IRIS is a collaborative platform aiming to help incident responders share technical details during investigations.
It's free and open-source.
You just need Docker Compose and you will be set in a few minutes. No installation hassles. You can even install it on a small laptop for roaming investigations.
The main goal of IRIS is to help analysts collaborate during engagements by simplifying and structuring the elements, but not the steps. All without real constraints, because everyone works differently.
IRIS can be extended with custom modules to fit your needs. By default it ships with VirusTotal and MISP modules to showcase the possibilities.
Through the API, you can manage investigations as if you were in front of the interface, which means IRIS can be automated and integrated with existing tools.
IRIS helps you organise and share technical details during engagements. Each team member can follow who is doing what in the investigation, add new elements to it, assign tasks, and much more. It also offers docx reporting features, effectively reducing the time spent in the post-incident phase.
Assets, IOCs, notes, timeline and evidence are among the elements analysts can input and link together in the platform. It automatically keeps track of what is done, giving you an automated follow-up to which you can add additional inputs.
It gives you insights from previous engagements, such as whether an IOC or asset was already seen and compromised. It can also use external sources like VirusTotal or MISP to enrich the data. And thanks to its API and modules, you can extend its capabilities and/or integrate it with existing solutions.
Overview of the IRIS capabilities
Full featured documented API
Python client to ease integration
Python modules to process files
Python modules to process IRIS data
Full featured timeline creation
Assets and IOCs management
Enrichment of IOCs, assets, etc.
Back-references to IOCs, assets, etc. from previous cases