Query an IRIS instance for an indicator.
To learn more about IRIS, see: https://dfir-iris.org/
This artifact can be called from within another artifact to enrich the data made available by that artifact.
NOTE: This artifact queries for all IOCs, and does not associate IOCs to first-order cases. This will be improved in the future.
Ex.
SELECT * from Artifact.Server.IRIS.IOCLookup(IOC=$YOURIOC)
name: Server.Enrichment.IRIS.IOCLookup
description: |
Query an IRIS instance for an indicator.
To learn more about IRIS, see: https://dfir-iris.org/
This artifact can be called from within another artifact to enrich the data made available by that artifact.
NOTE: This artifact queries for all IOCs, and does not associate IOCs to first-order cases. This will be improved in the future.
Ex.
`SELECT * from Artifact.Server.IRIS.IOCLookup(IOC=$YOURIOC)`
type: SERVER
parameters:
- name: IOC
default:
- name: IrisURL
default: https://myiris
- name: IrisKey
type: string
description: API key for DFIR-IRIS. Leave blank here if using server metadata store.
default:
sources:
- query: |
LET URL = if(
condition=IrisURL,
then=IrisURL,
else=server_metadata().IrisURL)
LET Creds = if(
condition=IrisKey,
then=IrisKey,
else=server_metadata().IrisKey)
LET Data = SELECT parse_json(data=Content).data.ioc AS IOCs FROM http_client(
method="GET",
url=URL + '''/case/ioc/list''',
headers=dict(`Content-Type`="application/json", `Authorization`='''Bearer ''' + Creds),
disable_ssl_security=true
)
LET EachIOC = SELECT * from foreach(
row=Data,
query={
SELECT _value.ioc_value AS IOCValue,
_value.ioc_description AS Description,
_value.tlp_name AS TLP,
_value.link AS `Linked Cases`,
_value AS _Content
FROM items(item=IOCs)
})
SELECT * FROM EachIOC WHERE IOCValue =~ IOC