[FR] Import and export case details

dfir-iris / iris-web

Collaborative Incident Response platform

GNU Lesser General Public License v3.0

1.09k stars 186 forks source link

[FR] Import and export case details #67

Open cudeso opened 2 years ago

cudeso commented 2 years ago

Is your feature request related to a problem? Please describe. Have an option to export and import all case details.

Describe the solution you'd like

Export all case details in JSON file
- ID, summary, notes, events, assets, ...
- In structured JSON format
- Also see https://github.com/dfir-iris/iris-web/issues/66 for export
Import case details from a JSON file

whikernel commented 2 years ago

Thanks @cudeso ! This is indeed a subject we're looking into. Unfortunately it appears to be a little more complex than we thought at first. The export should not be an issue and is already partial possible with the case/export?cid=xxx endpoint. However the import is something else. Because almost everything is tied up to a case ID and multiple users ID, this make the import tricky, especially if the same users do not exists in the target plateforme. The case ID should be easily transferable, however as multiple users are involved it's more complex. You can see below a graph of the DB.

One easy solution would be to replace every non-existant users with a selected target user. I'm not sure if that's the right way. We welcome any ideas on that matter :)

sjtrotter commented 1 year ago

Edit: - background: I have an interest in the import and export of the database as well. In our use case, we may have one or more instance of IRIS in separate locations, but which when they come back to one place it would be really helpful to be able to export their databases and import them into a central IRIS.

What if you created the user in the import database, as a disabled user and a random password within the requirements?

Alternatively, you could provide an interface that would allow the importing-person to re-assign users, with a checkbox if none are selected to create the user if needed.

re-edit: also wanted to note, it would be more helpful if all database objects were exportable/importable, not just case details. for example, the customer as well as IOCs and assets.

59e5aaf4 commented 8 months ago

Hello, while we're talking about exporting objects (assets, iocs, events), the last_update field is really important to use (to ensure sync with third party threat intel locations), and looks like it's not always included in all object serializations that exist. I reviewed case/export, case/<object>/list and couldn't find them exported reliably. If you're going to check out the export code, feel free to expose object_last_update everywhere for all kind of objects. If we could have an API that just tells us the last moment a case was touched that would be great. I'll open an issue. Thanks for the good work !

EDIT : opened #443