DFIR-IRIS (Digital Forensic Incident Response - IRIS)

IRIS is a collaborative platform for incident response analysts that helps them share investigations at a technical level. It is a web application that can be installed on a fixed server or on a laptop for roaming investigations where internet access might not be available.

IRIS works by providing a platform for reporting, investigating, and resolving security incidents. When a security incident occurs, users can report the incident to IRIS through a variety of channels, such as email, web forms, or phone calls. IRIS will then track the progress of the incident from reporting to resolution.

Furthermore, IRIS can be seamlessly integrated with Wazuh to capture incident logs, enhancing its ability to detect and respond to security threats. Once integrated, Wazuh automatically sends logs to IRIS, where the system parses the logs and extracts relevant information, such as the source of the log, the timestamp, and the event type. This extracted information is then used to populate IRIS incidents, providing a comprehensive overview of each security event.
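The parsing step described above, as an added example (not code from the IRIS or Wazuh projects): a Wazuh alert is read as JSON, the source, timestamp, and event type are extracted, and an IRIS alert payload is built. The Wazuh alert shape is representative; the IRIS field names and the severity id scale are assumptions about the IRIS alert API and must be checked against the version in use.

```python
import json
from datetime import datetime, timezone

# Constructed sample Wazuh alert (representative shape, not a real event).
SAMPLE_WAZUH_ALERT = json.loads("""
{
  "timestamp": "2024-05-01T10:15:30.123+0000",
  "rule": {"level": 10, "id": "5712", "groups": ["syslog", "sshd", "authentication_failures"],
           "description": "sshd: brute force trying to get access to the system."},
  "agent": {"id": "001", "name": "web-01"},
  "manager": {"name": "wazuh-manager"},
  "id": "1714558530.12345",
  "location": "/var/log/auth.log",
  "full_log": "May  1 10:15:29 web-01 sshd[2231]: Failed password for invalid user admin"
}
""")


def severity_from_level(level: int) -> int:
    """Map a Wazuh rule level (0-15) to an IRIS severity id.
    Assumed IRIS scale: 2 Informational, 3 Low, 4 Medium, 5 High, 6 Critical."""
    if level >= 12:
        return 6
    if level >= 9:
        return 5
    if level >= 6:
        return 4
    if level >= 3:
        return 3
    return 2


def wazuh_alert_to_iris(alert: dict) -> dict:
    """Extract source, timestamp and event type from a Wazuh alert and build
    an IRIS alert payload (field names are assumptions, see lead-in)."""
    rule = alert.get("rule") or {}
    agent = alert.get("agent") or {}
    if "description" not in rule or "timestamp" not in alert:
        raise ValueError("alert is missing rule description or timestamp")
    # Wazuh timestamps carry a +0000 style offset; normalise to UTC ISO 8601.
    event_time = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return {
        "alert_title": rule["description"],                 # event type
        "alert_source": "Wazuh",
        "alert_source_ref": alert.get("id", "unknown"),     # Wazuh alert id
        "alert_source_event_time": event_time.astimezone(timezone.utc).isoformat(),
        "alert_severity_id": severity_from_level(int(rule.get("level", 0))),
        "alert_status_id": 2,                               # assumed: New
        "alert_tags": ",".join(rule.get("groups", [])),
        "alert_description": f"{agent.get('name', 'unknown-agent')} ({alert.get('location', '?')}): "
                             f"{alert.get('full_log', '')}",   # log source + raw line
        "alert_customer_id": 1,                             # assumed default customer
    }
```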

There are many benefits to using IRIS, including:

  1. Improved incident response times: IRIS can help to streamline the incident response process, which can lead to faster resolution times. IRIS also provides a number of tools that can help to automate some of the tasks involved in incident response, such as sending notifications and generating reports.

  2. Increased visibility into security incidents: IRIS provides a centralized view of all security incidents, which helps to identify trends and make better security decisions. IRIS provides a number of dashboards and reports that can be used to analyze incident data.

Here are some of the main features of IRIS:

  1. Incident reporting: Users can report incidents through a variety of channels, such as email, web forms, and phone calls. Anyone can report an incident; IRIS then creates a ticket for it and assigns it to an investigator or incident handler.

  2. Incident tracking: IRIS tracks the progress of incidents from reporting to resolution. This includes tracking the status of the incident, the assigned investigator, and any updates that are made to the incident. IRIS also provides a timeline of events for each incident, which makes it easy to see how the incident has progressed over time.

  3. Incident investigation and resolution: IRIS provides tools to help investigators gather and analyze evidence. IRIS also provides a knowledge base of known security vulnerabilities and exploits, which can help investigators identify the root cause of an incident. IRIS helps to coordinate the resolution of incidents by providing a shared workspace for all stakeholders, that is, everyone responsible for resolving the incident.

  4. Reporting and analytics: IRIS generates reports that can be used to identify trends and improve incident response processes. These reports can be used to track the number of incidents, the average time to resolution, and the types of incidents that are occurring. IRIS also provides tools for creating custom reports, which can be used to track specific metrics that are important to the organization.