group', 'notes': []},<br>{'group_id': 57, 'group_uuid': '62742497-8cf6-4cea-bac4-5ff50e4bb4e5', 'group_title': 'test group', 'notes': []} | object_state: 8<br>object_last_update: 2024-01-22T14:52:15.373121 |
### iris-get-list-of-iocs

Returns the list of IOCs of a case, including any that are also linked to other cases.

#### Base Command

`iris-get-list-of-iocs`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_id | number | Case ID. |
| IRIS.case_name | string | Case name. |

#### Command example

`!iris-get-list-of-iocs case_id=1`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| ioc | state |
>| --- | --- |
>| {'ioc_id': 5, 'ioc_uuid': '93ca5e50-13a5-4d59-8b92-b99bf4bb70fd', 'ioc_value': 'github-username-example', 'ioc_type_id': 65, 'ioc_type': 'github-username', 'ioc_description': 'This is an example', 'ioc_tags': '', 'ioc_misp': None, 'tlp_name': 'amber', 'tlp_bscolor': 'warning', 'ioc_tlp_id': 2, 'link': [], 'misp_link': None} | object_state: 1<br>object_last_update: 2024-01-08T10:45:20.129696 |
### iris-get-ioc-content

Fetches the content of an IOC.

#### Base Command

`iris-get-ioc-content`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | Case ID. | Required |
| ioc_id | IOC ID. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IRIS.case_id | number | Case ID. |
| IRIS.ioc_description | string | IOC description. |
| IRIS.ioc_id | number | IOC ID. |
| IRIS.ioc_value | string | IOC value. |
| IRIS.ioc_type | string | IOC type. |

#### Command example

`!iris-get-ioc-content case_id=1 ioc_id=5`

#### Context Example

#### Human Readable Output

>### Command successfully sent to IRIS DFIR
>| ioc_description | ioc_id | ioc_tlp_id | ioc_type | ioc_type_id | ioc_uuid | ioc_value | user_id |
>| --- | --- | --- | --- | --- | --- | --- | --- |
>| This is an example | 5 | 2 | type_description: A github user name<br>type_taxonomy: null<br>type_id: 65<br>type_name: github-username<br>type_validation_regex: null<br>type_validation_expect: null | 65 | 93ca5e50-13a5-4d59-8b92-b99bf4bb70fd | github-username-example | 1 |