Module 9: Incident Response Case Management

Creating and Managing Incident Cases

Following Along

Just a section for starting the VM group.

Introducing IRIS for Case Management

The IRIS login page

The IRIS dashboard

Navigating to the customer management page

The Customer management page

Entering our customer's information

Our new customer

The IRIS dashboard and Add Case button

The fields for adding a new case in IRIS

The Select customer dropdown

Some of the options under Select classification

All of the fields in our new case

Successful case creation message

Our new case in list of open cases

The page for our case

Adding Assets

The Assets tab

The fields to add an asset

Available asset types

Available compromise statuses

Available analysis statuses

All the fields for our new asset

Our new asset in the list of assets

Creating a Timeline

Navigating to the search feature in Splunk

Querying for our event in Splunk

The Timeline tab in IRIS

The fields to add an event in IRIS

Specifying our event's time

Expanding our Splunk log

Opening the raw log

Locating our raw log

Pasting our raw log into IRIS

Linking our event to an asset

The event category options in IRIS

All of our fields to add our event

Our new event in the timeline

Adding Evidence

Email evidence in lab scenario:

Return-Path: d.miller@gmail.com
Received: from kali (Unknown [172.16.50.254])
	by mail01.tech.com with ESMTP
	; Wed, 18 Oct 2023 08:04:04 -0700
Date: Wed, 18 Oct 2023 11:04:03 -0400
To: a.jones@tech.com
From: d.miller@gmail.com
Subject: Application as UI UX Designer
Message-Id: <20231018110403.1751702@kali>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_1751702"

------=_MIME_BOUNDARY_000_1751702
Content-Type: text/plain

Hey!
I attached my application for the UI/UX design position. It is stored in the .iso file and built when you execute the binary.

David

------=_MIME_BOUNDARY_000_1751702
Content-Type: application/octet-stream; name="application.iso"
Content-Description: application.iso
Content-Disposition: attachment; filename="application.iso"
Content-Transfer-Encoding: BASE64

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...(CUT)...

The datastore icon

The Summary tab

Adding a file

The fields to upload a file

All of the fields to upload evidence filled out

Our file in the datastore

Our file under the Evidences tab

Communicating and Collaborating

Adding a comment to an event

A series of comments on the event

The tasks tab

The fields to create a task

Our new task

Navigating to Access control

Managing user access

The access of the administrator user

The case options

Access type options

Managing group access

Generating a Report

Navigating to report templates

Report templates list

Downloading the report templates

The cover page of the report templates

The asset list in the report templates

Our case's Summary tab

Generating and downloading our report template

The cover page of our report

The asset list in our report

Closing a Case and Case Retention

The Manage button

Editing the case

Editing the Outcome of the case

Closing the case

Our closed case

Becoming the root user on the IRIS server

offsec@iris01:~$ sudo su
[sudo] password for offsec:

root@iris01:/home/offsec# cd /root/iris-web/

IRIS case database backup step

root@iris01:~/iris-web# docker container ls | grep iriswebapp_db
cd41ed129c5f   iriswebapp_db:v2.3.3           "docker-entrypoint.s..."   6 weeks ago   Up 5 weeks             127.0.0.1:5432->5432/tcp

root@iris01:~/iris-web# docker exec cd41ed129c5f pg_dump -U postgres iris_db | gzip > ../iris_db_backup.gz

Creating a Case Based on Our Lab Incident

Creating a Case For Our Incident

Do it all again for the lab.

Adding Our Compromised and Investigated Assets

Do it all again for the lab.

Creating a Timeline Based on What We Know

Do it all again for the lab.

Adding Evidence from Our Investigation

Do it all again for the lab.