dfir-iris / iris-web

Collaborative Incident Response platform
GNU Lesser General Public License v3.0
1.08k stars 184 forks

[BUG] API add_alert with comment breaks the comments #408

Open barn4k opened 9 months ago

barn4k commented 9 months ago

Describe the bug: If I create a new alert with comments, they will be broken entirely in that alert (there won't be any way to see them).

To Reproduce: Steps to reproduce the behavior:

  1. Create a new alert with the following body:

        {
          "alert_title": "Sample Alert",
          "alert_description": "Sample Alert Description",
          "alert_source": "My source",
          "alert_source_ref": "sid: splunk.sid",
          "alert_source_link": "https://splunkcloud.com/search?sid=1234",
          "alert_source_event_time": "2024-02-11T18:14:00.000+01:00",
          "alert_severity_id": 3,
          "alert_status_id": 2,
          "alert_customer_id": 2,
          "alert_source_content": {
            "splunkData": {
              "_time": "2024-02-11T18:14:00.000+01:00",
              "src_nt_host": "hostname1",
              "src_ip": "10.10.10.10",
              "dest": "1.1.1.1",
              "dest_port": "443",
              "info_min_time": "1707753600.000",
              "info_max_time": "1707759613.164",
              "meta_sid": "3123.1234"
            }
          },
          "alert_tags": "splunk",
          "alert_classification_id": 46,
          "comments": [
            {
              "comment_text": "## Splunk Query\n````\n\nindex=test source=\"network_events\" category=\"my category\" \nearliest=1707753600 latest=1707759613.164 \nsrc_nt_host=hostname1\n| table _time, src_nt_host, src_ip, dest, dest_port\n"
            },
            {
              "comment_text": "test 21213"
            }
          ],
          "alert_iocs": [
            {
              "ioc_type_id": 69,
              "ioc_tlp_id": 2,
              "ioc_description": "Hostname",
              "ioc_value": "hostname1",
              "ioc_tags": "splunk"
            },
            {
              "ioc_type_id": 78,
              "ioc_tlp_id": 3,
              "ioc_description": "Dest IP and port from Splunk",
              "ioc_value": "1.1.1.1|443",
              "ioc_tags": "splunk"
            },
            {
              "ioc_type_id": 79,
              "ioc_tlp_id": 2,
              "ioc_description": "Source IP from Splunk",
              "ioc_value": "10.10.10.10",
              "ioc_tags": "splunk"
            }
          ]
        }

  2. Check how the comments appear in the alert.

And if I try to add any comment in the GUI in such alert, it won't be shown either.

Expected behavior: We can see the comments.

Screenshots:

Alert page (screenshot not included in this copy)

Comments section (screenshot not included in this copy)

Real comments (screenshot not included in this copy)


Additional context: I suppose some of the mandatory fields for comments are missing.

barn4k commented 9 months ago

In order for this to work properly, each comment should contain the comment_user_id and comment_date fields.
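As an added example (not code from this issue or from the iris-web project), the helper below builds an add_alert body modelled on the one in the report and checks, before anything is sent, that every entry in `comments` carries `comment_user_id` and `comment_date`, the two fields the second comment names as required. The user id, the ISO 8601 timestamp format and the API endpoint path are assumptions; the field names come from the thread.

```python
"""Client-side check for IRIS add_alert payloads whose comments are missing
the fields this issue reports as mandatory. Added example, not iris-web code."""
import json
from datetime import datetime, timezone

# comment_text is in the original payload; the other two are the fields the
# reporter found to be required for comments to render.
REQUIRED_COMMENT_FIELDS = ("comment_text", "comment_user_id", "comment_date")


def make_comment(text, user_id, when=None):
    """Build one comment dict carrying all the fields the thread says are needed.

    user_id is the IRIS user the comment is attributed to (assumption: an
    integer id). The timestamp format is an assumption; ISO 8601 with an
    explicit UTC offset matches what the alert body itself uses.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "comment_text": text,
        "comment_user_id": user_id,
        "comment_date": when.isoformat(),
    }


def missing_comment_fields(payload):
    """Return [(comment_index, field_name), ...] for every required field a
    comment in the payload lacks. An empty list means the comments are complete."""
    problems = []
    for index, comment in enumerate(payload.get("comments", [])):
        for field in REQUIRED_COMMENT_FIELDS:
            if field not in comment:
                problems.append((index, field))
    return problems


def build_alert(comments):
    """Constructed alert body, trimmed from the one in the issue; comments are
    injected by the caller so both the broken and the fixed shape can be built."""
    return {
        "alert_title": "Sample Alert",
        "alert_description": "Sample Alert Description",
        "alert_source": "My source",
        "alert_source_event_time": "2024-02-11T18:14:00.000+01:00",
        "alert_severity_id": 3,
        "alert_status_id": 2,
        "alert_customer_id": 2,
        "alert_tags": "splunk",
        "comments": comments,
    }


def serialize_checked(payload):
    """Refuse to serialize a payload whose comments would not render; the
    error lists exactly which comment lacks which field."""
    problems = missing_comment_fields(payload)
    if problems:
        raise ValueError(f"incomplete comments: {problems}")
    return json.dumps(payload)


if __name__ == "__main__":
    # Shape from the original report: comment_text only.
    broken = build_alert([{"comment_text": "test 21213"}])
    print("broken payload problems:", missing_comment_fields(broken))

    # Fixed shape: each comment also carries comment_user_id and comment_date.
    when = datetime(2024, 2, 11, 18, 14, tzinfo=timezone.utc)
    fixed = build_alert([make_comment("test 21213", 1, when)])
    print(serialize_checked(fixed))
    # POST target would be the IRIS alerts endpoint (assumption: /alerts/add)
    # with the API key as a Bearer token; not performed here.
```

Run the module directly to see the original payload flagged and the corrected one serialized; `serialize_checked` is the function to put in front of whatever client actually posts to the instance.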