Open-Source Collaborative Incident Response Platform

Created by incident responders for incident responders

hero
IRIS v2.4.11 is out

A lot of additions, including MFA support, Notes revisions and GraphQL!

Features

IRIS is a collaborative platform aiming to help incident responders to share technical details during investigations.
It's free and open-source.

Collaborate on incidents

The primary objective of IRIS is to facilitate collaboration among analysts during engagements by organizing and streamlining the elements involved, while allowing for flexibility in the steps taken. This is achieved without imposing any real constraints, as each team works differently.

Alerts

IRIS can receive alerts from SIEM or any other sources. Alerts can then be triaged, commented, linked to cases and others alerts. Once assessed, alerts can be escalated to cases.

Extensible

IRIS can be extended with custom modules to fits your needs. By default it is shipped with a VirusTotal, MISP, WebHooks and IntelOwl.

API

Through the API, you can manage the investigations as if you are in front of the interface. Which means IRIS can be automated and integrated with existing tools.

Easy to deploy

IRIS is deployed with Docker Compose and can be set in a few minutes. No installation hassles. It can even be installed on a small laptop for roaming investigations.

In a nutshell

IRIS helps IR teams organise and share technical details during engagements. Each team member can follow who's doing what in the investigation, add new elements to it, attribute task, and much more. It also offers reporting features, effectively reducing the post-incident phase time.

Assets, IOC, notes, timeline, evidences are among the elements the analysts can input and link together in the platform. It automatically keeps track of what is done, giving an automated follow-up to which anyone can add additional inputs.

It gives insights from previous engagements such as if an IOC or asset was already seen and compromised. It can also use external sources like VirusTotal or MISP to enrich the data. And thanks to its API and modules, one can extend its capabilities and/or integrates it with existing solutions.

IRIS can also receive alerts from other systems, such as SIEM. These alerts can be attributed, assessed, commented and merged into investigations.

image

Features

Overview of the IRIS capabilities

Integration

Full featured documented API

Python client to ease integration

Python modules to process files

Python modules to process IRIS data

Case management

Full featured timeline creation

Assets and IOCs management

Notes taking

Tasks management

Evidences management

Follow up

Automation

Reports generation

Automatic follow-up

Enrichments of IOC, assets, etc

Backref of IOC, assets, etc from previous cases

Some questions you might have

You can also find more answers in the FAQ.

Supporting us

As a free and open source project, we rely on the support of our community to continue development and improve our platform. If you find the platform useful and would like to help us sustain and grow, please consider supporting us financially through OpenCollective.


Support

They support us

author

Deutsche Telekom Security GmbH

https://github.com/telekom-security

author

MT

Anonymous

author

maof97

Anonymous

author

SecurityDungeon

Company

author

RTeam SOC

Company

author

Jones

Anonymous

author

Shanief W.

author

ESET Team

during Locked Shields 2024