IRIS: Incident Response Investigation System
It is divided into two main parts, IrisWeb and IrisModules:
- IrisWeb is the web application which contains the core of Iris (web interface, database management, etc.).
- IrisModules are extensions of the core that allow third parties to process data via Iris (e.g. upload and injection of EVTX into Splunk).
IrisWeb can work without any modules and by default none are enabled.
A first module called IrisEVTXModule is provided and installed in
IRIS’s Python environment when using the docker-compose building process.
To add it to IRIS and configure it, see the documentation.
The app consists of 5 Docker containers:
- app (iriswebapp_app): the core of IrisWeb
- db: the PostgreSQL database
- rabbitmq: it's in the name
- worker: jobs handler relying on RabbitMQ
- nginx: the reverse proxy
The NGINX service uses the certificate pair specified in .env. A pair is provided in the
./docker/dev_certs directory, but you might want to replace it with your own certificate.
Below is an example command to generate such a self-signed certificate pair:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout certificate.key -out certificate.crt
- Clone the repo and cd into it
- (Optional if you just want to try it out.) For production use, configure the .env file at
the root of the project:
- Nginx: you might want to specify your own certificate, as described above
- Database credentials: POSTGRES_PASSWORD and DB_PASS (you can also customise the usernames)
- IRIS secrets: SECRET_KEY and SECURITY_PASSWORD_SALT
A first account called administrator is created by default; its password is randomly
generated and printed by the docker app service. If you want to define the admin password
at the first start, you can instead set the environment variable IRIS_ADM_PASSWORD on the
app docker instance (see the webApp Dockerfile).
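The .env configuration, the NGINX certificate pair and the IRIS_ADM_PASSWORD variable described above are the three things an operator has to get right before the first start. The following POSIX shell script is an added example, not part of the IRIS repository: it generates random values for the five secrets the README names (POSTGRES_PASSWORD, DB_PASS, SECRET_KEY, SECURITY_PASSWORD_SALT, IRIS_ADM_PASSWORD), writes them to a .env file, checks that no secret is empty, short or reused between keys, and wraps the README's openssl command to produce the certificate pair. The KEY=value layout of .env, the file names certificate.key/certificate.crt, the gen_certs/write_env/check_env function names and the -subj argument added to the openssl command are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IRIS's own tooling): bootstrap the secrets and certificate pair
# an IRIS deployment needs, then sanity-check the resulting .env.

# Print N random bytes as lowercase hex, using /dev/urandom so it works without openssl.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Secrets the README asks for in .env (variable names taken from the README).
IRIS_SECRET_KEYS="POSTGRES_PASSWORD DB_PASS SECRET_KEY SECURITY_PASSWORD_SALT IRIS_ADM_PASSWORD"

# Write a fresh .env at $1 with a distinct 64-hex-char random value for every secret.
# The file is created with mode 0600 (umask in a subshell so the caller's umask is untouched).
write_env() {
    out="$1"
    (
        umask 077
        for key in $IRIS_SECRET_KEYS; do
            printf '%s=%s\n' "$key" "$(rand_hex 32)"
        done > "$out"
    )
}

# Return 0 when every secret in the .env at $1 is present, at least 32 characters long
# and different from the other secrets; otherwise list the problems and return 1.
check_env() {
    env_file="$1"
    status=0
    seen=""
    for key in $IRIS_SECRET_KEYS; do
        val=$(sed -n "s/^$key=//p" "$env_file" | tail -n 1)
        if [ -z "$val" ]; then
            echo "missing or empty: $key"
            status=1
            continue
        fi
        if [ "${#val}" -lt 32 ]; then
            echo "too short (<32 chars): $key"
            status=1
        fi
        case " $seen " in
            *" $val "*) echo "same value reused by another key: $key"; status=1 ;;
        esac
        seen="$seen $val"
    done
    return "$status"
}

# Generate the self-signed pair the README's command produces, into directory $1,
# for hostname $2 (-subj is added here so the command runs non-interactively).
gen_certs() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=$host" -keyout "$dir/certificate.key" -out "$dir/certificate.crt"
    chmod 600 "$dir/certificate.key"
}

# Usage: sh iris_bootstrap.sh bootstrap <iris-hostname>
# Writes ./.env and ./docker/my_certs/certificate.{key,crt} in the current directory.
main() {
    write_env ./.env
    check_env ./.env || exit 1
    gen_certs ./docker/my_certs "${1:-localhost}"
    echo "bootstrap complete; point .env at ./docker/my_certs and start docker-compose"
}

if [ "${1:-}" = "bootstrap" ]; then
    main "$2"
fi
```

Running check_env against an existing .env before deploying catches the two mistakes that matter most here: a secret left empty (which silently weakens the Flask session signing behind SECRET_KEY) and one password pasted into several keys, so that a database compromise also yields the administrator credential.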
Once it is up, go to https://<your_instance>:4433, login as administrator, and start using IRIS!
We also recommend immediately changing your administrator’s password, either on its profile page or in the Users management page.
For a more comprehensive overview of the case features, head to the tutorials; we've put some videos there.
The contents of this repository are available under the LGPL3 license.