Using IRIS
Last updated
Last updated
After all configurations have been completed, IRIS can be used to carry out incident response. The following is the workflow in incident response using IRIS.
Alerts are generated Manually and Automatically. Manually reported incidents are those that are reported by users through a variety of channels, such as email, web forms, or phone calls. Automatically reported incidents are those that are reported by Wazuh. Wazuh can collect logs from a variety of sources, including servers, networks, and applications, and it can use these logs to identify potential security incidents. When Wazuh identifies a potential security incident, it will automatically report it to IRIS. The SOC Team is responsible for receiving incident reports and creating tickets based on these reports. Below is an example of an alert collected from Wazuh
Ticket creation
Manual ticket creation
Alert based ticket creation
Evidence gathering
Asset Infected
IRIS tracks the progress of incidents from reporting to resolution. This includes tracking the status of the incident, the assigned investigator, and any updates that are made to the incident. IRIS also provides a timeline of events for each incident, which makes it easy to see how the incident has progressed over time.
Incident timeline
Assign task to Incident Handler
You can add task and assign the task to the incident handler
IRIS provides tools to help investigators gather and analyze evidence. Iris also provides a knowledge base of known security vulnerabilities and exploits, which can help investigators to identify the root cause of an incident. IRIS helps to coordinate the resolution of incidents by providing a shared workspace for all stakeholders (the person who has responsibility for resolving the incident).
IRIS generates reports that can be used to identify trends and improve incident response processes. These reports can be used to track the number of incidents, the average time to resolution, and the types of incidents that are occurring. Iris also provides tools for creating custom reports, which can be used to track specific metrics that are important to the organization.