[FR] Mailing Functionality

[Ohmsnipe]

Is your feature request related to a problem? Please describe. I want to have the options to use mailing functionality. E.g: When there are questions to special departments in a company, we normaly mail these departments and get answers by mail.

Describe the solution you'd like It would be nice to have a Communication Tab for Cases, Where i can take down notes/ send mails to departments and also recieve answers, which show up in the according case.

Describe alternatives you've considered Simply using a mail programm, but nothing would be documented in the case

Will there be a Mailing Module or something similar in the IRIS Roadmap?

[m-terlinde]

How do you picture the email element in the UI?

Building in a whole "ticketing system" with conversations and so on into DFIR-IRIS doesn't seem very suitable for me.

[whikernel]

Hi @Ohmsnipe

I tend to relate what @m-terlinde said. We're trying to keep IRIS focus on the core features, which is handling incidents. While it would be nice to have this, we might end up with a very complex system.

On the other hand, it is in our plan to add a Command Center tab, where the lead investigator could have an overview of the case, the status, an history of what have been done, communications and so on. This could be plugged to an automation tool that would mimic what you want to do. We don't have an ETA on this tho.

[Ohmsnipe]

Yeah i was hoping that something like a ticketing function over mail will be added at some point to IRIS.

Thank you both for the insights! I think the Command Center is not exactly what I need. Beause I would only see the communication and won't be able to send mails from there or interact with the "Case-Contacts". The communication itself would take place on a third tool then again.

[m-terlinde]

Not sure, if this helps you. Here is what we do:

• Use IRIS as single point of truth for "technical" intrusion details
• We have a ticketing system for our daily work
• The ticketing system is also used for incident communication, because it does this good
• If there is a technical conclusion (which isn't often), we transfer the details to IRIS
• Especially timeline relevant data will mostly produced by ourselves or handed over via some timelining format
• I haven't seen a mail, which only contains one single timelinie event, which we needed to add so far
• Most emails contain data like network diagramms and so on. They will be added to the notes of the case.

[Ohmsnipe]

@m-terlinde Thank you for the provided information. Yeah i think it will be as you describe it above. Using IRIS as single point of truth and using a seperate "Ticketing-System" additionally.

Thank you!