dfir-iris / iris-doc-src Goto Github PK

We will add this to the documentation repo instead

Originally posted by @whikernel in dfir-iris/iris-web#369 (review)

These remarks are all about the documentation page Processor modules, with respect to a v2.0.0-beta-1 version:

• listing iris_dummy_module/IrisDummyConfig.py: module_version should be a string, rather than a float
• likewise, it would be nice for the attribute _interface_version to have a string, rather than float type
• listing iris_dummy_module/IrisDummyModule.py: the import which defines interface_conf is probably missing?
• listing iris_dummy_module/IrisDummyModule.py, method hooks_handler has the wrong signature: it is missing the hook_ui_name.

Thank you.

As specified here dfir-iris/iris-web#22, by @cudeso :

"""
According to https://dfir-iris.github.io/_static/iris_api_reference.html#operation/post-case-asset-add the fields asset_type_id and analysis_status_id require a string. However the API returns
"data": {"analysis_status_id": ["Not a valid integer."], "asset_type_id": ["Not a valid integer."]}

Supplying integers in the POST results in a successful request.
"""

As reported here dfir-iris/iris-web#20, endpoint manage/assettype/list is missing in the API reference/

These are remarks about documentation page Modules:

• attribute _module_description is not documented, but present of the code of existing modules
• could you please document the list of all possible parameters types that can be used in module configuration? From existing modules, I have collected bool, float, string, sensitive_string, textfield_json and textfield_html. But maybe there are more?

Thank you.

Reported by @c8y3 - see dfir-iris/iris-web#159 (comment)

Here are a few typos found in the documentation pages:

https://docs.dfir-iris.org/development/: The sub-branches of develop contains either => The sub-branches of develop contain either
https://docs.dfir-iris.org/development/: An issue fixe => An issue fix
https://docs.dfir-iris.org/development/: This ensure a smooth migration between versions => This ensures a smooth migration between versions
https://docs.dfir-iris.org/development/environment/: Then Pycharm need to be setup with a dedicated environment, by adding a new configuration => Then Pycharm needs to be setup with a dedicated environment, by adding a new configuration
https://docs.dfir-iris.org/development/environment/: To do so, the app docker need to be erased and rebuilt => To do so, the app docker needs to be erased and rebuilt.
https://docs.dfir-iris.org/development/code-tips/: IRIS does not defines a separate API for users => IRIS does not define a separate API for users
https://docs.dfir-iris.org/development/code-tips/: It's often the page method itself except for modales => It's often the page method itself except for modals

It would be great to have acronyms link to some external explanatory page. For instance on page https://docs.dfir-iris.org/operations/modules/, EVTX could link to https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc. Alternatively, a page with all acronym definitions would be nice. Such as VT: VirusTotal, MISP: Malware Information Sharing Project, IOC: Indicator Of Compromise, IR: Incident Response, DIM: DFIR IRIS Module...
By the way, what is the meaning of DFIR-IRIS?

Lastly, on page https://docs.dfir-iris.org/operations/modules/, it would be nice to have "see Quick Start" be a link to the corresponding documentation page.

Thank you.

CF dfir-iris/iris-web#6 (comment)

Here are a few issues with the REST API documentation.

• The example url provided in section "How to use" of https://docs.dfir-iris.org/operations/api/ has query parameter cid (http://localhost:8000/manage/cases/list?cid=1). But in the API documentation of endpoint /manage/cases/list, cid does not seem to be a query parameter.
• Field cid in the payload of /manage/cases/add is indicated as required. This does not seem to be the case both from the request sample and an experimentation with v2.0.0-beta-1.
• It would be nice to have a response sample for endpoint /case/export
• Endpoint /manage/customers/list to get the list of customers is not documented but seems to be working in version v2.0.0-beta-1
• Endpoint /manage/cases/{cid} to get a case seems not to be working in version v2.0.0-beta-1. It is not documented either, but it is present in the client. What should it be?

Initially opened as dfir-iris/iris-web#165 (comment)

These remarks all concern the documentation page on hooks (https://docs.dfir-iris.org/development/hooks/):

• Method register_hooks is mentioned in this page, but it is only explained later in the Processor modules page (https://docs.dfir-iris.org/development/modules/quick_start/processor/). I suggest to move the documentation page on hooks down in the Modules section and after the Quick Start
• rather than one table with all hooks, it would maybe be more readable to have three lists of hooks: postload, manual and preload
• could you please add a column in the hooks table to document the specific type of data that method hooks_handler will be called with for each hook? This is an import part of the contract between modules code and IRIS.

Thank you.

These remarks are not really bugs in the documentation, but changes which will be needed to do for the future v2.0.0 release. They are discrepancies between the current documentation and the behaviour of the v2.0.0-beta-1:

• https://docs.dfir-iris.org/operations/modules/mod_management/: the + button is now a Add module button. The screenshot should be changed too
• https://docs.dfir-iris.org/operations/modules/mod_management/: in page Manage cases, there is no more Update tab. I guess, this is replaced by button Pipeline in the Case page?