Server.Alerts.Monitor.IRIS

Create an IRIS alert when monitored artifacts complete with results. Alerts are available starting in version 2.1.0 of IRIS. https://github.com/dfir-iris/iris-web/releases/tag/v2.1.0

Learn more about IRIS, here: https://dfir-iris.org/

It is recommended to store credentials in the Server Metadata section instead of directly inside the artifact.


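name: Server.Alerts.Monitor.IRIS
description: |
  Create an IRIS alert when monitored artifacts complete with results.
  Alerts are available starting in version 2.1.0 of IRIS.
  https://github.com/dfir-iris/iris-web/releases/tag/v2.1.0

  Learn more about IRIS, here: https://dfir-iris.org/

  It is recommended to use the Server Metadata section to store
  credentials, instead of having to store directly inside the artifact.

  The alert description links back to the Velociraptor collection. The
  link is built from VeloServerURL when that parameter is set, otherwise
  from the server's first configured frontend URL (config.server_urls[0]).
  Each output row carries the HTTP status returned by IRIS so that rejected
  requests (bad key, wrong URL, wrong customer id) are visible.

type: SERVER_EVENT

author: Wes Lambert - @therealwlambert

parameters:
  - name: IrisURL
    type: string
    description: Base URL of the IRIS instance; the artifact posts to <IrisURL>/alerts/add. Leave blank here to read IrisURL from the server metadata store.
    default: ""
  - name: IrisKey
    type: string
    description: API key for DFIR-IRIS. Leave blank here if using server metadata store.
    default: ""
  - name: VeloServerURL
    type: string
    description: URL of the Velociraptor GUI used for the collection link in the alert. Leave blank to fall back to config.server_urls[0].
    default: ""
  - name: ArtifactsToAlertOn
    description: Regex matched against the names of the artifacts that completed with results; the default matches every artifact.
    default: .
    type: regex
  - name: DisableSSLVerify
    type: bool
    # true skips certificate verification on the connection that carries the
    # IRIS API key; set it to false wherever IRIS presents a trusted certificate.
    description: Skip TLS certificate verification for the IRIS connection. Set to false when IRIS has a trusted certificate.
    default: true
  - name: Customer
    description: IRIS customer id the alert is filed under.
    default: 1
  - name: Severity
    description: IRIS alert severity id.
    default: 1
  - name: Status
    description: IRIS alert status id.
    default: 1

sources:
  - query: |
      // Connection details: an explicit parameter wins, otherwise the value
      // comes from the server metadata store so the key need not be stored
      // in the artifact.
      LET URL <= if(
            condition=IrisURL,
            then=IrisURL,
            else=server_metadata().IrisURL)
      LET Creds = if(
           condition=IrisKey,
           then=IrisKey,
           else=server_metadata().IrisKey)

      // Base of the collection link placed in the alert description:
      // VeloServerURL when given, else the first configured frontend URL.
      LET VeloURL = if(
           condition=VeloServerURL,
           then=VeloServerURL,
           else=config.server_urls[0])

      // One row per completed flow whose result artifacts match the regex.
      // Only the first result artifact is named in the alert title; a flow
      // with several result artifacts reports the first one even if a later
      // one produced the match -- TODO confirm this is intended.
      LET FlowInfo = SELECT timestamp(epoch=Timestamp) AS Timestamp,
             client_info(client_id=ClientId).os_info.fqdn AS FQDN,
             ClientId, FlowId, Flow.artifacts_with_results[0] AS FlowResults
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ ArtifactsToAlertOn

      // Customer, Severity and Status are untyped parameters, so they are sent
      // as strings -- TODO confirm IRIS accepts string ids, else add type: int.
      // HTTPStatus is the response code from IRIS; Alert and AlertID are null
      // when the request was rejected.
      SELECT * from foreach(row=FlowInfo,
        query={
             SELECT ClientId, FlowId, FQDN,
                    Response AS HTTPStatus,
                    parse_json(data=Content).data.alert_title AS Alert,
                    parse_json(data=Content).data.alert_id AS AlertID
             FROM http_client(
                data=serialize(item=dict(
                    alert_title=format(format="Hit on %v for %v", args=[FlowResults, FQDN]),
                    alert_description=format(format="ClientId: %v\n\nFlowID: %v\n\nURL: %v//app/index.html?#/collected/%v/%v", args=[ClientId, FlowId, VeloURL, ClientId, FlowId]),
                    alert_severity_id=Severity,
                    alert_status_id=Status,
                    alert_customer_id=Customer)),
                headers=dict(`Content-Type`="application/json", `Authorization`=format(format="Bearer %v", args=[Creds])),
                disable_ssl_security=DisableSSLVerify,
                method="POST",
                url=format(format="%v/alerts/add", args=[URL]))})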