From 52a305e72d57eecebd41bc6438da023f84ab0546 Mon Sep 17 00:00:00 2001
From: Ben Virgilio
Date: Mon, 16 Sep 2024 16:46:53 -0400
Subject: [PATCH] Updated iris.py to fix issue #1457

Copying the record data into a new private variable resolves the issue.
---
 elastalert/alerters/iris.py | 8 +++++---
 tests/alerters/iris_test.py | 5 +++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/elastalert/alerters/iris.py b/elastalert/alerters/iris.py
index 5dee7b83..8a111b2c 100644
--- a/elastalert/alerters/iris.py
+++ b/elastalert/alerters/iris.py
@@ -64,9 +64,11 @@ def make_alert_context_records(self, matches):
     def make_iocs_records(self, matches):
         iocs = []
         for record in self.iocs:
-            record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
-            if record['ioc_value'] is not None:
-                iocs.append(record)
+            # Duplicating match record data so we can update the ioc_value without overwriting record
+            record_data = record.copy()
+            record_data['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
+            if record_data['ioc_value'] is not None:
+                iocs.append(record_data)
         return iocs
 
     def make_alert(self, matches):
diff --git a/tests/alerters/iris_test.py b/tests/alerters/iris_test.py
index 74a9eedd..66af38eb 100644
--- a/tests/alerters/iris_test.py
+++ b/tests/alerters/iris_test.py
@@ -105,6 +105,7 @@ def test_iris_make_iocs_records(caplog):
     actual_data = alert.make_iocs_records([match])
     assert expected_data == actual_data
 
+
 def test_iris_handle_multiple_alerts_with_iocs(caplog):
     caplog.set_level(logging.INFO)
     rule = {
@@ -166,12 +167,12 @@ def test_iris_handle_multiple_alerts_with_iocs(caplog):
         }
     ]
 
-    first_alert_data = alert.make_iocs_records([match])
+    # Submitting a bogus alert to test follow up alerts
+    alert.make_iocs_records([match])
     actual_data = alert.make_iocs_records([match])
     assert expected_data == actual_data
 
 
-
 def test_iris_make_alert_minimal(caplog):
     caplog.set_level(logging.INFO)
     rule = {
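Review bot: The new comment on the first added line of the iris.py hunk misdescribes what is copied: `record` is iterated from `self.iocs`, the rule's configured IOC template, not match data, so a reader may think the match document is being duplicated. I would reword it to `# Copy the configured IOC entry so resolving ioc_value never mutates self.iocs across alerts` and consider collapsing the copy-and-assign into one expression, `record_data = {**record, 'ioc_value': lookup_es_key(matches[0], record['ioc_value'])}`. The copy is shallow, which suffices here because only the top-level `ioc_value` key is reassigned, but any nested containers in a configured entry would still be shared with `self.iocs` — worth a note if the schema ever grows. `matches[0]` on an empty list would raise IndexError; that is pre-existing and presumably guaranteed non-empty by the caller.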
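Review bot: The regression test in the last iris_test.py hunk asserts only the second `make_iocs_records` result, so it would still pass if the first call returned something wrong. I would keep the first result and check it as well, `first_alert_data = alert.make_iocs_records([match])` followed by `assert expected_data == first_alert_data`, before the second call, and additionally assert that `alert.iocs` still holds the configured key names after both calls, since that non-mutation is the invariant issue #1457 is about. The comment `# Submitting a bogus alert to test follow up alerts` is also misleading because the call is a normal first invocation; `# First call must not mutate the configured iocs; the second must yield the same records` states the intent. test_iris_handle_multiple_alerts_with_iocs starts outside the hunk.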