Module 9: Incident Response Case Management

Creating and Managing Incident Cases

Following Along

Just a section for starting the VM group.

Introducing IRIS for Case Management

The IRIS login page
The IRIS dashboard
Navigating to the customer management page
The Customer management page
Entering our customer's information
Our new customer
The IRIS dashboard and Add Case button
The fields for adding a new case in IRIS
The Select customer dropdown
Some of the options under Select classification
All of the fields in our new case
Successful case creation message
Our new case in list of open cases
The page for our case

Adding Assets

The Assets tab
The fields to add an asset
Available asset types
Available compromise statuses
Available analysis statuses
All the fields for our new asset
Our new asset in the list of assets

Creating a Timeline

Navigating to the search feature in Splunk
Querying for our event in Splunk
The Timeline tab in IRIS
The fields to add an event in IRIS
Specifying our event's time
Expanding our Splunk log
Opening the raw log
Locating our raw log
Pasting our raw log into IRIS
Linking our event to an asset
The event category options in IRIS
All of our fields to add our event
Our new event in the timeline
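
Events pulled from Splunk and from evidence such as mail headers arrive with different timezone offsets; the lab email alone records one moment as 11:04:03 -0400 in the Date header and, one second later, as 08:04:04 -0700 in the Received header. Before they go into one IRIS timeline they need a single reference zone. The Python below is an added example (not code from the course page or from the IRIS project): it normalises a Splunk-style _time value and the two mail-header timestamps to UTC, refuses timestamps that carry no offset, and orders the result. The Splunk timestamp and the event titles are constructed; the event_date/event_tz field names and the millisecond date format are an assumption about what the IRIS event form stores, not something the page documents.

```python
"""Normalize timestamps from several sources into one UTC timeline.

Added example, not part of the course page or of IRIS. The two mail-header
timestamps come from the lab email on this page; the Splunk _time value and
the event titles are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample events: (source, timestamp as the source wrote it, title).
SAMPLE_EVENTS = [
    ("splunk", "2023-10-18T08:05:41.000-07:00", "application.iso mounted on workstation"),
    ("email Date header", "Wed, 18 Oct 2023 11:04:03 -0400", "Phishing mail composed on kali"),
    ("email Received header", "Wed, 18 Oct 2023 08:04:04 -0700", "Mail accepted by mail01.tech.com"),
]


def to_utc(value: str) -> datetime:
    """Parse an RFC 2822 (mail header) or ISO 8601 (Splunk _time) timestamp into UTC.

    A timestamp without an offset is rejected rather than guessed: placing it
    on a shared timeline would silently shift it by the analyst's local zone.
    """
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # not RFC 2822; TypeError on Python < 3.10
        dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no timezone offset: {value!r}")
    return dt.astimezone(timezone.utc)


def build_timeline(events):
    """Return event records, sorted by UTC time, ready to be entered in IRIS.

    Assumption: IRIS keeps the event date and its timezone in separate fields
    (event_date as YYYY-MM-DDTHH:MM:SS.mmm, event_tz as +HH:MM); every record
    here is stored in UTC with event_tz fixed to +00:00.
    """
    records = []
    for source, stamp, title in events:
        utc = to_utc(stamp)
        records.append({
            "event_title": title,
            "event_source": source,
            "event_date": utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3],
            "event_tz": "+00:00",
            "original_timestamp": stamp,  # keep what the source said, for the report
        })
    records.sort(key=lambda r: r["event_date"])
    return records


if __name__ == "__main__":
    for rec in build_timeline(SAMPLE_EVENTS):
        print(rec["event_date"], rec["event_tz"], rec["event_source"], "-", rec["event_title"])
```

Entering the UTC value with +00:00 for every event keeps the ordering honest across sources; keeping the source's original string in the event description keeps the report traceable back to the raw log or header it came from.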

Adding Evidence

Email evidence from the lab scenario (headers and the start of the base64-encoded attachment; the body is truncated):

Return-Path: d.miller@gmail.com
Received: from kali (Unknown [172.16.50.254])
	by mail01.tech.com with ESMTP
	; Wed, 18 Oct 2023 08:04:04 -0700
Date: Wed, 18 Oct 2023 11:04:03 -0400
To: a.jones@tech.com
From: d.miller@gmail.com
Subject: Application as UI UX Designer
Message-Id: <20231018110403.1751702@kali>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_1751702"

------=_MIME_BOUNDARY_000_1751702
Content-Type: text/plain

Hey!
I attached my application for the UI/UX design position. It is stored in the .iso file and built when you execute the binary.

David

------=_MIME_BOUNDARY_000_1751702
Content-Type: application/octet-stream; name="application.iso"
Content-Description: application.iso
Content-Disposition: attachment; filename="application.iso"
Content-Transfer-Encoding: BASE64

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...(CUT)...
The datastore icon
The Summary tab
Adding a file
The fields to upload a file
All of the fields to upload evidence filled out
Our file in the datastore
Our file under the Evidences tab
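
When the message is added as evidence, the attachment's hash and the sender indicators should be extracted in a repeatable way rather than read off a screenshot. The Python below is an added example, not code from the course page or from the IRIS project. It parses a constructed copy of the lab email above (same headers, but a 64-byte placeholder in place of the real application.iso), hashes each attachment, and flags what the headers show: a claimed gmail.com sender whose mail entered mail01.tech.com directly from the private address 172.16.50.254 announcing itself as "kali", an X-Mailer of swaks (a command-line SMTP tool) rather than a mail client, and a disk-image attachment. The keys of the returned dictionary are my own naming, not IRIS's evidence fields.

```python
"""Pull evidence fields and sender indicators out of a phishing .eml.

Added example, not code from the course page or from IRIS. SAMPLE_EML is a
constructed copy of the lab email: same headers, but the attachment is a
64-byte placeholder instead of the real application.iso.
"""
import base64
import hashlib
import ipaddress
import re
from email import policy
from email.parser import BytesParser

SAMPLE_ATTACHMENT = b"\x00" * 64  # constructed placeholder for application.iso

SAMPLE_EML = b"""Return-Path: d.miller@gmail.com
Received: from kali (Unknown [172.16.50.254])
\tby mail01.tech.com with ESMTP
\t; Wed, 18 Oct 2023 08:04:04 -0700
Date: Wed, 18 Oct 2023 11:04:03 -0400
To: a.jones@tech.com
From: d.miller@gmail.com
Subject: Application as UI UX Designer
Message-Id: <20231018110403.1751702@kali>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_1751702"

------=_MIME_BOUNDARY_000_1751702
Content-Type: text/plain

Hey!
I attached my application for the UI/UX design position.

David

------=_MIME_BOUNDARY_000_1751702
Content-Type: application/octet-stream; name="application.iso"
Content-Disposition: attachment; filename="application.iso"
Content-Transfer-Encoding: BASE64

""" + base64.b64encode(SAMPLE_ATTACHMENT) + b"""
------=_MIME_BOUNDARY_000_1751702--
"""

# Container formats commonly used to wrap an executable so it gets past
# attachment filters that block .exe directly.
DISK_IMAGE_SUFFIXES = (".iso", ".img", ".vhd", ".vhdx")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_evidence(raw: bytes) -> dict:
    """Return the header fields and attachment hashes worth recording in the case."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = str(msg["Received"] or "")  # first hop: who handed the mail to our MTA
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    helo = re.search(r"\bfrom\s+(\S+)", received)
    relay = re.search(r"\bby\s+([\w.-]+)", received)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename() or "",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),  # the value to record against the evidence file
        })
    return {
        "from": str(msg["From"] or ""),
        "return_path": str(msg["Return-Path"] or ""),
        "subject": str(msg["Subject"] or ""),
        "message_id": str(msg["Message-Id"] or ""),
        "x_mailer": str(msg["X-Mailer"] or ""),
        "sending_ip": ip.group(1) if ip else "",
        "helo": helo.group(1) if helo else "",
        "relay": relay.group(1) if relay else "",
        "attachments": attachments,
    }


def assess(evidence: dict) -> list:
    """Plain-language findings about the message, for the case summary."""
    findings = []
    domain = evidence["from"].rsplit("@", 1)[-1]
    ip = evidence["sending_ip"]
    if ip and ipaddress.ip_address(ip).is_private:
        findings.append(
            f"sender claims {domain} but the mail entered {evidence['relay']} "
            f"from internal address {ip} announcing itself as '{evidence['helo']}'"
        )
    if "swaks" in evidence["x_mailer"].lower():
        findings.append("X-Mailer is swaks, a command-line SMTP tool rather than a mail client")
    for att in evidence["attachments"]:
        if att["filename"].lower().endswith(DISK_IMAGE_SUFFIXES):
            findings.append(f"attachment {att['filename']} is a disk image (sha256 {att['sha256']})")
    return findings


if __name__ == "__main__":
    ev = parse_evidence(SAMPLE_EML)
    for finding in assess(ev):
        print("-", finding)
```

Run it against the real .eml saved from the mailbox and record the attachment's SHA-256 alongside the file in the datastore; the findings list is what goes into the event comment or the case summary.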

Communicating and Collaborating

Adding a comment to an event
A series of comments on the event
The tasks tab
The fields to create a task
Our new task
Navigating to Access control
Managing user access
The access of the administrator user
The case options
Access type options
Managing group access

Generating a Report

Navigating to report templates
Report templates list
Downloading the report templates
The cover page of the report templates
The asset list in the report templates
Our case's Summary tab
Generating and downloading our report template
The cover page of our report
The asset list in our report

Closing a Case and Case Retention

The Manage button
Editing the case
Editing the Outcome of the case
Closing the case
Our closed case

Becoming the root user on the IRIS server

offsec@iris01:~$ sudo su
[sudo] password for offsec:

root@iris01:/home/offsec# cd /root/iris-web/

IRIS case database backup step

root@iris01:~/iris-web# docker container ls | grep iriswebapp_db
cd41ed129c5f   iriswebapp_db:v2.3.3           "docker-entrypoint.s..."   6 weeks ago   Up 5 weeks             127.0.0.1:5432->5432/tcp

root@iris01:~/iris-web# docker exec cd41ed129c5f pg_dump -U postgres iris_db | gzip > ../iris_db_backup.gz
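
The one-liner above produces a file but never checks it, so a container that stops mid-dump or a full disk leaves a backup that only looks valid. The Python below is an added example (not code from the course page or from the IRIS project): it runs the same docker exec / pg_dump command, writes the gzipped dump with a UTC timestamp in its name, then proves the file is usable by decompressing it completely and checking for pg_dump's opening comment and its "dump complete" trailer, and records the file's SHA-256 for the case notes. Container name, database user and database name come from the page; the default output directory /root matches the ../ in the page's command; SAMPLE_DUMP is a constructed stand-in for pg_dump output so the verifier can be exercised without Docker.

```python
"""Back up the IRIS case database and verify the dump before relying on it.

Added example, not code from the course page or from the IRIS project. It
wraps the page's own command (docker exec <db container> pg_dump -U postgres
iris_db, gzipped) and adds the checks the one-liner lacks. SAMPLE_DUMP is a
constructed stand-in for pg_dump output.
"""
import gzip
import hashlib
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DB_CONTAINER_NAME = "iriswebapp_db"        # container name from the page
DB_USER, DB_NAME = "postgres", "iris_db"   # from the page's pg_dump invocation
DEFAULT_OUT_DIR = "/root"                  # where the page's ../iris_db_backup.gz lands
# pg_dump's plain-text output starts and ends with these comment lines.
PG_DUMP_HEADER = b"-- PostgreSQL database dump"
PG_DUMP_TRAILER = b"-- PostgreSQL database dump complete"

SAMPLE_DUMP = (  # constructed, shaped like real pg_dump output
    b"--\n-- PostgreSQL database dump\n--\n\n"
    b"CREATE TABLE public.cases (case_id integer NOT NULL);\n\n"
    b"--\n-- PostgreSQL database dump complete\n--\n\n"
)


def find_db_container() -> str:
    """Resolve the database container ID instead of hard-coding it."""
    result = subprocess.run(
        ["docker", "container", "ls", "--filter", f"name={DB_CONTAINER_NAME}", "--format", "{{.ID}}"],
        check=True, capture_output=True, text=True,
    )
    ids = result.stdout.split()
    if len(ids) != 1:
        raise RuntimeError(f"expected one {DB_CONTAINER_NAME} container, found {ids}")
    return ids[0]


def dump_command(container_id: str) -> list:
    """The page's pg_dump command as an argv list (no shell involved)."""
    return ["docker", "exec", container_id, "pg_dump", "-U", DB_USER, DB_NAME]


def verify_dump(path: str) -> dict:
    """Decompress the whole file and confirm it is a complete pg_dump.

    Full decompression catches a truncated gzip stream; the header and trailer
    checks catch an empty dump or one cut off while pg_dump was still running.
    """
    try:
        with gzip.open(path, "rb") as fh:
            data = fh.read()
    except (OSError, EOFError) as exc:  # BadGzipFile is an OSError
        raise ValueError(f"{path}: not a readable gzip file ({exc})") from exc
    if PG_DUMP_HEADER not in data[:512]:
        raise ValueError(f"{path}: does not start with pg_dump output")
    if PG_DUMP_TRAILER not in data[-512:]:
        raise ValueError(f"{path}: pg_dump trailer missing, dump is incomplete")
    return {"bytes": len(data), "sha256": hashlib.sha256(Path(path).read_bytes()).hexdigest()}


def backup(out_dir: str = DEFAULT_OUT_DIR) -> dict:
    """Dump, compress, verify, and return what to record in the case notes."""
    container = find_db_container()
    dump = subprocess.run(dump_command(container), check=True, capture_output=True).stdout
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    out = Path(out_dir) / f"iris_db_backup_{stamp}.sql.gz"
    with gzip.open(out, "wb") as fh:
        fh.write(dump)
    info = verify_dump(str(out))
    info["path"] = str(out)
    return info


def sample_dump_file(body: bytes, truncate: bool = False) -> str:
    """Write a gzipped sample (optionally cut short) to a temp file; returns its path."""
    blob = gzip.compress(body)
    if truncate:
        blob = blob[:-16]  # drop the tail so decompression hits EOF early
    with tempfile.NamedTemporaryFile(suffix=".gz", delete=False) as fh:
        fh.write(blob)
        return fh.name


if __name__ == "__main__":
    info = backup(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_OUT_DIR)
    print(f"{info['path']}: {info['bytes']} bytes uncompressed, sha256 {info['sha256']}")
```

Two caveats when using this for retention: pg_dump covers the case database only, and files uploaded to the datastore are, on the assumption that the deployment follows the stock docker-compose layout, kept in the web application container's data volume rather than in Postgres, so they need their own copy; and a verified dump is still only a backup once it has been restored into a scratch database at least once.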

Creating a Case Based on Our Lab Incident

Creating a Case For Our Incident

Do it all again for the lab.

Adding Our Compromised and Investigated Assets

Do it all again for the lab.

Creating a Timeline Based on What We Know

Do it all again for the lab.

Adding Evidence from Our Investigation

Do it all again for the lab.
