Posts

Introducing iris-ng: A MISP-Native, AI-Assisted Fork of DFIR-IRIS

DFIR-IRIS has long filled an important gap in the incident response ecosystem: a free and open-source platform for managing investigations, sharing technical details, tracking evidence, documenting timelines, and collaborating across active cases. The official DFIR-IRIS project describes itself as a collaborative incident response platform designed to help teams streamline investigations and work together in real time. I have been using DFIR-IRIS as a practical foundation for incident response workflows, automation, and case documentation. Over time, I found myself wanting tighter integration between case management, threat intelligence, MISP, analyst notes, evidence, tasking, and AI-assisted review. That led to iris-ng, my community fork of DFIR-IRIS.

Repository: https://github.com/zach115th/iris-ng

What is iris-ng?

iris-ng is a community fork of DFIR-IRIS v2.5.0-beta.1 focused on continuing practical incident response platform development while preserving compat...

Simple Windows Firewall Bouncer (SWFB)

If you've ever spun up a Windows server with RDP exposed, you already know what the logs look like. Within hours, sometimes minutes, Event ID 4625 starts flooding the Security log. Failed logon. Failed logon. Failed logon. Different usernames, same IP. Same username, different IPs. The internet is constantly knocking. On Linux, tools like fail2ban and crowdsec have solved this problem for years. On Windows? You're mostly on your own. There are third-party agents, EDR add-ons, and cloud-based solutions, but if you want something lightweight, auditable, and dependency-free that you can just drop on a box and run, the options are slim. So I built one: Simple Windows Firewall Bouncer (SWFB).

What It Does

SWFB is a PowerShell script that runs in a loop, watches Windows Security Event Logs for failed logon attempts (Event ID 4625), and fires off netsh advfirewall rules to block offending IPs, automatically, with no external software required. It handles three distinct...

LLM-Augmented DFIR-IRIS Case Templates: Embedding AI Prompts Directly in Your IR Reports

In a previous post I released a library of DFIR-IRIS case templates covering common incident types. Those templates give you a pre-built task list, structured note directories, and a report scaffold, but the actual narrative content still needs to be written by a human analyst at the end of a long and usually exhausting investigation. I've been experimenting with a different approach: embedding structured LLM prompts directly inside the case template's summary field, so that when the investigation is complete, an AI can draft the report narrative from the case data automatically. This post describes the concept, shows how the prompts are structured, and discusses where it works well and where it still needs a human. Experimental status: These are experimental templates. They are not a replacement for analyst judgment and should not be used to generate reports that go to stakeholders without review. The intent is to reduce the time cost of first-draft report writ...

DFIR-IRIS Case Templates: A Free, Open-Source Library for Common Incident Types

Every incident starts the same way: a blank case. No structure, no task list, no note framework, just an empty canvas at the moment when you have the least time to think about documentation. Over time I got tired of rebuilding the same scaffolding from scratch, so I built a library of DFIR-IRIS case templates covering the most common incident types we handle in security operations. The templates are free, open-source, and available on GitHub. This post walks through what's included, how they're structured, and how to get started.

What's Included

The library currently covers 13 incident types:

Template / File / What it covers
💼 Business Email Compromise / BEC.json / Account takeover, inbox rules, financial fraud, payroll diversion
☁️ Cloud Data Breach / CloudDataBreach.json / Cloud tenant/storage exposure, IAM investigation, provider coordination
🗃️ Data Breach / DataBreach.json / Unauthorized access/disclosure, GDPR/HIPAA/PCI-DSS/CCPA obligat...