Merge branch 'master' into bugfix/1457-fixing-iris-ioc-NoneType

jertel · Sep 18, 2024 · b4ca698 · b4ca698
2 parents a239c3f + 928746b
commit b4ca698
Show file tree

Hide file tree

Showing 6 changed files with 200 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,14 +2,17 @@
 
 ## Breaking changes
 - Drop python3.9, python3.10, python3.11 from `python_requires` - [#1528](https://github.com/jertel/elastalert2/pull/1528) - @kmurphy4
+- [IRIS] Updated alert_title to leverage ElastAlert built-in ``create_title`` function. Updated alert_description to use ElastAlert2 built-in function ``create_alert_body`` if alert_description is not set within the rule - [#1532](https://github.com/jertel/elastalert2/pull/1532) - @bvirgilioamnh
 
 ## New features
 - [MS Power Automate] New Alert Channel with Microsoft Power Automate - [#1505](https://github.com/jertel/elastalert2/pull/1505)  [#1513](https://github.com/jertel/elastalert2/pull/1513) [#1519](https://github.com/jertel/elastalert2/pull/1519) - @marssilva, @jertel
 - [Matrix Hookshot] New Alerter for sending alerts to Matrix via Hookshot - [#1525](https://github.com/jertel/elastalert2/pull/1525) - @jertel
 
 ## Other changes
 - [Indexer] Fixed fields types error on instance indexer_alert_config in schema.yml - [#1499](https://github.com/jertel/elastalert2/pull/1499) - @olehpalanskyi
-- [IRIS] Fixed NoneType error raised in issue [#1457](https://github.com/jertel/elastalert2/issues/1457) - [#1533](https://github.com/jertel/elastalert2/pull/1533)
+- [IRIS] Changed alert_source field from static 'ElastAlert2' value to field iris_alert_source value with default of 'ElastAlert2' - [#1531](https://github.com/jertel/elastalert2/pull/1531) - @bvirgilioamnh
+- [IRIS] Fixed NoneType error raised in issue [#1457](https://github.com/jertel/elastalert2/issues/1457) - [#1533](https://github.com/jertel/elastalert2/pull/1533) - @bvirgilioamnh
+
 
 # 2.19.0
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -14,6 +14,7 @@ Before submitting the PR review that you have included the following changes, wh
 - Helm Chart: If your new feature introduces settings consider adding those to the Helm chart [README.md](chart/elastalert2/README.md) and [values.yaml](chart/elastalert2/values.yaml)
 - Examples: If your new feature includes new configuration options, review the [Example config file](examples/config.yaml.example) to see if they should be added there for consistency with other configuration options.
 - Change log: Describe your contribution to the appropriate section(s) for the _Upcoming release_, in the [CHANGELOG.md](CHANGELOG.md) file.
+- Schema: Update the schema.yaml file with new parameters for existing and new alerters and rule types.
 
 ## Releases
 

diff --git a/docs/source/alerts.rst b/docs/source/alerts.rst
@@ -1191,7 +1191,7 @@ Optional:
 
 ``iris_ignore_ssl_errors``: Ignore ssl error. The default value is: ``False``.
 
-``iris_description``: Description of the alert or case.
+``iris_description``: Description of the alert or case. If left blank and ``iris_type`` is ``alert`` (default value) description will automatically be generated utilizing the ``alert_text``, and optionally ``alert_text_args``/``alert_text_type``, field(s) to generate a description.
 
 ``iris_overwrite_timestamp``: Should the timestamp be overridden when creating an alert. By default, the alert's creation time will be the trigger time. If you want to use the event's timestamp as the ticket creation time, set this value to ``True``. Default value is ``False``.
 
@@ -1201,6 +1201,8 @@ Optional:
 
 ``iris_alert_note``: Note for the alert.
 
+``iris_alert_source``: Source of the alert. Default value is ``ElastAlert2``.
+
 ``iris_alert_tags``: List of tags.
 
 ``iris_alert_status_id``: The alert status of the alert, default value is ``2``. This parameter requires an integer input.

diff --git a/elastalert/alerters/iris.py b/elastalert/alerters/iris.py
@@ -27,6 +27,7 @@ def __init__(self, rule):
             'Authorization': f'Bearer {self.rule.get("iris_api_token")}'
         }
         self.alert_note = self.rule.get('iris_alert_note', None)
+        self.alert_source = self.rule.get('iris_alert_source', 'ElastAlert2')
         self.alert_tags = self.rule.get('iris_alert_tags', None)
         self.alert_status_id = self.rule.get('iris_alert_status_id', 2)
         self.alert_source_link = self.rule.get('iris_alert_source_link', None)
@@ -77,10 +78,14 @@ def make_alert(self, matches):
         else:
             event_timestamp = datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
 
+        # If no description is supplied use the built-in alert body generator which accounts for alert_text and alert_text_args
+        if not self.description:
+            self.description = self.create_alert_body(matches)
+
         alert_data = {
-            "alert_title": self.rule.get('name'),
+            "alert_title": self.create_title(matches),
             "alert_description": self.description,
-            "alert_source": "ElastAlert2",
+            "alert_source": self.alert_source,
             "alert_severity_id": self.alert_severity_id,
             "alert_status_id": self.alert_status_id,
             "alert_source_event_time": event_timestamp,

diff --git a/elastalert/schema.yaml b/elastalert/schema.yaml
@@ -597,6 +597,7 @@ properties:
   iris_alert_note: {type: string}
   iris_alert_tags: {type: string}
   iris_alert_status_id: {type: integer, enum: [1, 2, 3, 4, 5, 6, 7]}
+  iris_alert_source: {type: string}
   iris_alert_source_link: {type: string}
   iris_alert_severity_id: {type: integer, enum: [1, 2, 3, 4, 5, 6]}
   iris_iocs: *arrayOfIrisIocFields

diff --git a/tests/alerters/iris_test.py b/tests/alerters/iris_test.py
@@ -195,7 +195,8 @@ def test_iris_make_alert_minimal(caplog):
 
     expected_data = {
         "alert_title": 'Test Minimal Alert Body',
-        "alert_description": None,
+        "alert_description": "Test Minimal Alert Body\n\n@timestamp: 2023-10-21 20:00:00.000\ndst_ip: 10.0.0.1\n\
+event_status: success\nevent_type: login\nsrc_ip: 172.20.1.1\nusername: evil_user\n",
         "alert_source": "ElastAlert2",
         "alert_severity_id": 1,
         "alert_status_id": 2,
@@ -222,6 +223,7 @@ def test_iris_make_alert_maximal(caplog):
         'iris_alert_tags': 'test, alert',
         'iris_overwrite_timestamp': True,
         'iris_alert_source_link': 'https://example.com',
+        'iris_alert_source': "TestSource",
         'iris_iocs': [
             {
                 'ioc_description': 'source address',
@@ -254,6 +256,185 @@ def test_iris_make_alert_maximal(caplog):
     expected_data = {
         "alert_title": 'Test Maximal Alert Body',
         "alert_description": 'test description in alert',
+        "alert_source": "TestSource",
+        "alert_severity_id": 1,
+        "alert_status_id": 2,
+        "alert_source_event_time": '2023-10-21 20:00:00.000',
+        "alert_note": 'test note',
+        "alert_tags": 'test, alert',
+        "alert_customer_id": 1,
+        "alert_source_link": 'https://example.com',
+        "alert_iocs": [
+            {
+                'ioc_description': 'source address',
+                'ioc_tags': 'ip, ipv4',
+                'ioc_tlp_id': 1,
+                'ioc_type_id': 76,
+                'ioc_value': '172.20.1.1'
+            },
+            {
+                'ioc_description': 'target username',
+                'ioc_tags': 'login, username',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'evil_user'
+            }
+        ],
+        "alert_context": {
+            'username': 'evil_user',
+            'ip': '172.20.1.1',
+            'login_status': 'success'
+        },
+    }
+
+    actual_data = alert.make_alert([match])
+    assert expected_data == actual_data
+
+
+def test_iris_make_alert_auto_description(caplog):
+    """Test for the built-in elastalert2 create_title and create_body functions
+
+    These functions use the alert_subject and alert_text fields to automatically
+    build the title and description based on alert match data if available.
+    """
+
+    caplog.set_level(logging.INFO)
+    rule = {
+        'name': 'Test Maximal Alert Body',
+        'alert_subject': 'Test Alert Subject',
+        'alert_text': 'Test alert text',
+        'type': 'any',
+        'iris_host': '127.0.0.1',
+        'iris_api_token': 'token 12345',
+        'iris_customer_id': 1,
+        'iris_alert_note': 'test note',
+        'iris_alert_tags': 'test, alert',
+        'iris_overwrite_timestamp': True,
+        'iris_alert_source_link': 'https://example.com',
+        'iris_iocs': [
+            {
+                'ioc_description': 'source address',
+                'ioc_tags': 'ip, ipv4',
+                'ioc_tlp_id': 1,
+                'ioc_type_id': 76,
+                'ioc_value': 'src_ip'
+            },
+            {
+                'ioc_description': 'target username',
+                'ioc_tags': 'login, username',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'username'
+            }
+        ],
+        'iris_alert_context': {'username': 'username', 'ip': 'src_ip', 'login_status': 'event_status'},
+        'alert': [],
+    }
+
+    rules_loader = FileRulesLoader({})
+    rules_loader.load_modules(rule)
+    alert = IrisAlerter(rule)
+
+    match = {
+        '@timestamp': '2023-10-21 20:00:00.000', 'username': 'evil_user', 'src_ip': '172.20.1.1', 'dst_ip': '10.0.0.1',
+        'event_type': 'login', 'event_status': 'success'
+    }
+
+    expected_data = {
+        "alert_title": 'Test Alert Subject',
+        "alert_description": 'Test alert text\n\n@timestamp: 2023-10-21 20:00:00.000\ndst_ip: 10.0.0.1\n\
+event_status: success\nevent_type: login\nsrc_ip: 172.20.1.1\nusername: evil_user\n',
+        "alert_source": "ElastAlert2",
+        "alert_severity_id": 1,
+        "alert_status_id": 2,
+        "alert_source_event_time": '2023-10-21 20:00:00.000',
+        "alert_note": 'test note',
+        "alert_tags": 'test, alert',
+        "alert_customer_id": 1,
+        "alert_source_link": 'https://example.com',
+        "alert_iocs": [
+            {
+                'ioc_description': 'source address',
+                'ioc_tags': 'ip, ipv4',
+                'ioc_tlp_id': 1,
+                'ioc_type_id': 76,
+                'ioc_value': '172.20.1.1'
+            },
+            {
+                'ioc_description': 'target username',
+                'ioc_tags': 'login, username',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'evil_user'
+            }
+        ],
+        "alert_context": {
+            'username': 'evil_user',
+            'ip': '172.20.1.1',
+            'login_status': 'success'
+        },
+    }
+
+    actual_data = alert.make_alert([match])
+    assert expected_data == actual_data
+
+
+def test_iris_make_alert_auto_description_args(caplog):
+    """Test for the built-in elastalert2 create_title and create_body functions
+
+    These functions use the alert_subject and alert_text fields to automatically
+    build the title and description based on alert match data if available.
+
+    This test specifically uses _args for the alert_text to ensure match args
+    are passed through properly.
+    """
+    caplog.set_level(logging.INFO)
+    rule = {
+        'name': 'Test Maximal Alert Body',
+        'alert_subject': 'Test Alert Subject',
+        'alert_text': 'Username: {0} from {1}',
+        'alert_text_type': 'alert_text_only',
+        'alert_text_args': ['username', 'src_ip'],
+        'type': 'any',
+        'iris_host': '127.0.0.1',
+        'iris_api_token': 'token 12345',
+        'iris_customer_id': 1,
+        'iris_alert_note': 'test note',
+        'iris_alert_tags': 'test, alert',
+        'iris_overwrite_timestamp': True,
+        'iris_alert_source_link': 'https://example.com',
+        'iris_iocs': [
+            {
+                'ioc_description': 'source address',
+                'ioc_tags': 'ip, ipv4',
+                'ioc_tlp_id': 1,
+                'ioc_type_id': 76,
+                'ioc_value': 'src_ip'
+            },
+            {
+                'ioc_description': 'target username',
+                'ioc_tags': 'login, username',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'username'
+            }
+        ],
+        'iris_alert_context': {'username': 'username', 'ip': 'src_ip', 'login_status': 'event_status'},
+        'alert': [],
+    }
+
+    rules_loader = FileRulesLoader({})
+    rules_loader.load_modules(rule)
+    alert = IrisAlerter(rule)
+
+    match = {
+        '@timestamp': '2023-10-21 20:00:00.000', 'username': 'evil_user', 'src_ip': '172.20.1.1', 'dst_ip': '10.0.0.1',
+        'event_type': 'login', 'event_status': 'success'
+    }
+
+    expected_data = {
+        "alert_title": 'Test Alert Subject',
+        "alert_description": 'Username: evil_user from 172.20.1.1\n\n',
         "alert_source": "ElastAlert2",
         "alert_severity_id": 1,
         "alert_status_id": 2,
@@ -302,6 +483,7 @@ def test_iris_make_alert_maximal_with_nested_json(caplog):
         'iris_alert_tags': 'test, alert',
         'iris_overwrite_timestamp': True,
         'iris_alert_source_link': 'https://example.com',
+        'iris_alert_source': "TestSource",
         'iris_iocs': [
             {
                 'ioc_description': 'source address',
@@ -334,7 +516,7 @@ def test_iris_make_alert_maximal_with_nested_json(caplog):
     expected_data = {
         "alert_title": 'Test Maximal Alert Body',
         "alert_description": 'test description in alert',
-        "alert_source": "ElastAlert2",
+        "alert_source": "TestSource",
         "alert_severity_id": 1,
         "alert_status_id": 2,
         "alert_source_event_time": '2023-10-21 20:00:00.000',