dfir-iris-misp-timesketch

Scripts to integrate DFIR-IRIS, MISP and TimeSketch

Scripts

IRIS

iris_create_case.py

• Create a new IRIS case
• Add default set of notes, based on MD templates (such as "notes_intake.md")
• Add default set of tasks, based on a TheHive template
• Add global task

iris_delete_tasks.py

• Delete tasks from an IRIS case

iris_add_assets.py

• Add assets to IRIS from a CSV file

iris_get_from_ts.py

• Get Timeline events from TimeSketch

iris_add_iocs_misp.py

• Add IOCs from MISP to IRIS

iris_add_evidence.py

• Add evidence to IRIS

iris_get_from_ts_savedsearch.py

• Get timeline events from a Timesketch saved search

iris_get_from_ts_savedsearch_byid.py

• Get timeline events from a TimeSketch saved search (by id)

TimeSketch

ts_import_pcap.py

• Import PCAP file into TimeSketch

ts_ioc_iris_savedsearch.py

• Create a saved search based on IOCs in an IRIS case

ts_add_event.py

• Manually add a TimeSketch event

ts_ioc_misp_savedsearch.py

• Create a saved search based on IOCs from a MISP event

ts_create_sketch.py

• Create a TimeSketch sketch

ts_import_evtx.py

Import EVTX file into TimeSketch

Elastic

https://github.com/cudeso/elastic-dfir-cluster