dfir-iris / iris-web

Collaborative Incident Response platform
GNU Lesser General Public License v3.0

[BUG] Custom Attributes are not applied to escalated/merged Alert Assets and IOCs #477

Open StaSys846 opened 6 months ago

StaSys846 commented 6 months ago

Describe the bug

When an IRIS Alert with asset/IOC information is merged to an existing case or escalated to a new case, the assets and IOCs included for import to the case don't include custom_attribute definitions (e.g. additional GUI elements like tabs/custom fields in the Asset/IOC modal view).

To Reproduce

Steps to reproduce the behavior (prerequisite: custom_attributes are defined for IOCs/Assets):

  1. Go to Alerts view
  2. Click on Merge (into new or existing case)
  3. Select alert assets and/or IOCs to be imported in the selected case
  4. Assets and IOCs are imported to the case, BUT custom attributes are not applied

Expected behavior

After alert merging/escalation to a case including assets and/or IOCs, the asset/IOC data should include the defined custom_attributes.

Additional context

In a manual modal view "add asset" the custom attributes are loaded by "get_default_custom_attributes" (e.g. #163 case_asset_routes.py) and provided as additional input to the modal view render template, so that custom attributes are rendered for the "add" modal view and added to the asset data. This default_custom_attribute handling is missing for assets/IOCs included in alerts.

Noones47 commented 4 months ago

I am having this same issue. Did you manage to solve this?

StaSys846 commented 4 months ago

Actually the code is missing the application of custom_attributes for assets included in alerts. My workaround is currently to use the 'on_postload_alert_create' hook in my custom IRIS module to check for missing custom_attributes. This is also the place to add data to asset.custom_attributes included as a potential customized enrichment in the alert data:

Hope that helps.
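
The workaround described above, sketched as an added example that is not code from this thread or from the IRIS project: a merge that fills in missing custom attribute definitions on an alert's assets and IOCs while keeping values already set by enrichment. It assumes the alert exposes `assets` and `iocs` whose items carry a `custom_attributes` dict; `fill_missing_attributes`, `patch_alert` and the sample tab/field names are hypothetical, and in a real module the defaults would come from IRIS (the issue mentions `get_default_custom_attributes`) rather than from constants.

```python
import copy
from types import SimpleNamespace

# Constructed sample defaults in the tab -> field -> spec layout of IRIS custom
# attributes (tab and field names are made up for this example).
ASSET_DEFAULTS = {
    "Ownership": {
        "Business owner": {"type": "input_string", "mandatory": False, "value": ""},
        "Internet facing": {"type": "input_checkbox", "mandatory": False, "value": False},
    }
}
IOC_DEFAULTS = {
    "Intel": {"Source feed": {"type": "input_string", "mandatory": False, "value": ""}}
}


def fill_missing_attributes(current, defaults):
    """Return a copy of current with absent tabs/fields added from defaults."""
    merged = copy.deepcopy(current) if isinstance(current, dict) else {}
    for tab, fields in defaults.items():
        tab_fields = merged.setdefault(tab, {})
        for name, spec in fields.items():
            if name not in tab_fields:  # never overwrite a value set upstream
                tab_fields[name] = copy.deepcopy(spec)
    return merged


def patch_alert(alert, asset_defaults=ASSET_DEFAULTS, ioc_defaults=IOC_DEFAULTS):
    """Body of a hypothetical on_postload_alert_create handler; returns objects changed."""
    changed = 0
    for items, defaults in ((alert.assets, asset_defaults), (alert.iocs, ioc_defaults)):
        for obj in items or []:
            merged = fill_missing_attributes(obj.custom_attributes, defaults)
            if merged != obj.custom_attributes:
                obj.custom_attributes = merged
                changed += 1
    return changed


def sample_alert():
    """Constructed alert: one bare asset, one asset enriched upstream, one bare IOC."""
    owner = {"type": "input_string", "mandatory": False, "value": "finance"}
    enriched = {"Ownership": {"Business owner": owner}}
    return SimpleNamespace(
        assets=[SimpleNamespace(custom_attributes=None), SimpleNamespace(custom_attributes=enriched)],
        iocs=[SimpleNamespace(custom_attributes={})],
    )
```

Running `patch_alert` a second time on the same alert changes nothing, so the handler is safe to call on alerts that were already patched.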