IRIS DFIR
This integration is part of the IRIS DFIR Pack.
Supported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
IRIS is a collaborative platform that helps incident responders share technical details during investigations. It is free and open source. This integration was integrated and tested with version v2.3.6 of IRIS DFIR.
Configure IRIS DFIR in Cortex
| Parameter | Description | Required |
|---|---|---|
| Server IP or Host Name (e.g., https://192.168.0.1) | | True |
| API Key for authentication | | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Fetch incidents | | False |
| Incidents Fetch Interval | | False |
| Incident type | | False |
| Incident Last Case ID | Fetch all the cases starting from this value, not including it. | False |
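As an added example (not code from the IRIS DFIR pack), the following Python shows how the `Incident Last Case ID` cursor is meant to behave when fetching incidents: only cases with an ID strictly greater than the stored value are fetched, they are emitted oldest-first so the cursor can be advanced safely even though IRIS lists cases newest-first, and each case is mapped to the incident shape XSOAR expects from fetch-incidents. The case dicts, their field names and the sample data are assumptions modelled on the `iris-get-all-cases` output shown further down; `parse_cursor`, `to_incident` and `fetch_incidents` are hypothetical helpers.

```python
"""Added example, not part of the IRIS DFIR pack: fetch-incidents cursor logic
for the 'Incident Last Case ID' parameter ("starting from this value, not
including it"). Case dicts use the field names of the iris-get-all-cases
output; the sample data below is constructed for this example."""
import json
from datetime import datetime, timezone

# Constructed sample, newest-first as IRIS lists cases on this page.
SAMPLE_CASES = [
    {"case_id": 32, "case_name": "#32 - TEST 7", "case_open_date": "12/18/2023",
     "classification": "malicious-code:dialer", "state_name": "Opened"},
    {"case_id": 31, "case_name": "#31 - TEST 5", "case_open_date": "12/18/2023",
     "classification": "malicious-code:ransomware", "state_name": "Opened"},
    {"case_id": 29, "case_name": "#29 - case null 0000f", "case_open_date": "12/14/2023",
     "classification": "malicious-code:dialer", "state_name": "Opened"},
]


def parse_cursor(raw):
    """Integration parameters arrive as strings; an unset cursor means 'from the start'."""
    if raw is None or str(raw).strip() == "":
        return 0
    cursor = int(raw)  # a non-numeric value raises instead of silently fetching everything
    if cursor < 0:
        raise ValueError("Incident Last Case ID must not be negative")
    return cursor


def to_incident(case):
    """Map one IRIS case to the dict shape XSOAR's fetch-incidents expects."""
    opened = datetime.strptime(case["case_open_date"], "%m/%d/%Y").replace(tzinfo=timezone.utc)
    return {
        "name": case["case_name"],
        "occurred": opened.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "rawJSON": json.dumps(case),  # full case kept for incident field mapping
    }


def fetch_incidents(cases, last_case_id):
    """Return (incidents, new_last_case_id).

    Only cases whose case_id is strictly greater than last_case_id are fetched,
    so the stored ID itself is never re-ingested. Results are sorted ascending
    so the cursor always advances to the highest ID actually returned.
    """
    fresh = sorted((c for c in cases if int(c["case_id"]) > last_case_id),
                   key=lambda c: int(c["case_id"]))
    incidents = [to_incident(c) for c in fresh]
    new_last = int(fresh[-1]["case_id"]) if fresh else last_case_id
    return incidents, new_last


if __name__ == "__main__":
    first, cursor = fetch_incidents(SAMPLE_CASES, parse_cursor("29"))
    print([i["name"] for i in first], cursor)     # ['#31 - TEST 5', '#32 - TEST 7'] 32
    print(fetch_incidents(SAMPLE_CASES, cursor))  # ([], 32) on the next poll
```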
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
iris-get-last-case-id
Get the information of the most recent IRIS case.
Base Command
`iris-get-last-case-id`
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_soc_id | string | SOC ID ticket case | 
| IRIS.case_id | number | case ID ticket number | 
| IRIS.case_description | string | case description | 
| IRIS.opened_by | unknown | case opened by | 
| IRIS.owner | unknown | case owner | 
| IRIS.classification_id | number | case classification ID | 
| IRIS.state_name | string | case state name | 
| IRIS.case_open_date | unknown | case open date | 
| IRIS.case_name | string | case name | 
| IRIS.client_name | string | case client name | 
| IRIS.classification | string | case classification | 
| IRIS.case_uuid | string | case uuid | 
| IRIS.state_id | string | case state ID | 
| IRIS.access_level | string | case access level | 
Command example
```
!iris-get-last-case-id
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| access_level | case_description | case_id | case_name | case_open_date | case_uuid | classification | classification_id | client_name | opened_by | opened_by_user_id | owner | owner_id | state_id | state_name |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | TEST 7 | 32 | #32 - TEST 7 | 12/18/2023 | 47ae5435-4c25-4408-bf86-98277807b2fa | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
iris-get-all-cases
Return a list of all IRIS DFIR cases.
Base Command
`iris-get-all-cases`
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_soc_id | unknown | SOC ID ticket case | 
| IRIS.case_id | number | case ID ticket number | 
| IRIS.case_description | unknown | case description | 
| IRIS.opened_by | unknown | case opened by | 
| IRIS.owner | unknown | case owner | 
| IRIS.classification_id | number | case classification ID | 
| IRIS.state_name | unknown | case state name | 
| IRIS.case_open_date | unknown | case open date | 
| IRIS.case_name | unknown | case name | 
| IRIS.client_name | unknown | case client name | 
| IRIS.classification | unknown | case classification | 
| IRIS.case_uuid | unknown | case uuid | 
| IRIS.state_id | unknown | case state ID | 
| IRIS.access_level | unknown | case access level | 
Command example
```
!iris-get-all-cases
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| access_level | case_close_date | case_description | case_id | case_name | case_open_date | case_soc_id | case_uuid | classification | classification_id | client_name | opened_by | opened_by_user_id | owner | owner_id | state_id | state_name |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | | TEST 7 | 32 | #32 - TEST 7 | 12/18/2023 | | 47ae5435-4c25-4408-bf86-98277807b2fa | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | TEST 5 | 31 | #31 - TEST 5 | 12/18/2023 | | 5d5e6bc6-2c83-4c77-9f87-fb12d82e1e35 | malicious-code:ransomware | 6 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | case null 0000f ### dsdsdsd | 29 | #29 - case null 0000f | 12/14/2023 | | e7ed6439-799a-4eaf-b16c-cde8f7a10ffc | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | malware byte you test22222 | 28 | #28 - malware byte you | 12/14/2023 | test-eu-111 | 2aeb9026-7b1d-4caa-a22d-b95e7507eec8 | abusive-content:harmful-speech | 2 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 4 | Containment |
| 4 | | test jira fields ### 12244434 | 27 | #27 - test jira fields | 11/30/2023 | | 6b8d5e9a-e27b-4a6a-b27d-059b235f0814 | malicious-code:spyware-rat | 8 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | Evil rootkit ## machine evil | 26 | #26 - Evil rootkit | 11/22/2023 | CERT-EU-846327 | dec1a169-37cf-44b0-8e9d-78b51efebbc0 | malicious-code:rootkit | 10 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 5 | Eradication |
| 4 | | mail spam spam 1234444 | 25 | #25 - mail spam | 11/22/2023 | CERT-EU-8213423 | 83317f2e-72df-4934-a283-500fecd0e758 | abusive-content:spam | 1 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 4 | Containment |
| 4 | | Evil spyware dark 123 machine local | 24 | #24 - Evil spyware | 11/22/2023 | CERT-EU-896492 | c63dc059-b8a7-4595-bc2b-833e4798e3ac | malicious-code:spyware-rat | 8 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | Scanning VIP fdsfdsfsdfsdfsdfsdf | 23 | #23 - Scanning VIP | 11/22/2023 | CERT-EU-2316346 | cd85ed04-fa5a-4f47-8a3f-0280297a3d53 | information-gathering:scanner | 11 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | virus id 2244 testing 123 machine 10.0.0.120 | 20 | #20 - virus id 2244 | 11/22/2023 | CERT-EU-55 | 6e71ba63-ad61-4c7e-8b4e-10f16a65cb36 | malicious-code:virus | 4 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | rootkit blabla machine.dark.local malware baisfldasnfadsf | 19 | #19 - rootkit blabla | 09/29/2023 | CERT--EU-444 | a48eed36-cc03-4a42-a13b-3af41a76dccb | malicious-code:rootkit | 10 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | 09/28/2023 | Phishing EU member blabla | 18 | #18 - Phishing EU member | 09/28/2023 | CERT-EU-77 | a9803459-461b-4442-a11e-b6440a91cd85 | fraud:phishing | 30 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 9 | Closed |
| 4 | | Phishing EU official test ticket !!! | 17 | #17 - #17 case custom attrib test | 08/09/2023 | soc_id_demo | c034f0fa-d19c-480a-8b1d-045b558915d0 | abusive-content:harmful-speech | 2 | CERT-EU | nouser2 | 1 | Natasha Carl | 2 | 4 | Containment |
| 4 | 09/25/2023 | spam test ticket blah | 16 | #16 - spam test ticket | 07/13/2023 | CERT-EU-21 | 71636b85-ef58-4d45-a5bf-faa2ac00031a | abusive-content:spam | 1 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 9 | Closed |
| 4 | | dark.local testing notes | 15 | #15 - Virus detected on VM dark.local | 07/13/2023 | CERT-EU-20 | 94e4a63a-3c8b-4a4e-ae02-b32c0c1b6386 | malicious-code:virus | 4 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 2 | In progress |
| 4 | | ROOTKIT TEST THIS IS A TEST FORM | 13 | #13 - ROOTKIT TEST | 06/08/2023 | CERT-EU-19 | 6f8a72b5-2c82-4654-b84a-e8e10e9299de | malicious-code:rootkit | 10 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | 09/26/2023 | Scanning ports machine X - 1 - 2 - 3 - ## EDITED | 12 | #12 - Scanning ports machine X | 06/08/2023 | CERT-EU-18 | 3662a525-d572-495c-9d25-45920c3ad1ce | information-gathering:scanner | 11 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 9 | Closed |
| 4 | | Code Dialer ### TEST CODE CODE | 11 | #11 - Code Dialer | 06/08/2023 | CERT-EU-17 | f0b3b128-88f3-4a37-a908-58ecb5fc7c89 | malicious-code:dialer | 9 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | spyware test 1 | 10 | #10 - spyware test 1 | 06/08/2023 | CERT-EU-16 | 38ba94bf-978f-4073-99af-291f79889b0b | malicious-code:spyware-rat | 8 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | Social Eng | 9 | #9 - Social Eng | 06/07/2023 | CERT-EU-15 | 35070554-73c1-421a-bdbb-b840f09411b4 | information-gathering:social-engineering | 13 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | WAF invaded | 8 | #8 - WAF invaded | 06/07/2023 | CERT-EU-15 | 9bab6e73-be89-497c-bfc1-25e213f933eb | | | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | A virus has been detected on machine machine.darkside.in DDOS (Port 443, Protocol TCP, Hostname machine.darkside.in) `echo Please investigate !` ### HELP ! | 7 | #7 - test command 1 | 06/07/2023 | CERT-EU-14 | e88efdc4-6811-4c59-aca6-7eeefab72a81 | availability:ddos | 23 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 6 | Recovery |
| 4 | | A virus has been detected on machine machine.darkside.in (Port 443, Protocol TCP, Hostname machine.darkside.in) `echo Please investigate !` ### HELP ! | 6 | #6 - Malware detected on machine.darkside.in | 06/07/2023 | CERT-EU-13 | 4f7d583d-7724-4be3-9137-7ca248630bc0 | | | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | Ransomware test | 3 | #3 - CERT-EU Ransomware test | 06/05/2023 | CERT-EU-82 | 7b9ec75f-f194-4d73-a98a-b657b40b2cc4 | malicious-code:ransomware | 6 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | | A virus has been detected on machine darkpace.evil (Port 443, Protocol TCP, Hostname darkplace.evil) `echo Please investigate !` ### HELP ! | 2 | #2 - virus-windows-11 | 06/05/2023 | CERT-EU-12 | 1a5e6534-571f-4788-b4f5-47cc6b0c18bc | malicious-code:virus | 4 | CERT-EU | nouser2 | 1 | nouser2 | 1 | 3 | Opened |
| 4 | 06/05/2023 | This is a demonstration. | 1 | #1 - Initial Demo | 06/05/2023 | soc_id_demo | 46480e7c-5b78-42c5-8b2e-678991a8a495 | | | CERT-EU | nouser2 | 1 | nouser2 | 1 | 2 | In progress |
iris-close-case-id
Close a specific case by ID.
Base Command
`iris-close-case-id`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Required |
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_name | unknown | case name | 
| IRIS.case_soc_id | unknown | case soc ID | 
| IRIS.open_date | unknown | case open date | 
| IRIS.close_date | unknown | case close date | 
Command example
```
!iris-close-case-id case_id=9
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| case_customer | case_description | case_id | case_name | case_soc_id | case_uuid | classification_id | close_date | modification_history | open_date | owner_id | state_id | status_id | user_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Social Eng | 9 | #9 - Social Eng | CERT-EU-15 | 35070554-73c1-421a-bdbb-b840f09411b4 | 13 | 2024-01-22 | (listed below) | 2023-06-07 | 1 | 9 | 0 | 1 |

modification_history:
```
1686161424.82484: {"user": "nouser2", "user_id": 1, "action": "created"}
1694445948.238388: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694446268.42952: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694446597.253438: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694446626.551442: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447102.368478: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447187.785556: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447233.805542: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447256.462593: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447324.542543: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447772.724512: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1694448681.95518: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694449204.048061: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694449647.332296: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1694449754.493539: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694450199.853172: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1694452250.114495: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694452672.978887: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1704711697.835427: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1704711700.739643: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1704711947.950361: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1704711950.774661: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1705935117.44055: {"user": "nouser2", "user_id": 1, "action": "case closed"}
```
iris-reopen-case-id
Reopen a specific case by ID.
Base Command
`iris-reopen-case-id`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Optional |
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_soc_id | unknown | case soc ID | 
| IRIS.case_id | unknown | case ID | 
| IRIS.close_date | unknown | case close date | 
| IRIS.open_date | unknown | case open date | 
| IRIS.case_name | unknown | case name | 
| IRIS.closing_note | unknown | case closing note | 
Command example
```
!iris-reopen-case-id case_id=9
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| case_customer | case_description | case_id | case_name | case_soc_id | case_uuid | classification_id | modification_history | open_date | owner_id | state_id | status_id | user_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Social Eng | 9 | #9 - Social Eng | CERT-EU-15 | 35070554-73c1-421a-bdbb-b840f09411b4 | 13 | (listed below) | 2023-06-07 | 1 | 3 | 0 | 1 |

modification_history:
```
1686161424.82484: {"user": "nouser2", "user_id": 1, "action": "created"}
1694445948.238388: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694446268.42952: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694446597.253438: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694446626.551442: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447102.368478: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447187.785556: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447233.805542: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447256.462593: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447324.542543: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694447772.724512: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1694448681.95518: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694449204.048061: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694449647.332296: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1694449754.493539: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694450199.853172: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1694452250.114495: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1694452672.978887: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1704711697.835427: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1704711700.739643: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1704711947.950361: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1704711950.774661: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
1705935117.44055: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1705935120.30414: {"user": "nouser2", "user_id": 1, "action": "case reopened"}
```
iris-change-case-state
Change the state of a case.
Base Command
`iris-change-case-state`
Input
| Argument Name | Description | Required | 
|---|---|---|
| case_id | Case ID. | Required | 
| case_name | Case name. | Required | 
| case_state | Case state. Possible values are: In progress, Opened, Containement, Eradication, Recovery, Post-Incident, Reporting, Closed. | Required | 
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_id | number | Case ID | 
| IRIS.case_name | string | Case name | 
| IRIS.case_state | string | Case state | 
Command example
```
!iris-change-case-state case_id=1 case_state="In progress" case_name="#1 - Initial Demo"
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| case_customer | case_description | case_id | case_name | case_soc_id | case_uuid | close_date | modification_history | open_date | owner_id | state_id | status_id | user_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | This is a demonstration. | 1 | #1 - Initial Demo | soc_id_demo | 46480e7c-5b78-42c5-8b2e-678991a8a495 | 2023-06-05 | (listed below) | 2023-06-05 | 1 | 2 | 0 | 1 |

modification_history:
```
1685985574.367342: {"user": "nouser2", "user_id": 1, "action": "case closed"}
1704711960.320669: {"user": "nouser2", "user_id": 1, "action": "case info updated"}
1705935129.662093: {"user": "nouser2", "user_id": 1, "action": "case info updated"}
```
iris-create-notes-group
Create a notes group in a case.
Base Command
`iris-create-notes-group`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Required |
| group_title | Notes group title. | Required |
Context Output
There is no context output for this command.
Command example
```
!iris-create-notes-group case_id=1 group_title="test group"
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| group_creationdate | group_id | group_lastupdate | group_title | group_uuid |
|---|---|---|---|---|
| 2024-01-22T14:52:12.540571 | 57 | 2024-01-22T14:52:12.540571 | test group | 62742497-8cf6-4cea-bac4-5ff50e4bb4e5 |
iris-add-new-note-to-group
Add a new note to an existing group.
Base Command
`iris-add-new-note-to-group`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Required |
| note_title | Note title. | Required |
| note_content | Note content. | Required |
| group_id | Group ID. | Required |
Context Output
There is no context output for this command.
Command example
```
!iris-add-new-note-to-group case_id=1 group_id=55 note_content="test content" note_title="test tittle"
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| note_content | note_creationdate | note_id | note_lastupdate | note_title | note_uuid |
|---|---|---|---|---|---|
| test content | 2024-01-22T14:52:15.366100 | 63 | 2024-01-22T14:52:15.366100 | test tittle | a2cf6b17-d8be-4ca0-814d-12910aefa2f2 |
iris-get-list-of-groups-and-notes
Get a list of the notes groups of a case and the notes they contain.
Base Command
`iris-get-list-of-groups-and-notes`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Required |
Context Output
There is no context output for this command.
Command example
```
!iris-get-list-of-groups-and-notes case_id=1
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR

groups:
```
{'group_id': 1, 'group_uuid': '98a49bf1-66a3-4014-94a3-b84f7465129e', 'group_title': 'test group', 'notes': []},
{'group_id': 55, 'group_uuid': '89085dde-aa63-467b-a17a-d78d20bdc794', 'group_title': 'test group', 'notes': [{'note_id': 61, 'note_uuid': '1e7cfa4e-6ce0-4261-ae5d-a70eba2b1462', 'note_title': 'test tittle', 'user': 'nouser2', 'note_lastupdate': '2024-01-08T11:04:41.529018'}, {'note_id': 62, 'note_uuid': 'c1ceef5b-0020-48d7-ac0f-c0c4c40ef396', 'note_title': 'test tittle', 'user': 'nouser2', 'note_lastupdate': '2024-01-08T11:06:05.840447'}, {'note_id': 63, 'note_uuid': 'a2cf6b17-d8be-4ca0-814d-12910aefa2f2', 'note_title': 'test tittle', 'user': 'nouser2', 'note_lastupdate': '2024-01-22T14:52:15.366100'}]},
{'group_id': 56, 'group_uuid': '36da7617-6eca-49d9-bbb6-64737db54aab', 'group_title': 'test group', 'notes': []},
{'group_id': 57, 'group_uuid': '62742497-8cf6-4cea-bac4-5ff50e4bb4e5', 'group_title': 'test group', 'notes': []}
```

state:
```
object_state: 8
object_last_update: 2024-01-22T14:52:15.373121
```
iris-get-list-of-iocs
Return the list of IoCs of a case, including any that are also linked to other cases.
Base Command
`iris-get-list-of-iocs`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Required |
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_id | number | Case ID. | 
| IRIS.case_name | string | Case Name. | 
Command example
```
!iris-get-list-of-iocs case_id=1
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR

ioc:
```
{'ioc_id': 5, 'ioc_uuid': '93ca5e50-13a5-4d59-8b92-b99bf4bb70fd', 'ioc_value': 'github-username-example', 'ioc_type_id': 65, 'ioc_type': 'github-username', 'ioc_description': 'This is an example', 'ioc_tags': '', 'ioc_misp': None, 'tlp_name': 'amber', 'tlp_bscolor': 'warning', 'ioc_tlp_id': 2, 'link': [], 'misp_link': None}
```

state:
```
object_state: 1
object_last_update: 2024-01-08T10:45:20.129696
```
iris-get-ioc-content
Fetch the content of an IoC.
Base Command
`iris-get-ioc-content`
Input
| Argument Name | Description | Required |
|---|---|---|
| case_id | Case ID. | Required |
| ioc_id | IoC ID. | Required |
Context Output
| Path | Type | Description | 
|---|---|---|
| IRIS.case_id | number | Case ID. | 
| IRIS.ioc_description | string | IoC Description. | 
| IRIS.ioc_id | number | IoC ID. | 
| IRIS.ioc_value | string | IoC Value. | 
| IRIS.ioc_type | string | IoC Type. | 
Command example
```
!iris-get-ioc-content case_id=1 ioc_id=5
```
Context Example
Human Readable Output
Command successfully sent to IRIS DFIR
| ioc_description | ioc_id | ioc_tlp_id | ioc_type | ioc_type_id | ioc_uuid | ioc_value | user_id |
|---|---|---|---|---|---|---|---|
| This is an example | 5 | 2 | type_description: A github user name; type_taxonomy: null; type_id: 65; type_name: github-username; type_validation_regex: null; type_validation_expect: null | 65 | 93ca5e50-13a5-4d59-8b92-b99bf4bb70fd | github-username-example | 1 |