IRIS is a collaborative platform aiming to help incident responders to share technical details during investigations.
It's free and open-source.
The primary objective of IRIS is to facilitate collaboration among analysts during engagements by organizing and streamlining the elements involved, while allowing for flexibility in the steps taken. This is achieved without imposing any real constraints, as each team works differently.
IRIS can receive alerts from SIEM or any other sources. Alerts can then be triaged, commented, linked to cases and others alerts. Once assessed, alerts can be escalated to cases.
IRIS can be extended with custom modules to fits your needs. By default it is shipped with a VirusTotal, MISP, WebHooks and IntelOwl.
Through the API, you can manage the investigations as if you are in front of the interface. Which means IRIS can be automated and integrated with existing tools.
IRIS is deployed with Docker Compose and can be set in a few minutes. No installation hassles. It can even be installed on a small laptop for roaming investigations.
IRIS helps IR teams organise and share technical details during engagements. Each team member can follow who's doing what in the investigation, add new elements to it, attribute task, and much more. It also offers reporting features, effectively reducing the post-incident phase time.
Assets, IOC, notes, timeline, evidences are among the elements the analysts can input and link together in the platform. It automatically keeps track of what is done, giving an automated follow-up to which anyone can add additional inputs.
It gives insights from previous engagements such as if an IOC or asset was already seen and compromised. It can also use external sources like VirusTotal or MISP to enrich the data. And thanks to its API and modules, one can extend its capabilities and/or integrates it with existing solutions.
IRIS can also receive alerts from other systems, such as SIEM. These alerts can be attributed, assessed, commented and merged into investigations.
Overview of the IRIS capabilities
Full featured documented API
Python client to ease integration
Python modules to process files
Python modules to process IRIS data
Full featured timeline creation
Assets and IOCs management
Enrichments of IOC, assets, etc
Backref of IOC, assets, etc from previous cases