IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level.
It is divided in two main parts, IrisWeb and IrisModules.
- IrisWeb is the web application which contains the core of Iris (web interface, database management, etc).
- IrisModules are extensions of the core that allow third parties to process data via Iris (eg upload and injection of EVTX into Splunk).
IrisWeb can work without any modules and by default none are enabled.
A first module called IrisEVTXModule is provided and installed in IRIS’s Python environment when using the docker-compose building process. In order to be added to IRIS and configured, see the documentation.
The app has 5 dockers:
app - iriswebapp_app: The core of IrisWeb
db: The Postgres database
rabbitmq: It’s in the name
worker: Jobs handler relying on RabbitMq
nginx: The reverse proxy
The NGINX service uses the certificate pair specified in .env. A pair is provided in the
./docker/dev_certs repository, but you might want to change with your own certificate. Below is an example command to generate such self-signed certificates:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout certificate.key -out certificate.crt
- Clone the repo and cd into it
- (Optional if you just want to try) If used in production, please configure the .env file at the root of the project:
- Nginx: you might want to specify your own certificate as specified above
- Database credentials: POSTGRES_PASSWORD and DB_PASS (you can also customise the usernames)
- IRIS secrets: SECRET_KEY and SECURITY_PASSWORD_SALT
A first account called administrator is created by default, the password is randomly created and output in the docker
app service. If you want to define an admin password at the first start, you can also create and define the environment variable IRIS_ADM_PASSWORD in the
app docker instance (see webApp Dockerfile).
Once it is up, go to https://<your_instance>:4433, login as administrator, and start using IRIS! We also recommend immediately changing your administrator’s password, either on its profile page or in the Users management page.
For a more comprehensive overview of the case features, you can head to tutorials, we’ve put some videos there.
You can reach us on Discord if you have any question, issue or idea !