Capabilities

Everything your SOC actually needs.

Not 200 half-baked features. The 30 that move the needle on real incidents.

Ingest. Deduplicate. Route.

Multi-source ingestion

REST endpoint for SIEM, EDR, email gateway, custom scripts. Webhook signatures supported.

Auto-dedup & enrich

Hash-based dedup over a configurable window. Enrich with org context, asset tags, owner.

Analyst routing

Round-robin or rule-based. Out-of-office and shift-aware assignment.

Severity scoring

Manual or rule-driven (asset criticality + source confidence). Override per alert.

Triage queue

Saved filters, bulk actions, dismiss-with-reason. Reduce queue depth in minutes, not hours.

Linked alerts

Correlate by observable, host or rule. See the cluster, not the noise.

Structured investigations

Cases & sub-cases

Promote alerts to cases. Group related work under a parent. Full lifecycle states.

Activity timeline

Every status change, comment, attachment and observable addition — logged, immutable, timestamped.

Evidence storage

Attach files, screenshots, PCAPs. Stored on your disk volume, never on a third-party service.

Comments & mentions

@-mention analysts. Markdown supported. Stays inside the case — no more lost Slack threads.

SLA tracking

Per-severity targets (acknowledge, triage, resolve). Breach warnings, escalation rules.

Report export

Generate Markdown / PDF investigation reports. Templated, with all observables and timeline.

Build institutional knowledge

IOC tracking

IPs, domains, hashes, URLs, email addresses, user accounts — tagged, scoped, searchable.

Cross-case correlation

"This IP showed up in three other cases" — surfaced automatically.

MITRE ATT&CK mapping

Tag cases with techniques. Coverage heat-map across the matrix.

STIX/MISP export

Push observables out in standard formats. Plug into your threat intel platform.

Tagging & labels

Free-form tags, scoped labels (campaign, actor, malware family). Filter the entire backlog.

Suppression lists

Known-good observables won't escalate. Entries are reviewed and revoked once they pass the staleness threshold.

Built for the people who run it

RBAC

Admin, Analyst, Viewer plus custom roles. Permissions per case if you need them.

SSO ready

OIDC support. Map external groups to internal roles.

Audit log

Every action, every actor, every timestamp. Exportable, immutable, append-only.

REST & webhooks

Every entity exposed. Outbound webhooks on state transitions for downstream automation.

Metrics & reporting

MTTA, MTTR, queue depth, top observables. Built-in dashboards — no Grafana required.

Backups & export

Volume-mounted data. One-command DB dump. Restore-tested every release.

Want to see how the stages connect?

The workflow page walks through the alert-to-resolution lifecycle in detail.