Automate DFIRe forensic case management and IOC indicator synchronization from Cortex XSIAM and Cortex XSOAR.
DFIRe
DFIRe is a self-hosted Digital Forensics and Incident Response (DFIR) case management platform built for security professionals. It provides structured investigation workflows, evidence tracking with full chain of custody, IOC indicator management, and NIST-aligned incident response phases, all running on your own infrastructure with AES-256 encryption.
What does this pack do?
This pack integrates Cortex XSIAM with a DFIRe instance to automate your forensics and incident response workflows, including:
- Case management: Create, update, list, and close DFIRe cases directly from playbooks. Supports severity levels, assignees, and custom case types.
- IOC indicator synchronization: Push indicators (IPs, domains, hashes, URLs) from Cortex XSIAM into DFIRe's global IOC registry, and link them to specific cases.
- Evidence item tracking: Create and manage evidence items with type classification and flag tagging to maintain chain of custody.
- File attachments: Upload War Room files as encrypted attachments to cases or evidence items.
- Timeline enrichment: Add forensic timeline events to DFIRe cases, and retrieve existing timelines for investigation context.
- Full-text search: Query across cases, indicators, notes, evidence items, and entities in one call.
- User & lookup data: Retrieve users, case types, evidence types, and flag definitions to drive dynamic playbook logic.
Use Cases
- Automatically open a DFIRe case when a high-severity Cortex XSIAM issue fires and assign it to the on-call analyst.
- Enrich a DFIRe case with IOC indicators extracted during triage, keeping the forensics case and the Cortex XSOAR investigation in sync.
- Upload memory dumps, logs, or forensic artifacts from a War Room investigation directly into DFIRe with a single playbook task.
- Add incident timeline entries from automated response actions so the forensic record reflects the full response lifecycle.
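The IOC synchronization use case above depends on the indicators leaving triage in a clean, typed, de-duplicated form before they are linked to a case. The following is an added example, not code from the DFIRe pack or its integration; it classifies raw triage strings into the four indicator kinds the pack mentions (IP, domain, hash, URL), refangs common analyst defanging, drops duplicates, and assembles a payload. The payload shape, the `case_id` field and the `skipped` list are assumptions for illustration; the real command names and argument names are those documented in the integration README.

```python
"""Added example (not part of the DFIRe pack or its integration code).

Normalizes and de-duplicates indicators collected during triage before
they are pushed to a forensics case. The payload shape and the case id
are assumptions for illustration; the pack's own command and argument
names are documented in its integration README.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Digest lengths (hex characters) for the hash types most often seen in triage.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Conservative hostname check: labels of 1-63 chars, no leading/trailing
# hyphen, alphabetic TLD, total length at most 253 characters.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def classify_indicator(value: str) -> Optional[dict]:
    """Return {"type": ..., "value": ...} for a supported IOC, or None."""
    raw = value.strip()
    if not raw:
        return None

    # Hashes: a hex string of a known digest length, normalized to lowercase.
    lower = raw.lower()
    if len(lower) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", lower):
        return {"type": HASH_LENGTHS[len(lower)], "value": lower}

    # Refang the bracket notation analysts use to keep IOCs non-clickable.
    candidate = raw.replace("[.]", ".").replace("[:]", ":")

    # IP addresses, v4 and v6; ipaddress rejects anything malformed.
    try:
        ip = ipaddress.ip_address(candidate)
        return {"type": "ip", "value": str(ip)}
    except ValueError:
        pass

    # URLs: must carry an http(s) scheme and a host after refanging "hxxp".
    if "://" in candidate:
        parsed = urlparse(candidate.replace("hxxp", "http"))
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return {"type": "url", "value": parsed.geturl()}

    # Domains: compared case-insensitively, stored lowercase.
    if DOMAIN_RE.match(candidate.lower()):
        return {"type": "domain", "value": candidate.lower()}

    return None


def build_case_indicators(case_id: str, raw_values: list) -> dict:
    """Build an assumed link-to-case payload: typed, de-duplicated indicators.

    Values that cannot be classified are reported in "skipped" so the
    playbook can surface them to the analyst instead of silently dropping them.
    """
    seen = set()
    indicators = []
    skipped = []
    for value in raw_values:
        ioc = classify_indicator(value)
        if ioc is None:
            skipped.append(value)
            continue
        key = (ioc["type"], ioc["value"])
        if key in seen:
            continue  # same indicator seen twice during triage (e.g. defanged and plain)
        seen.add(key)
        indicators.append(ioc)
    return {"case_id": case_id, "indicators": indicators, "skipped": skipped}


if __name__ == "__main__":
    # Constructed sample triage output, including defanged and duplicate entries.
    sample = [
        "10.0.0[.]1",
        "10.0.0.1",
        "Evil.Example.COM",
        "hxxps://evil.example.com/x",
        "d41d8cd98f00b204e9800998ecf8427e",
        "not an ioc",
        "",
    ]
    print(build_case_indicators("CASE-PLACEHOLDER", sample))
```

The classifier is deliberately strict: an unrecognized string is returned in `skipped` rather than guessed at, because a mistyped indicator linked to a case pollutes the forensic record and the global IOC registry alike.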
Configuration
The integration requires a running DFIRe instance (self-hosted) and an API key generated in System Settings → Integrations within DFIRe. See the integration README for full setup instructions.