DFIR Companion Dashboard

Threat-intel enrichment — choose sources

Pick which sources to query for this case's IOCs (hashes / IPs / domains / URLs). Local = your own self-hosted instances — queries stay on-box (OPSEC-safe). External = third-party services — querying them sends the indicator off-box and can tip off an adversary, so they're off by default. Enabling a source re-checks every IOC on it.

Settings

Investigator name Used as author when posting comments. Saved in this browser.

Dashboard sections — drag to reorder · check to show

Log verbosity — takes effect immediately (no restart) Default from DFIR_LOG_LEVEL. Logs tee to the console AND to files: logs/session-<time>.log (all activity) plus cases/<id>/logs/session-<time>.log (per-case audit trail). A new file is created each time the server starts.

⚠ Fields below require a server restart to take effect

Correlation window (s)DFIR_CORRELATE_WINDOW_S

Phase gap (s)DFIR_PHASE_GAP_S

Auto-synthesizeDFIR_AI_AUTO_SYNTHESIZE (on/off)

Auto-synthesize debounce (ms)DFIR_AI_AUTO_SYNTHESIZE_MS

Anonymize defaultDFIR_ANONYMIZE (on/off)

Screenshot flush interval (ms)DFIR_FLUSH_INTERVAL_MS

Duplicate screenshot detectionDFIR_DEDUP — skips a capture only if it's byte-identical to the one before it (screen didn't change). Any change is analyzed. Set off to analyze every screenshot regardless

Cases rootDFIR_CASES_ROOT

Max body size (MB)DFIR_MAX_BODY_MB

Disk-space warning threshold (%)DFIR_DISK_WARN_PCT — "danger" usage % that triggers the orange disk-space banner; warning is 15 pp below, critical 10 pp above. Leave blank for defaults (70/85/95%). Set to 0 to disable the check

Log directoryDFIR_LOG_DIR — folder for the global session log; blank = logs/ beside the cases root. Per-case logs always stay in the case folder

Bind hostDFIR_HOST — keep 127.0.0.1 (localhost only) unless you know what you're doing

PortDFIR_PORT — the dashboard moves with it; reopen on the new port

⚠ All AI settings require a server restart to take effect

ProviderDFIR_AI_PROVIDER

Model (extraction, must support vision)DFIR_AI_MODEL

API keyDFIR_AI_KEY

Base URL overrideDFIR_AI_BASE_URL — leave blank for provider default

Timeout (ms)DFIR_AI_TIMEOUT_MS

Max tokensDFIR_AI_MAX_TOKENS

Context tokensDFIR_AI_CONTEXT_TOKENS

Synth max eventsDFIR_AI_SYNTH_MAX_EVENTS

Image detailDFIR_AI_IMAGE_DETAIL

Synthesis model (optional — stronger model for one-shot synthesis)

Synth providerDFIR_AI_SYNTH_PROVIDER

Synth modelDFIR_AI_SYNTH_MODEL

Synth API keyDFIR_AI_SYNTH_KEY

Synth base URLDFIR_AI_SYNTH_BASE_URL

Velociraptor hunt model (used ONLY for generating Velociraptor VQL hunts — many models botch VQL)

Dedicated model for ✨ Suggest Velociraptor hunts (and the Fleet Hunts suggester), separate from the synthesis/OCR models. Default: openrouter / anthropic/claude-haiku-4.5. Leave the key blank to reuse the main AI key.

Velo providerDFIR_AI_VELO_PROVIDER

Velo modelDFIR_AI_VELO_MODEL

Velo API keyDFIR_AI_VELO_KEY

Velo base URLDFIR_AI_VELO_BASE_URL

Second opinion model (optional — a DIFFERENT model for the on-demand QA cross-check)

Powers the 2nd opinion button: a second model independently re-synthesizes the case and you review where it disagrees with the primary synthesis. The feature is OFF until a model is set here (the button stays hidden otherwise). For a genuinely independent opinion, pick a different provider than your synthesis model — same-provider models share blind spots. Leave the key blank to reuse the main AI key.

2nd-opinion providerDFIR_AI_SECOND_OPINION_PROVIDER

2nd-opinion modelDFIR_AI_SECOND_OPINION_MODEL

2nd-opinion API keyDFIR_AI_SECOND_OPINION_KEY

2nd-opinion base URLDFIR_AI_SECOND_OPINION_BASE_URL

Debugging & custom prompts

Log token usageDFIR_AI_DEBUG_USAGE — on to log prompt-cache token usage to the console

Point any of the AI prompts at a file to override the built-in default (re-read each call — no restart needed). The inline DFIR_AI_*_PROMPT overrides aren't editable here (they're multi-line); use a file path below or npm run prompts:eject.

System prompt fileDFIR_AI_SYSTEM_PROMPT_FILE

Synthesis prompt fileDFIR_AI_SYNTH_PROMPT_FILE

CSV prompt fileDFIR_AI_CSV_PROMPT_FILE

Log prompt fileDFIR_AI_LOG_PROMPT_FILE

Ask prompt fileDFIR_AI_ASK_PROMPT_FILE

Exec-summary prompt fileDFIR_AI_EXEC_PROMPT_FILE

Narrative prompt fileDFIR_AI_NARRATIVE_PROMPT_FILE

Fleet-hunts prompt fileDFIR_AI_HUNTS_PROMPT_FILE — Suggested Fleet Hunts (#57)

⚠ All enrichment settings require a server restart to take effect

VirusTotal

VirusTotal keyDFIR_VT_KEY

AbuseIPDB

AbuseIPDB keyDFIR_ABUSEIPDB_KEY

Hunting.ch (abuse.ch)

Hunting.ch keyDFIR_HUNTINGCH_KEY — legacy alias DFIR_MB_KEY also works

RockyRaccoon

RockyRaccoon keyDFIR_ROCKYRACCOON_KEY

CrowdStrike Falcon Intelligence

Client IDDFIR_CROWDSTRIKE_CLIENT_ID

Client secretDFIR_CROWDSTRIKE_CLIENT_SECRET

CloudDFIR_CROWDSTRIKE_CLOUD

Base URL overrideDFIR_CROWDSTRIKE_BASE_URL — leave blank to derive from Cloud

MISP

MISP URLDFIR_MISP_URL

MISP keyDFIR_MISP_KEY

CA bundleDFIR_MISP_CA

Distribution (0-3)DFIR_MISP_DISTRIBUTION

Analysis state (0-2)DFIR_MISP_ANALYSIS

Skip TLS verifyDFIR_MISP_INSECURE — true to accept self-signed certs (lab only)

YETI

YETI URLDFIR_YETI_URL

YETI keyDFIR_YETI_KEY

CA bundleDFIR_YETI_CA

Skip TLS verifyDFIR_YETI_INSECURE — true to accept self-signed certs (lab only)

OpenCTI

OpenCTI URLDFIR_OPENCTI_URL

OpenCTI tokenDFIR_OPENCTI_KEY

CA bundleDFIR_OPENCTI_CA

Skip TLS verifyDFIR_OPENCTI_INSECURE — true to accept self-signed certs (lab only)

Malicious score thresholdDFIR_OPENCTI_MALICIOUS_SCORE — x_opencti_score ≥ this → malicious (default 75)

Throttling

Enrich delay (ms)DFIR_ENRICH_DELAY_MS

Max IOCs / runDFIR_ENRICH_MAX

Health TTL (ms)DFIR_ENRICH_HEALTH_TTL_MS

Health poll (ms)DFIR_ENRICH_HEALTH_POLL_MS — re-probe down providers & auto-resume; 0 disables

Per-provider throttle overrides (ms) — blank uses the global delay

VirusTotalDFIR_ENRICH_DELAY_MS_VIRUSTOTAL

AbuseIPDBDFIR_ENRICH_DELAY_MS_ABUSEIPDB

Hunting.chDFIR_ENRICH_DELAY_MS_HUNTINGCH

CrowdStrikeDFIR_ENRICH_DELAY_MS_CROWDSTRIKE

MISPDFIR_ENRICH_DELAY_MS_MISP

YETIDFIR_ENRICH_DELAY_MS_YETI

RockyRaccoonDFIR_ENRICH_DELAY_MS_ROCKYRACCOON

OpenCTIDFIR_ENRICH_DELAY_MS_OPENCTI

⚠ All exposure settings require a server restart to take effect

LeakCheck keyDFIR_LEAKCHECK_KEY

LeakCheck domain limitDFIR_LEAKCHECK_DOMAIN_LIMIT

HIBP keyDFIR_HIBP_KEY

HIBP User-AgentDFIR_HIBP_USER_AGENT

DeHashed keyDFIR_DEHASHED_KEY

DeHashed base URLDFIR_DEHASHED_BASE_URL

Shodan keyDFIR_SHODAN_KEY — attack surface (domain → exposed hosts/ports/CVEs)

Exposure delay (ms)DFIR_EXPOSURE_DELAY_MS

⚠ All integration settings require a server restart to take effect

DFIR-IRIS

IRIS URLDFIR_IRIS_URL

IRIS keyDFIR_IRIS_KEY

CA bundleDFIR_IRIS_CA

Customer IDDFIR_IRIS_CUSTOMER_ID

Classification IDDFIR_IRIS_CLASSIFICATION_ID

Skip TLS verifyDFIR_IRIS_INSECURE — true to accept self-signed certs (lab only)

Timesketch

Timesketch URLDFIR_TIMESKETCH_URL

UsernameDFIR_TIMESKETCH_USER

PasswordDFIR_TIMESKETCH_PASSWORD

Timeline nameDFIR_TIMESKETCH_TIMELINE

CA bundleDFIR_TIMESKETCH_CA

Skip TLS verifyDFIR_TIMESKETCH_INSECURE — true to accept self-signed certs (lab only)

Notion

Integration tokenDFIR_NOTION_TOKEN — internal-integration secret; share the page/database with it

Database IDDFIR_NOTION_DATABASE_ID — default DB for "new page" (investigation template)

Parent page IDDFIR_NOTION_PARENT_PAGE_ID — alternative default parent for "new page"

Managed block titleDFIR_NOTION_CONTAINER_TITLE

Max timeline rowsDFIR_NOTION_MAX_TIMELINE

CA bundleDFIR_NOTION_CA

Skip TLS verifyDFIR_NOTION_INSECURE — true to accept self-signed certs (lab only)

ClickUp

API tokenDFIR_CLICKUP_TOKEN — personal token (Settings › Apps › API Token, pk_…)

Default list IDDFIR_CLICKUP_LIST_ID — optional; pre-fills the push modal (list URL's …/li/<id>)

CA bundleDFIR_CLICKUP_CA

Skip TLS verifyDFIR_CLICKUP_INSECURE — true to accept self-signed certs (lab only)

Velociraptor

API config pathDFIR_VELOCIRAPTOR_API_CONFIG

Binary pathDFIR_VELOCIRAPTOR_BINARY

GUI URLDFIR_VELOCIRAPTOR_GUI_URL

GUI orgDFIR_VELOCIRAPTOR_ORG — for deep links (default root)

Hunt platformsDFIR_HUNT_PLATFORMS — comma-separated; blank = all

Hunt auto-collect wait (min)DFIR_VELO_HUNT_WAIT_MIN — default 10 (clamped 1–1440)

Collection timeout (ms)DFIR_VELOCIRAPTOR_TIMEOUT_MS

Max rowsDFIR_VELOCIRAPTOR_MAX_ROWS

Max output — interactive (bytes)DFIR_VELOCIRAPTOR_MAX_OUTPUT

Max output — collect (bytes)DFIR_VELOCIRAPTOR_COLLECT_MAX_OUTPUT

Upload VQL overrideDFIR_VELOCIRAPTOR_UPLOAD_VQL — version-specific; blank = default

Live monitor poll (sec)DFIR_VELO_MONITOR_POLL_S — default 30 (CLIENT_EVENT poller)

Monitor read VQL overrideDFIR_VELOCIRAPTOR_MONITOR_VQL — version-specific; blank = default source()

Push ingest (webhook)

Let external tools (a SIEM webhook, a Velociraptor client-event poller, a custom script) POST alerts straight into the connected case. The server auto-detects the payload type (same engine as the Import button) and runs the import → synthesize pipeline. Auth is a token in the X-DFIR-Key header — a global one (below) and/or a per-case one (generated here). Push is OFF until a token is configured.

Global push tokenDFIR_PUSH_TOKEN — one secret for every case (optional)

Connect to a case to manage its push token.

Example — POST a Velociraptor monitoring batch / SIEM alert:

connect to a case to see the curl example

Build named bundles of Velociraptor CLIENT artifacts, then run one as a hunt — results (and any uploaded JSON report, e.g. THOR/Hayabusa) are auto-collected after a delay, imported, and synthesized into the case. Bundles are shared across cases; running a bundle uses the case you're connected to. Results appear on the dashboard.

—

Build a new bundle

Click Browse server artifacts to load the list, or add artifact names manually above.

Selected: 0

Advanced: per-artifact tuning (optional)

Parameters (passed to the artifact via the hunt spec)

JSON map of artifact → { param: value } so a heavy artifact emits less at the source (e.g. Hayabusa at high+critical). Only what you set is sent.

Exclude filters (VQL WHERE applied to results before the row cap)

JSON map of artifact → VQL WHERE expression (no WHERE keyword) to drop noisy rows at the source — e.g. exclude pagefile YARA hits, or a specific detection name. Leave blank for none.

🔴 Live Monitoring (Velociraptor client events)

Stream a Velociraptor client-monitoring artifact (e.g. Windows.Events.ProcessCreation, Windows.Events.DNSQueries) into this case as events fire — from one endpoint, or across all enrolled clients at once. The companion polls on an interval and imports new rows automatically; the last-seen cursor is saved so a restart never re-ingests old events. The artifact must also be enabled in Velociraptor → Client Monitoring for the target client(s). Needs the Velociraptor API configured.

Start an all-clients monitor for every artifact already enabled in Velociraptor's Client Monitoring table.

Start a new monitor

All enrolled clients (monitor this artifact across the whole fleet — no specific endpoint)

Known-good patterns that auto-mark matching IOCs as legitimate on import (and on demand). Global — shared across all cases. Reversible: matches appear in Confirmed Legitimate and can be un-marked.

⚠ Whitelisting is opt-in for a reason — auto-excluding internal IP ranges can hide lateral movement. Only add patterns you trust.

Add a rule

Quick add:

Rules

Import (paste CSV or JSON)

Apply to the current case

Scans the loaded case's current IOCs and marks matches legitimate (already auto-runs on every import).

A set of known-software file hashes (NIST NSRL / RDS). A forensic event whose file hash — or an IOC whose value — matches is a known-good file, auto-marked legitimate on import (and on demand), reducing false positives. Global — shared across all cases. Reversible: matches appear in Confirmed Legitimate.

⚠ NSRL lists known, not strictly known-good, software — some RDS sets include hacktools, and a known hash can still be malicious in context (DLL side-loading, a renamed LOLBin). Opt-in for a reason.

Loaded hashes

Loading…

Import known-good hashes

…or load from a file on the server

Reads an NSRLFile.txt / hashdeep CSV / hash list straight off this machine — for big RDS sets you don't want to paste. The in-UI equivalent of the DFIR_NSRL_FILE env var, but on demand: loaded hashes persist, so there's no restart and they survive one.

NSRL RDS database (SQLite)

Loading…

For the full ~160 GB NSRL RDS (too big to load into memory) — queried on demand, no ingest. Download the Modern RDS minimal SQLite set and index the hash column(s) first (CREATE INDEX … ON METADATA(sha256) + ANALYZE; matching keys on sha256/md5, not sha1). See the README's NSRL section for the full setup.

Apply to the current case

Scans the loaded case's IOCs + forensic events and marks known-good matches legitimate (already auto-runs on every import).

Declarative importers let you add support for a new tool's export format without writing code. Drop a JSON definition in the importers/ folder (auto-loaded on startup) or paste one below. Global — shared across all cases. Generate a definition for any file format with an LLM via the prompt button.

⚠ Custom importers run on every matching import. Review a generated definition before adding it — a too-broad match can shadow a built-in importer.

Detection precedence

Built-in-first keeps the shipped importers authoritative; custom-first lets a definition override one.

Loaded importers

Loading…

Load errors

Add an importer (paste JSON)

The CISA Known Exploited Vulnerabilities (KEV) catalog lists CVEs that are actively exploited in the wild. When loaded, the Companion cross-references CVE IDs found in your forensic timeline and IOCs against the catalog and surfaces any matches as high-probability initial access vectors in synthesis context and in report §4.5.1. Global — shared across all cases. Opt-in: starts empty.

⚠ KEV cross-referencing only fires when CVE IDs appear in your evidence. Load the catalog here; the Companion does the rest automatically during synthesis.

Catalog status

Loading…

Load from CISA

Fetches the latest catalog directly from cisa.gov — requires server outbound internet access.

Load from server file

For air-gapped deployments — point to a locally-saved copy of the CISA KEV JSON.

Actions

Removes the catalog from disk. The catalog is global — clearing it affects all cases.

Opt-in check against the project's GitHub Releases page. When enabled, the server checks at most once a day (and on demand) and shows a banner if a newer version exists. It never downloads or installs anything — the banner just links to the release. Off by default. Set DFIR_UPDATE_CHECK=0 to lock it off entirely.

Check for newer releases

Status

Loading…

Push new/escalated findings, playbook updates, and investigation milestones to Slack, MS Teams, Mattermost, Discord, Telegram, or email — with a per-channel severity threshold and per-event toggles. Global — shared across all cases.

⚠ Notifications send case content (finding/task titles) to a third party. Off by default — each channel is opt-in. Don't enable on a sensitive case unless the destination is trusted.

Add a channel

Notify on: findings playbook milestones enabled

Channels

Branded report layouts — accent colour, cover title/subtitle, running header & footer, and which sections appear. Global (shared across cases); pick one per case in Case Details. Built-ins are editable in place — Reset restores the shipped default.

Template — pick one to edit, or create a new one

Name Accent colour

Description

Cover title Cover subtitle Running header Footer / banner

Show company logo Show company name

Placeholders (filled from Case Details): {{organization}} {{companyName}} {{incidentId}} {{restrictions}} {{investigators}} {{date}} {{caseId}} · conditionals: {{#if incidentId}}…{{/if}}

Sections — check to include · ▲▼ to reorder

Operator-facing system state for troubleshooting ingestion / AI problems. Read-only and redacted (no API keys or evidence content). The summary loads fast; per-case disk sizes are computed on demand.

Loading…

Ask the LLM about this case

Query Translator natural language → VQL / KQL / ES|QL / SPL / Sigma / YARA / Suricata

Executive Summary

Recommended Next Steps

Attack Path

Narrative Timeline

Findings

Forensic TimelineCriticalHighMediumLowInfo

Kill Chain

Memory Next Stepsiterative memory-forensics agent — reads the imported Volatility/Rekall evidence, spots process-tree/injection/network anomalies, and suggests the exact next Volatility command

Attack Phasestemporal bursts — activity grouped by time gap, labelled by dominant tactic (derived, no AI)

Timeline Gapssuspicious silent periods — a complete gap (all sources dark) is the classic log-tampering signature (derived, no AI); a lead, not proof

Timeline Swimlanevisual chart — Y-axis: assets · X-axis: time · color: severity (derived, no AI)

Compromised Assets & IoC Graph

Known compromised assets

Evidence Chaincausal links — process trees, lateral movement, file lineage & network flows (derived, no AI)

Beacon Candidatesperiodic outbound channels — too regular to be human traffic (derived, no AI); a hunting lead, not a verdict

IOCs

Customer Exposure

Key Investigative Questions

Investigation Threads

MITRE ATT&CK

Adversary Hintsknown ATT&CK groups by technique overlap + their likely next techniques — hypothesis fuel, not attribution (derived, no AI)

Suggested Fleet HuntsAI-proposed Velociraptor VQL hunts from the findings — sweep the fleet for the same tradecraft

Confirmed Legitimate (excluded from analysis)

Playbook

Analyst Notebook

Investigation Log

Case Details (for the generated report)

Threat-intel enrichment — choose sources

Anonymization

Comments

Tags

Export to Notion

Push playbook to ClickUp

Import case

Import from DFIR-IRIS

Hunt queries

💡 Explain Event

New case

Save as Template

IOC block-list

Redacted case package

Settings

Ask the LLM about this case

Query Translator natural language → VQL / KQL / ES|QL / SPL / Sigma / YARA / Suricata

Executive Summary✨ Generate

Recommended Next Steps

Attack Path

Narrative Timeline✨ Generate✏ Edit

Findings

Forensic Timeline☆ Starred+CriticalHighMediumLowInfo⛏ Sources

Kill Chain

Memory Next Stepsiterative memory-forensics agent — reads the imported Volatility/Rekall evidence, spots process-tree/injection/network anomalies, and suggests the exact next Volatility command✨ Suggest next steps

Attack Phasestemporal bursts — activity grouped by time gap, labelled by dominant tactic (derived, no AI)

Timeline Gapssuspicious silent periods — a complete gap (all sources dark) is the classic log-tampering signature (derived, no AI); a lead, not proof✨ Hypothesize gaps

Timeline Swimlanevisual chart — Y-axis: assets · X-axis: time · color: severity (derived, no AI)

Compromised Assets & IoC Graph+

Known compromised assets

Evidence Chaincausal links — process trees, lateral movement, file lineage & network flows (derived, no AI)

Beacon Candidatesperiodic outbound channels — too regular to be human traffic (derived, no AI); a hunting lead, not a verdict

IOCs⚠ Flagged only+

Customer Exposure

Key Investigative Questions

Investigation Threads

MITRE ATT&CK

Adversary Hintsknown ATT&CK groups by technique overlap + their likely next techniques — hypothesis fuel, not attribution (derived, no AI)

Suggested Fleet HuntsAI-proposed Velociraptor VQL hunts from the findings — sweep the fleet for the same tradecraft✨ Suggest hunts

Confirmed Legitimate (excluded from analysis)

Playbook

Analyst Notebook

Investigation Log

Case Details (for the generated report)

Executive Summary

Narrative Timeline

Forensic TimelineCriticalHighMediumLowInfo

Memory Next Stepsiterative memory-forensics agent — reads the imported Volatility/Rekall evidence, spots process-tree/injection/network anomalies, and suggests the exact next Volatility command

Timeline Gapssuspicious silent periods — a complete gap (all sources dark) is the classic log-tampering signature (derived, no AI); a lead, not proof

Compromised Assets & IoC Graph

IOCs

Suggested Fleet HuntsAI-proposed Velociraptor VQL hunts from the findings — sweep the fleet for the same tradecraft