dfir-iris / iris-web

Collaborative Incident Response platform


[BUG] API add_alert with comment breaks the comments

barn4k opened this issue · comments

Describe the bug
If I create a new alert with comments, they are broken entirely in that alert (there is no way to see them).

To Reproduce
Steps to reproduce the behavior:

  1. Create a new alert

```json
{
  "alert_title": "Sample Alert",
  "alert_description": "Sample Alert Description",
  "alert_source": "My source",
  "alert_source_ref": "sid: splunk.sid",
  "alert_source_link": "https://splunkcloud.com/search?sid=1234",
  "alert_source_event_time": "2024-02-11T18:14:00.000+01:00",
  "alert_severity_id": 3,
  "alert_status_id": 2,
  "alert_customer_id": 2,
  "alert_source_content": {
    "splunkData": {
      "_time": "2024-02-11T18:14:00.000+01:00",
      "src_nt_host": "hostname1",
      "src_ip": "10.10.10.10",
      "dest": "1.1.1.1",
      "dest_port": "443",
      "info_min_time": "1707753600.000",
      "info_max_time": "1707759613.164",
      "meta_sid": "3123.1234"
    }
  },
  "alert_tags": "splunk",
  "alert_classification_id": 46,
  "comments": [
    {
      "comment_text": "## Splunk Query\n````\n\nindex=test source=\"network_events\" category=\"my category\" \nearliest=1707753600 latest=1707759613.164 \nsrc_nt_host=hostname1\n| table _time, src_nt_host, src_ip, dest, dest_port\n"
    },
    {
      "comment_text": "test 21213"
    }
  ],
  "alert_iocs": [
    {
      "ioc_type_id": 69,
      "ioc_tlp_id": 2,
      "ioc_description": "Hostname",
      "ioc_value": "hostname1",
      "ioc_tags": "splunk"
    },
    {
      "ioc_type_id": 78,
      "ioc_tlp_id": 3,
      "ioc_description": "Dest IP and port from Splunk",
      "ioc_value": "1.1.1.1|443",
      "ioc_tags": "splunk"
    },
    {
      "ioc_type_id": 79,
      "ioc_tlp_id": 2,
      "ioc_description": "Source IP from Splunk",
      "ioc_value": "10.10.10.10",
      "ioc_tags": "splunk"
    }
  ]
}
```

  2. Check how the comments appear in the alert

And if I try to add any comment in the GUI in such an alert, it won't be shown either.

Expected behavior
We can see the comments

Screenshots
Alert page (screenshot)
Comments section (screenshot)
Real comments (screenshot)

Desktop (please complete the following information):

  • OS: docker
  • Browser: edge
  • Version: 2.3.3

Additional context
I suppose some of the mandatory fields for comments are missing.

In order for this to work properly, each comment should contain comment_user_id and comment_date fields.
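A client-side pre-flight check for this failure mode, as an added example that is not iris-web code and not from the issue author: it flags comments in an add_alert payload that lack the fields the report names as mandatory, and fills them in before the request is sent. The required field set (comment_text, comment_user_id, comment_date) is an assumption taken from the issue's hypothesis, not from the project's schema, and the sample payload is a constructed subset of the one above.

```python
"""Pre-flight validation for iris-web add_alert comment entries (added example)."""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Assumed from the issue's hypothesis, not verified against iris-web's schema.
REQUIRED_COMMENT_FIELDS = ("comment_text", "comment_user_id", "comment_date")

# Constructed sample: the comments from the report, without the suspected fields.
SAMPLE_ALERT = {
    "alert_title": "Sample Alert",
    "comments": [
        {"comment_text": "## Splunk Query\n````\nindex=test source=\"network_events\"\n"},
        {"comment_text": "test 21213"},
    ],
}


def missing_comment_fields(alert: dict) -> dict[int, list[str]]:
    """Map each incomplete comment's index to the list of fields it lacks.

    An empty dict means every comment carries all required fields.
    """
    problems: dict[int, list[str]] = {}
    for index, comment in enumerate(alert.get("comments", [])):
        missing = [f for f in REQUIRED_COMMENT_FIELDS if comment.get(f) in (None, "")]
        if missing:
            problems[index] = missing
    return problems


def complete_comments(alert: dict, user_id: int, comment_date: str | None = None) -> dict:
    """Return a deep copy of the payload with comment_user_id/comment_date filled in.

    Existing values are preserved; comment_date defaults to the current UTC time
    in ISO 8601 form. The original payload is left untouched.
    """
    stamp = comment_date or datetime.now(timezone.utc).isoformat()
    fixed = json.loads(json.dumps(alert))  # deep copy via round-trip
    for comment in fixed.get("comments", []):
        comment.setdefault("comment_user_id", user_id)
        comment.setdefault("comment_date", stamp)
    return fixed


if __name__ == "__main__":
    print("missing before:", missing_comment_fields(SAMPLE_ALERT))
    ready = complete_comments(SAMPLE_ALERT, user_id=1, comment_date="2024-02-11T18:14:00+01:00")
    print("missing after:", missing_comment_fields(ready))
```

Run the check before calling add_alert and refuse to submit when it reports anything, so a payload that would produce unreadable comments never reaches the API.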