Introduction
New types of modules are introduced in IRIS v1.4.0
IRIS can be extended with modules. They can be split into two types:
- Pipeline modules : Allow uploading and processing of evidence through modular pipelines (e.g. EVTX parsing and injection into a database or data visualiser)
- Processor modules : Allow processing of IRIS data upon predefined actions / hooks (e.g. being notified when a new IOC is created and getting VT/MISP insights for it).
Modules (or DIM - DFIR-IRIS Modules) are actually Python packages which must be installed in the Python environment of iris-webapp and the worker (see Quick Start).
Once installed in the Python environment, modules can be managed in Advanced > Modules.
Info
This section is only available for users with the Admin role.
By default, IRIS ships with multiple modules:
- IrisVTModule : Processor module offering VirusTotal insights (installed and registered)
- IrisMispModule : Processor module offering MISP insights (installed and registered)
- IrisWebHooksModule : Processor module offering webhooks support (manual installation)
- IrisCheckModule : A basic processor module that logs every hook. Used to check proper functioning. (installed and registered)
- IrisEVTXModule : A pipeline module offering EVTX import into Splunk through IRIS (installed but not registered)