IRIS-DFIR / Case Management

DFIR-IRIS is an open source incident management tool which can be easily integrated with various other security tools, making SOC ticketing and case management easy in a clutter-free collaborative space.

Installation :

To install DFIR-IRIS we will need the docker daemon installed on the local host system. Here is the documentation on docker :

Once docker is installed on the system we can verify it using :

sudo docker compose version
sudo docker run hello-world:latest

Now we will start the installation of DFIR-IRIS.

# Clone the iris-web repository
git clone https://github.com/dfir-iris/iris-web.git
cd iris-web

# Check out the last tagged version
git checkout v2.4.20
# Copy the environment file 
cp .env.model .env

We will make some changes in the environment file to configure the passwords and secret values, so that the data is secured and we avoid using default credentials, which would widen the attack surface.

sudo nano .env ## in the root of the iris-web folder
## DATABASE CONNECTIONS :
POSTGRES_USER=postgres
POSTGRES_PASSWORD=__MUST_BE_CHANGED__
POSTGRES_ADMIN_USER=raptor
POSTGRES_ADMIN_PASSWORD=__MUST_BE_CHANGED__
POSTGRES_DB=iris_db

## IRIS DEPLOYMENT Credentials : 
IRIS_SECRET_KEY=AVerySuperSecretKey-SoNotThisOne
IRIS_SECURITY_PASSWORD_SALT=ARandomSalt-NotThisOneEither

## optional
IRIS_ADM_PASSWORD=__MUST_BE_CHANGED__ ## WILL WORK IN INITIAL DEPLOYMENT ONLY

We will now pull and start the docker containers :

# Pull the docker images
docker compose pull
# Run IRIS  
docker compose up 
## TO RUN IN BACKGROUND
docker compose up -d

Once complete, 5 docker containers will be running, which we can check using :

sudo docker ps -a

Iris will be available on the host interface, port 443, protocol HTTPS : https://<your_instance_ip>. By default an administrator account is created. Its password is printed to stdout the very first time Iris is started and is not printed again after that. The string "WARNING :: post_init :: create_safe_admin :: >>>" can be searched in the logs of the webapp container to find the password. If docker was started as a background service we can grep the password using :

sudo docker compose logs app | grep admin
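grep admin also matches every other line mentioning an admin, so a filter on the exact marker quoted above is more reliable. The shell function below is an added example, not part of iris-web: it reads log text on stdin, keeps only the create_safe_admin lines, prints what follows the ">>>" marker, and exits non-zero when the marker is absent, which is what happens on every start after the first. The log line used in the usage note is constructed for illustration and only assumes the marker format shown on this page.

```shell
#!/bin/sh
# Added example (not iris-web code): pull the one-time admin bootstrap lines
# out of the webapp container logs using the marker this tutorial quotes.

ADMIN_MARKER='post_init :: create_safe_admin :: >>>'

# Read log lines on stdin; print the text after the marker for each match.
# Returns 1 if no line carried the marker (the password was already printed
# on a previous start and will not appear again).
admin_bootstrap_lines() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"$ADMIN_MARKER"*)
                # Strip everything up to and including the marker and its space.
                printf '%s\n' "${line#*"$ADMIN_MARKER"}" | sed 's/^ *//'
                found=1
                ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Usage on a running deployment:
#   sudo docker compose logs app | admin_bootstrap_lines
# Constructed sample line (not real output), for trying the function offline:
#   printf '%s\n' 'app-1  | WARNING :: post_init :: create_safe_admin :: >>> Administrator password: ConstructedPw123' | admin_bootstrap_lines
```

Once the password has been read, store it in the team's secret manager and change it in the Iris UI; the log line remains in the container's log until the container is removed, so it should not be the long-term record of the credential.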

In the upcoming sections we will be integrating DFIR-IRIS with Wazuh.
