Create an IRIS case when monitored artifacts complete with results. Adds the ClientId, FlowId as tags to the case. Adds the FQDN as an asset.
Learn more about IRIS, here: https://dfir-iris.org/
It is recommended to use the Server Metadata section to store credentials, instead of having to store directly inside the artifact.
name: Server.Alerts.IRIS.Case.Create
description: |
Create an IRIS case when monitored artifacts complete with results. Adds the ClientId, FlowId as tags to the case. Adds the FQDN as an asset.
Learn more about IRIS, here: https://dfir-iris.org/
It is recommended to use the Server Metadata section to store credentials, instead of having to store directly inside the artifact.
type: SERVER_EVENT
author: Wes Lambert - @therealwlambert
parameters:
- name: IrisURL
default:
- name: IrisKey
type: string
description: API key for DFIR-IRIS. Leave blank here if using server metadata store.
default:
- name: ArtifactsToAlertOn
default: .
type: regex
- name: DisableSSLVerify
type: bool
default: true
- name: Customer
default: 1
- name: SOCId
default: soc_id_demo
sources:
- query: |
LET URL <= if(
condition=IrisURL,
then=IrisURL,
else=server_metadata().IrisURL)
LET Creds = if(
condition=IrisKey,
then=IrisKey,
else=server_metadata().IrisKey)
LET FlowInfo = SELECT timestamp(epoch=Timestamp) AS Timestamp,
client_info(client_id=ClientId).os_info.fqdn AS FQDN,
ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
FROM watch_monitoring(artifact="System.Flow.Completion")
WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn
LET Cases = SELECT * FROM foreach(row=FlowInfo,
query={
SELECT ClientId, FlowId, FQDN, parse_json(data=Content).data.case_id AS CaseID FROM http_client(
data=serialize(item=dict(
case_name=format(format="Hit on %v for %v", args=[FlowResults, FQDN]), case_soc_id="soc_id_demo", case_customer=1, case_description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, config.server_urls[0], ClientId, FlowId,])), format="json"),
headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[Creds])),
disable_ssl_security=DisableSSLVerify,
method="POST",
url=format(format="%v/manage/cases/add", args=[URL]))
})
SELECT * from foreach(row=Cases,
query={
SELECT * FROM http_client(
data=serialize(
item=dict(
asset_name=FQDN,
asset_type_id=9,
analysis_status_id=1,
cid=CaseID,
asset_tags=format(format="%v,%v", args=[ClientId, FlowId])
)
,format="json"
),
headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[Creds])),
disable_ssl_security=DisableSSLVerify,
method="POST",
url=format(format="%v/case/assets/add", args=[URL]))
})