

Updated iris.py to fix issue #1457
Copying each IOC record into a new local variable before resolving `ioc_value` resolves the issue, so the lookup key in the rule's IOC template is no longer overwritten by the first alert.
bvirgilioamnh committed Sep 16, 2024
1 parent c991434 commit 52a305e
Showing 2 changed files with 8 additions and 5 deletions.
8 changes: 5 additions & 3 deletions elastalert/alerters/iris.py
Expand Up @@ -64,9 +64,11 @@ def make_alert_context_records(self, matches):
def make_iocs_records(self, matches):
iocs = []
for record in self.iocs:
record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
if record['ioc_value'] is not None:
iocs.append(record)
# Duplicating match record data so we can update the ioc_value without overwriting record
record_data = record.copy()
record_data['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
if record_data['ioc_value'] is not None:
iocs.append(record_data)
return iocs

def make_alert(self, matches):
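Review bot: The comment on the `record.copy()` line describes the wrong object — `record` is an entry of `self.iocs`, i.e. the rule's IOC template, not the match record; suggest `# Copy the rule's IOC template so resolving ioc_value doesn't clobber the lookup key for later alerts`. Note that `.copy()` is shallow: it is sufficient here because only the top-level `ioc_value` key is rebound, but any nested list/dict values a template might carry would still be shared across alerts, which is worth a one-line caveat next to the copy if such templates exist. The resolved value is still taken from `matches[0]` only and appended whenever it is not `None` (so empty strings pass through); both are pre-existing behaviour, not introduced by this change.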
5 changes: 3 additions & 2 deletions tests/alerters/iris_test.py
Expand Up @@ -105,6 +105,7 @@ def test_iris_make_iocs_records(caplog):
actual_data = alert.make_iocs_records([match])
assert expected_data == actual_data


def test_iris_handle_multiple_alerts_with_iocs(caplog):
caplog.set_level(logging.INFO)
rule = {
Expand Down Expand Up @@ -166,12 +167,12 @@ def test_iris_handle_multiple_alerts_with_iocs(caplog):
}
]

first_alert_data = alert.make_iocs_records([match])
# Submitting a bogus alert to test follow up alerts
alert.make_iocs_records([match])
actual_data = alert.make_iocs_records([match])
assert expected_data == actual_data



def test_iris_make_alert_minimal(caplog):
caplog.set_level(logging.INFO)
rule = {
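Review bot: The second hunk now discards the result of the first `make_iocs_records([match])` call, so the regression test only pins the follow-up alert; asserting the first result too would catch a regression where the first call itself returns wrong data. Suggest keeping `first_alert_data = alert.make_iocs_records([match])` and adding `assert expected_data == first_alert_data` before the second call, then `assert expected_data == actual_data` as now. The comment `# Submitting a bogus alert to test follow up alerts` could also say what is being guarded against, e.g. `# First call must not mutate the rule's IOC templates; the second call exercises that`.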
