[BUG] API add_alert with comment breaks the comments
barn4k opened this issue · comments
barn4k commented
Describe the bug
If I create a new alert with comments, they are broken entirely in that alert (there is no way to see them).
To Reproduce
Steps to reproduce the behavior:
- Create new alert
```json
{
  "alert_title": "Sample Alert",
  "alert_description": "Sample Alert Description",
  "alert_source": "My source",
  "alert_source_ref": "sid: splunk.sid",
  "alert_source_link": "https://splunkcloud.com/search?sid=1234",
  "alert_source_event_time": "2024-02-11T18:14:00.000+01:00",
  "alert_severity_id": 3,
  "alert_status_id": 2,
  "alert_customer_id": 2,
  "alert_source_content": {
    "splunkData": {
      "_time": "2024-02-11T18:14:00.000+01:00",
      "src_nt_host": "hostname1",
      "src_ip": "10.10.10.10",
      "dest": "1.1.1.1",
      "dest_port": "443",
      "info_min_time": "1707753600.000",
      "info_max_time": "1707759613.164",
      "meta_sid": "3123.1234"
    }
  },
  "alert_tags": "splunk",
  "alert_classification_id": 46,
  "comments": [
    {
      "comment_text": "## Splunk Query\n````\n\nindex=test source=\"network_events\" category=\"my category\" \nearliest=1707753600 latest=1707759613.164 \nsrc_nt_host=hostname1\n| table _time, src_nt_host, src_ip, dest, dest_port\n"
    },
    {
      "comment_text": "test 21213"
    }
  ],
  "alert_iocs": [
    {
      "ioc_type_id": 69,
      "ioc_tlp_id": 2,
      "ioc_description": "Hostname",
      "ioc_value": "hostname1",
      "ioc_tags": "splunk"
    },
    {
      "ioc_type_id": 78,
      "ioc_tlp_id": 3,
      "ioc_description": "Dest IP and port from Splunk",
      "ioc_value": "1.1.1.1|443",
      "ioc_tags": "splunk"
    },
    {
      "ioc_type_id": 79,
      "ioc_tlp_id": 2,
      "ioc_description": "Source IP from Splunk",
      "ioc_value": "10.10.10.10",
      "ioc_tags": "splunk"
    }
  ]
}
```
- Check how comments appear in the alert
And if I try to add any comment in the GUI in such an alert, it won't be shown either.
Expected behavior
We can see the comments
Desktop (please complete the following information):
- OS: docker
- Browser: edge
- Version: 2.3.3
Additional context
I suppose some of the mandatory fields for comments are missing.
barn4k commented
In order for this to work properly, each comment should contain the comment_user_id and comment_date fields.
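A client-side guard for the problem described in this thread, written as an added example (it is not code from the reporter or from the IRIS project): before sending an alert to the API, it reports which comments lack the two fields named above and fills them in so the payload is complete. The sample payload is a trimmed, constructed copy of the one in the report. The `/alerts/add` endpoint path, the `Authorization: Bearer` header, the user id value and the ISO 8601 shape of `comment_date` are assumptions, not confirmed by this page, so check them against your IRIS instance.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Fields each comment object needs so the alert's comments render; taken from
# the follow-up in the thread (the full IRIS comment schema is not on this page).
REQUIRED_COMMENT_FIELDS = ("comment_text", "comment_user_id", "comment_date")

# Constructed sample: the report's payload trimmed to the parts that matter here.
SAMPLE_ALERT = {
    "alert_title": "Sample Alert",
    "alert_description": "Sample Alert Description",
    "alert_source": "My source",
    "alert_severity_id": 3,
    "alert_status_id": 2,
    "alert_customer_id": 2,
    "comments": [
        {"comment_text": "## Splunk Query\n```\nindex=test source=\"network_events\"\n```"},
        {"comment_text": "test 21213"},
    ],
}


def missing_comment_fields(alert):
    """Return [(comment_index, [missing field names]), ...]; empty list means all good."""
    problems = []
    for i, comment in enumerate(alert.get("comments") or []):
        missing = [f for f in REQUIRED_COMMENT_FIELDS if f not in comment]
        if missing:
            problems.append((i, missing))
    return problems


def complete_comments(alert, user_id, stamp=None):
    """Return a copy of `alert` whose comments all carry comment_user_id and comment_date.

    `stamp` is an ISO 8601 string (assumed format); when omitted, the current UTC time
    is used. Fields already present on a comment are left untouched.
    """
    if stamp is None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    fixed = dict(alert)
    fixed["comments"] = [
        # Defaults first, then the original keys so existing values win.
        {"comment_user_id": user_id, "comment_date": stamp, **comment}
        for comment in alert.get("comments") or []
    ]
    return fixed


def post_alert(base_url, api_key, alert):
    """POST the alert to IRIS; refuses payloads with incomplete comments.

    Endpoint path and bearer-token header are assumptions about the IRIS API.
    """
    problems = missing_comment_fields(alert)
    if problems:
        raise ValueError(f"comments missing required fields: {problems}")
    body = json.dumps(alert).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/alerts/add",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Show the defect in the original payload, then the completed version.
    print("missing:", missing_comment_fields(SAMPLE_ALERT))
    ready = complete_comments(SAMPLE_ALERT, user_id=1)
    print(json.dumps(ready["comments"], indent=2))
    # post_alert("https://iris.example.internal", "<api key>", ready)  # hypothetical host
```

`complete_comments` only fills gaps; if you already set `comment_user_id` or `comment_date` on a comment, those values are kept, so the helper is safe to run on payloads that are partially correct.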