7.4.1. IRIS Integration

This integration is a report module that pushes bad items from Cyber Triage into an existing DFIR IRIS case and asset.

It will create:

  • IOCs for any hash, IP, path, or URL

  • Timeline entries for each item

This requires the Team version of Cyber Triage and a special license.

7.4.1.1. Installation

  • Set up a DFIR IRIS server.

  • Add the license file to Cyber Triage as outlined in the instructions.

  • Start the Cyber Triage Server.

  • Go to the Options panel and navigate to Integrations → DFIR IRIS.

  • Choose “Enable DFIR IRIS Integration”. If you cannot enable it, double-check that your license file is in the correct location.

[Image: integ_iris_option.png]

  • Enter the server address and the authorization token for the server’s API.
    • Note: the IRIS API key can be found under the IRIS user’s “My Settings”.

  • Press “Test Connection” to verify the server can be contacted and the token works.

7.4.1.2. Using the Module

For best use of this integration:

  • Create a DFIR IRIS Case with the same name as the Cyber Triage Incident.

  • Create a DFIR IRIS Asset with the same name as the Cyber Triage Host.

  • At the end of an investigation, run the host-level report module.

[Image: integ_iris_report1.png]

  • It will prompt you for the case and asset names. You can change them if needed.

[Image: integ_iris_report2.png]

  • The data sent from Cyber Triage to IRIS can be found in the case under the following sections:
    • Assets
    • IOC
    • Timeline
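As an added illustration (not Cyber Triage's or DFIR IRIS's own code), the Python sketch below shows how bad items map onto the two kinds of records the module creates: IOCs, deduplicated by kind and value, and one timeline entry per item, tied to a case and asset whose names mirror the incident and host. The classification rules, field names and sample items are assumptions constructed for this example.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hex digest lengths for MD5, SHA-1 and SHA-256 (assumed set of hash kinds).
_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def ioc_type(value: str) -> str:
    """Classify a bad-item value into one of the four IOC kinds the module creates."""
    v = value.strip()
    if _HASH_RE.match(v):
        return "hash"
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return "url"
    return "path"                        # anything else is treated as a file path


def build_iris_payload(incident: str, host: str, bad_items: list[dict]) -> dict:
    """Group bad items into deduplicated IOCs plus one timeline entry per item."""
    iocs: dict[tuple[str, str], dict] = {}
    timeline = []
    for item in bad_items:
        kind = ioc_type(item["value"])
        # Hashes are case-insensitive, so normalise them before deduplicating.
        value = item["value"].strip().lower() if kind == "hash" else item["value"].strip()
        iocs.setdefault((kind, value), {"type": kind, "value": value, "description": item["description"]})
        ts = datetime.fromtimestamp(item["timestamp"], tz=timezone.utc)
        timeline.append({"title": item["description"], "date": ts.isoformat(), "asset": host, "ioc": value})
    # Case and asset names mirror the Cyber Triage incident and host, as the docs recommend.
    return {"case": incident, "asset": host, "iocs": list(iocs.values()), "timeline": timeline}


# Constructed sample bad items (not real investigation data).
SAMPLE_ITEMS = [
    {"value": "0123456789ABCDEF0123456789ABCDEF", "description": "Suspicious executable hash", "timestamp": 1700000000},
    {"value": "0123456789abcdef0123456789abcdef", "description": "Same hash, different case", "timestamp": 1700000060},
    {"value": "192.0.2.10", "description": "Outbound connection", "timestamp": 1700000120},
    {"value": "http://example.com/payload.bin", "description": "Download URL", "timestamp": 1700000180},
    {"value": r"C:\Users\Public\run.exe", "description": "Dropped file", "timestamp": 1700000240},
]

if __name__ == "__main__":
    print(build_iris_payload("INC-001", "WORKSTATION-7", SAMPLE_ITEMS))
```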