🦖Day 91 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.IRIS.Sync.Asset

Author: @StephMikiss

Link: https://docs.velociraptor.app/exchange/artifacts/pages/iris.sync.asset

----

This artifact synchronizes clients from Velociraptor to DFIR-IRIS (https://dfir-iris.org/). It parses the available client information, such as network interfaces, IP addresses, asset type and applied labels.

----

For those unfamiliar with DFIR-IRIS (@dfir_iris), it is a free, open source incident response platform that includes a host of useful and innovative features that even many commercial platforms don't possess. Check it out using the link below!

https://dfir-iris.org/

----

Once a client has been added to DFIR-IRIS, the asset ID from DFIR-IRIS will be added as client metadata and ‘IRIS’ will be added as a label.

If a client already possesses an asset ID, it will be updated; in general, labels and the compromised status will be synchronized.

----

This artifact is very powerful because we can quickly add clients to DFIR-IRIS from Velociraptor with very little effort.

This means that we can spend less time on managerial tasks, and more time on investigating and remediating the hosts we deem compromised.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#IRIS
#ThreatHunting
