DFIR-IRIS Case Templates: A Free, Open-Source Library for Common Incident Types
Every incident starts the same way: a blank case. No structure, no task list, no note framework, just an empty canvas at the moment when you have the least time to think about documentation. Over time I got tired of rebuilding the same scaffolding from scratch, so I built a library of DFIR-IRIS case templates covering the most common incident types we handle in security operations.
The templates are free, open-source, and available on GitHub. This post walks through what's included, how they're structured, and how to get started.
What's Included
The library currently covers 13 incident types:
| Template | File | What it covers |
|---|---|---|
| 💼 Business Email Compromise | BEC.json | Account takeover, inbox rules, financial fraud, payroll diversion |
| ☁️ Cloud Data Breach | CloudDataBreach.json | Cloud tenant/storage exposure, IAM investigation, provider coordination |
| 🗃️ Data Breach | DataBreach.json | Unauthorized access/disclosure, GDPR/HIPAA/PCI-DSS/CCPA obligations |
| 🌊 DDoS Attack | DDoSAttack.json | Volumetric, protocol, and application-layer attacks; mitigation and recovery |
| 🔑 Identity Provider / SSO Compromise | IdentityProviderCompromise.json | Okta/Entra/ADFS compromise, AiTM outcomes, token revocation |
| 🕵️ Insider Threat | InsiderThreat.json | Misuse of access, HR/legal coordination, chain of custody, intent assessment |
| 📱 Lost or Stolen Device | LostStolenDevice.json | Encryption/MDM status, remote wipe, HIPAA Safe Harbor analysis |
| 🦠 Malware Infection (Non-Ransomware) | MalwareInfection.json | RATs, infostealers, cryptominers, C2 profiling, stealer log analysis |
| 🎣 Phishing Attack | PhishingAttack.json | Email header/auth analysis, SPF/DKIM/DMARC, payload analysis, scope |
| 🔒 Ransomware Attack | RansomwareAttack.json | Full lifecycle: triage → investigation → eradication → recovery → reporting |
| 🔗 Supply Chain / Third-Party Compromise | SupplyChainCompromise.json | Compromised software/updates/MSPs, vendor engagement, downstream impact |
| 🔑 Unauthorized Access / Intrusion | UnauthorizedAccessIntrusion.json | Intrusion validation, lateral movement, persistence, notification obligations |
| 🌐 Web Application Compromise | WebApplicationCompromise.json | Exploitation path analysis, web shell identification, WAF/containment |
Template Structure
Each template is a JSON file compatible with DFIR-IRIS's case template import. Every template follows this structure:
```json
{
"name": "RansomwareAttack",
"display_name": "Ransomware Attack",
"title_prefix": "[RANSOMWARE]",
"tags": ["tlp:amber", "CERT-XLM:malicious-code=\"ransomware\""],
"tasks": [ ... ],
"note_directories": [ ... ]
}
```
The three key components are tasks, note directories, and a pre-filled case summary.
Tasks
Each template includes a task list aligned to the incident type and structured around a consistent response lifecycle: validate → scope → preserve → contain → investigate → remediate → notify → close. The Ransomware template, for example, includes 16 tasks covering everything from initial validation through to lessons learned, each with descriptive guidance and typed tags like triage, containment, lateral-movement, and eradication.
Note Directories
Notes are where the actual investigation documentation lives. Each template organises notes into directories that map to the response phases. The Ransomware template has six directories:
- Incident Overview — Initial summary, current status, business impact, decision log
- Technical Investigation — Initial access, persistence, lateral movement, credential access, exfiltration, ransomware artifacts, IOCs
- Affected Environment — Host inventory, account inventory, network scope
- Response Actions — Containment log, eradication tracker, recovery log
- Communications and Reporting — Stakeholder log, external notification tracker, ransom communication log
- Post-Incident — Lessons learned, case closure
Every note uses a consistent markdown framework: `##` section headers, `---` separators, `<!-- HTML comment placeholders -->` for analyst-populated fields, structured tables for log and inventory data, and `- [ ]` checklists in status and closure notes.
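Because every note follows the same markdown conventions, a closure gate can be scripted: scan a note's content for `##` sections, unfilled `<!-- -->` placeholders and open `- [ ]` items, and refuse to mark the case closed while any remain. The script below is an added example, not code from the template repository; the note text it checks is a constructed sample shaped like the Incident Overview notes described above, and the section names in it are illustrative.

```python
"""Audit a DFIR-IRIS note (markdown) for unfinished analyst fields.

Added example; assumes notes follow the conventions the post describes:
'## ' headers, '---' separators, '<!-- ... -->' placeholders and '- [ ]' checklists.
"""
import re

SECTION_RE = re.compile(r"^## (.+?)\s*$", re.MULTILINE)
PLACEHOLDER_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
UNCHECKED_RE = re.compile(r"^\s*- \[ \] (.+?)\s*$", re.MULTILINE)

# Constructed sample note: one field still holds its placeholder and two checklist items are open.
SAMPLE_NOTE = """## Current Status
---
Status: Contained, recovery in progress

## Business Impact
---
<!-- Describe affected business processes and estimated downtime -->

## Closure Checklist
---
- [x] Evidence preserved and hashed
- [ ] Lessons learned session scheduled
- [ ] External notifications completed
"""


def audit_note(markdown: str) -> dict:
    """Return the sections found plus everything an analyst still has to fill in."""
    return {
        "sections": SECTION_RE.findall(markdown),
        # Placeholder text is kept so the report tells the analyst what is missing.
        "unfilled_placeholders": [p.strip() for p in PLACEHOLDER_RE.findall(markdown)],
        "open_items": UNCHECKED_RE.findall(markdown),
    }


def ready_to_close(markdown: str) -> bool:
    """True only when no placeholder is left and every checklist item is ticked."""
    audit = audit_note(markdown)
    return not audit["unfilled_placeholders"] and not audit["open_items"]


def closure_report(markdown: str) -> str:
    """Human-readable summary suitable for pasting into the case closure note."""
    audit = audit_note(markdown)
    lines = [f"Sections: {len(audit['sections'])}"]
    lines += [f"Unfilled: {p}" for p in audit["unfilled_placeholders"]]
    lines += [f"Open item: {item}" for item in audit["open_items"]]
    lines.append("READY TO CLOSE" if ready_to_close(markdown) else "NOT READY TO CLOSE")
    return "\n".join(lines)


if __name__ == "__main__":
    print(closure_report(SAMPLE_NOTE))
```

Run the same function over every note in a case before closure and you get a single list of outstanding fields instead of paging through six directories by hand.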
Pre-filled Case Summary
Each template ships with a pre-built case summary document that doubles as a final report scaffold. The Ransomware summary is a full IR report template, including an executive summary section, a MITRE ATT&CK® framework analysis section with per-tactic evidence tables (TA0001 through TA0040), a CTI findings section with a threat actor profile, and a remediation and recommendations section with both immediate actions and strategic improvements. It is designed to be filled in during the investigation and handed to leadership or regulators at close with minimal reformatting.
MISP and CERT-XLM Integration
The templates are designed with MISP integration in mind. Each template ships with default tags aligned to the CERT-XLM taxonomy and TLP, so that if you are syncing IRIS cases or IOCs to MISP (for example, using n8n automation), the case context and classification can propagate to MISP events automatically.
Examples of the default tags included:
| Template | Default Tags |
|---|---|
| Ransomware Attack | tlp:amber, CERT-XLM:malicious-code="ransomware", CERT-XLM:information-content-security="Unauthorised-information-access" |
| Phishing Attack | tlp:amber, CERT-XLM:fraud="phishing" |
| DDoS Attack | tlp:amber, CERT-XLM:availability="ddos" |
| Data Breach | tlp:amber, CERT-XLM:information-content-security="data-loss" |
How to Import
- Download the desired `.json` file from the `Templates/` directory on GitHub.
- In DFIR-IRIS, navigate to the case template management area (Administration → Case Templates, depending on your version).
- Create a new template or use the JSON import option if available.
- Review tasks, note directories, tags, and classification before saving.
- Test by creating a new case from the template and verifying the structure loads correctly.
Before going into production, validate that classifications match your internal taxonomy, tags align with your tagging standard, and note sections match your reporting requirements.
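The structure shown under Template Structure and the tag conventions in the MISP section are easy to check mechanically before import. The script below is an added example, not part of the template library: it lints a template for the top-level keys the post describes, parses each tag into the namespace/predicate/value form MISP uses, and enforces a site policy on which TLP levels are acceptable. The per-task and per-directory fields it checks (`title`, `description`, `tags`, `notes`) are an assumption about the files' inner layout; the sample template is constructed for the demo and mirrors the post's DDoS tag example rather than copying a repository file.

```python
"""Pre-import lint for DFIR-IRIS case template JSON files (added example)."""
import json
import re

# Top-level keys every template in the library carries, per the structure shown in the post.
REQUIRED_KEYS = ("name", "display_name", "title_prefix", "tags", "tasks", "note_directories")

# Tag grammar assumed from the post's examples: "tlp:amber" and CERT-XLM:<predicate>="<value>".
TLP_RE = re.compile(r'^tlp:(clear|white|green|amber|amber\+strict|red)$')
CERTXLM_RE = re.compile(r'^CERT-XLM:([a-z-]+)="([^"]+)"$')

# Constructed sample template (not a file from the repo); inner task/note fields are assumed.
SAMPLE_TEMPLATE_JSON = r"""
{
  "name": "DDoSAttack",
  "display_name": "DDoS Attack",
  "title_prefix": "[DDOS]",
  "tags": ["tlp:amber", "CERT-XLM:availability=\"ddos\""],
  "tasks": [
    {"title": "Validate the alert", "description": "Confirm the anomaly is an attack", "tags": ["triage"]},
    {"title": "Engage upstream provider", "description": "Request scrubbing", "tags": ["containment"]}
  ],
  "note_directories": [
    {"title": "Incident Overview",
     "notes": [{"title": "Initial Summary", "content": "## Summary\n---\n<!-- fill in -->"}]}
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample exactly as a downloaded file would be parsed."""
    return json.loads(SAMPLE_TEMPLATE_JSON)


def parse_tag(tag: str) -> dict:
    """Split a tag into namespace/predicate/value, the shape a MISP sync needs."""
    m = TLP_RE.match(tag)
    if m:
        return {"namespace": "tlp", "predicate": m.group(1), "value": None}
    m = CERTXLM_RE.match(tag)
    if m:
        return {"namespace": "CERT-XLM", "predicate": m.group(1), "value": m.group(2)}
    raise ValueError(f"unrecognised tag format: {tag!r}")


def lint_template(template: dict, allowed_tlp=("amber", "red")) -> list:
    """Return a list of problems; an empty list means the template passed every check."""
    problems = [f"missing top-level key: {k}" for k in REQUIRED_KEYS if k not in template]
    if problems:
        return problems  # structural failure; later checks would only raise KeyError
    prefix = template["title_prefix"]
    if not (prefix.startswith("[") and prefix.endswith("]")):
        problems.append("title_prefix should be bracketed, e.g. [RANSOMWARE]")
    tags = template["tags"]
    if not any(t.startswith("tlp:") for t in tags):
        problems.append("no TLP tag: synced MISP events would carry no sharing marking")
    for tag in tags:
        try:
            parsed = parse_tag(tag)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if parsed["namespace"] == "tlp" and parsed["predicate"] not in allowed_tlp:
            problems.append(f"TLP level {parsed['predicate']!r} not in allowed set {allowed_tlp}")
    if not template["tasks"]:
        problems.append("task list is empty")
    for i, task in enumerate(template["tasks"]):
        if not task.get("title"):
            problems.append(f"task #{i} has no title")
        if not task.get("tags"):
            problems.append(f"task #{i} has no phase tag (triage, containment, ...)")
    if not template["note_directories"]:
        problems.append("no note directories defined")
    for d in template["note_directories"]:
        if not d.get("title"):
            problems.append("note directory without a title")
        if not d.get("notes"):
            problems.append(f"note directory {d.get('title')!r} contains no notes")
    return problems


def lint_file(path: str) -> list:
    """Lint a template file downloaded from the Templates/ directory."""
    with open(path, encoding="utf-8") as fh:
        return lint_template(json.load(fh))


if __name__ == "__main__":
    print(lint_template(load_sample()) or "sample template OK")
```

Point `lint_file` at each downloaded template before the import step, and adjust `allowed_tlp` and the tag regexes to match your own tagging standard; a non-empty result is the list of things to fix before the template reaches production.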
Design Philosophy
These templates are built to be operationally useful without being prescriptive. Each one separates the response lifecycle into discrete phases (validation, scoping, evidence preservation, technical investigation, containment and remediation, communications, and post-incident) so that no phase gets collapsed into another under pressure.
They are meant to be a starting point, not a hard rule. You should clone and adapt them for your environment: add internal escalation paths, legal or privacy requirements, evidence retention standards, your SIEM and EDR specifics, and any automation hooks you want to wire in. The recommended approach is to version-control your customised versions in your own fork, test them in IRIS before operational rollout, and refine them after real incidents.
Get the Templates
The full template library is available on GitHub at https://github.com/zach115th/DFIR-IRIS-Templates/tree/main/Templates. If you find them useful, have suggestions, or want to contribute templates for additional incident types, feel free to open an issue or pull request.
If these templates save you time on your next ransomware call at 2 AM, that's the whole point.