Using IRIS
After all configuration has been completed, IRIS can be used to carry out incident response. The following is the incident response workflow when using IRIS.
Alerts are generated manually and automatically. Manually reported incidents are those reported by users through a variety of channels, such as email, web forms, or phone calls. Automatically reported incidents are those reported by Wazuh. Wazuh can collect logs from a variety of sources, including servers, networks, and applications, and uses these logs to identify potential security incidents. When Wazuh identifies a potential security incident, it automatically reports it to IRIS. The SOC team is responsible for receiving incident reports and creating tickets based on them. Below is an example of an alert collected from Wazuh.
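The automatic path above (Wazuh detects, IRIS receives an alert the SOC turns into a ticket) can be implemented as a Wazuh custom integration script. This is an added example, not code from the original page or from the IRIS or Wazuh projects; it assumes Wazuh invokes the script with the alert file, API key and hook URL as its three arguments, and that the IRIS alerts API accepts POST /alerts/add with the field names, severity ids and status id used below, so check both against your own versions before deploying.

```python
"""Wazuh custom integration that forwards one alert to DFIR-IRIS (added example).
Assumed, not from the page: Wazuh runs it as <script> <alert_file> <api_key> <hook_url>; IRIS
accepts POST /alerts/add with these fields; severity ids 2..6 = Informational..Critical; status 2 = New."""
import json
import sys
import urllib.request

# Constructed sample of the JSON Wazuh writes to the alert file (not a real event).
SAMPLE_ALERT = {
    "id": "1700000000.123456",
    "rule": {"id": "5712", "level": 10, "groups": ["syslog", "sshd", "authentication_failures"],
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "003", "name": "web-01", "ip": "10.0.0.12"},
}

# (minimum Wazuh rule level, IRIS severity id): Critical, High, Medium, Low, Informational
SEVERITY_BY_LEVEL = [(12, 6), (10, 5), (7, 4), (4, 3), (0, 2)]
def severity_id(level: int) -> int:
    """Map the Wazuh rule level (0-15) onto an IRIS severity id."""
    return next(sev for floor, sev in SEVERITY_BY_LEVEL if level >= floor)

def build_iris_alert(wazuh_alert: dict, customer_id: int = 1) -> dict:
    """Translate a Wazuh alert into the payload for the IRIS alert-creation endpoint."""
    rule = wazuh_alert.get("rule", {})
    agent = wazuh_alert.get("agent", {})
    return {
        "alert_title": f"Wazuh rule {rule.get('id', '?')}: {rule.get('description', 'no description')}",
        "alert_description": f"Level {rule.get('level', 0)} alert on agent "
                             f"{agent.get('name', 'unknown')} ({agent.get('ip', '-')})",
        "alert_source": "Wazuh",
        "alert_source_ref": wazuh_alert.get("id", ""),  # lets the analyst find the original event
        "alert_source_content": wazuh_alert,            # raw alert kept for evidence gathering
        "alert_severity_id": severity_id(int(rule.get("level", 0))),
        "alert_status_id": 2,
        "alert_customer_id": customer_id,
        "alert_tags": ",".join(rule.get("groups", [])),
    }

def post_alert(payload: dict, api_key: str, hook_url: str) -> int:
    """POST the payload to IRIS, authenticating with the API key as a Bearer token."""
    req = urllib.request.Request(hook_url.rstrip("/") + "/alerts/add", method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":  # called by Wazuh with: alert file, API key, hook URL
    with open(sys.argv[1]) as f:
        print(post_alert(build_iris_alert(json.load(f)), sys.argv[2], sys.argv[3]))
```

Keeping the raw Wazuh event in alert_source_content and its id in alert_source_ref is what makes the later evidence-gathering step traceable back to the original log.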
Ticket creation
Manual ticket creation
Alert-based ticket creation
Evidence gathering
Asset Infected
IRIS tracks the progress of incidents from reporting to resolution. This includes tracking the status of the incident, the assigned investigator, and any updates that are made to the incident. IRIS also provides a timeline of events for each incident, which makes it easy to see how the incident has progressed over time.
Incident timeline
Assign task to Incident Handler
You can add a task and assign it to the incident handler.
IRIS provides tools to help investigators gather and analyze evidence. IRIS also provides a knowledge base of known security vulnerabilities and exploits, which can help investigators identify the root cause of an incident. IRIS helps coordinate the resolution of incidents by providing a shared workspace for all stakeholders (everyone responsible for resolving the incident).
IRIS generates reports that can be used to identify trends and improve incident response processes. These reports can be used to track the number of incidents, the average time to resolution, and the types of incidents that are occurring. IRIS also provides tools for creating custom reports, which can be used to track specific metrics that are important to the organization.