iris-web icon indicating copy to clipboard operation
iris-web copied to clipboard
verified publisher icon dfir-iris

[BUG] Custom Attributes are not applied to escalated/merged Alert Assets and IOCs

Open StaSys846 opened this issue 1 year ago • 2 comments

Describe the bug When an IRIS Alert with asset/IOC information is merged to an existing case or escalated to a new case, Asset and IOCs included for import to the case don't include custom_attribute definitions (e.g. additional GUI elements like tabs/custom fields in the Asset/IOC modal view).

To Reproduce Steps to reproduce the behavior (prerequisite: custom_attributes are defined for IOCs/Assets):

  1. Go to Alerts view
  2. Click on Merge (into new or existing case)
  3. Select alert assets and/or IOCs to be imported in the the selected case
  4. Assets and IOCs are imported to the case, BUT custom attributes are not applied

Expected behavior After alert merging/escalation to a case including assets and/or IOCs, the asset/IOC data should include the defined custom_attributes

Desktop (please complete the following information):

  • OS: ubuntu 22.04
  • Browser: Not browser dependent
  • Version 2.4.7

Additional context In a manual modal view "add asset" the custom attributes are loaded by "get_default_custom_attributes" (e.g. #163 case_asset_routes.py) and provided as additional input to the modal view render template, so that custom attributes are rendered for the "add" modal view and added to the asset data. This default_custom_attribute handling is missing for assets/iocs included in alerts.

StaSys846 avatar May 08 '24 07:05 StaSys846

I am having this same issue, did you manage to solve this?

Noones47 avatar Jul 16 '24 16:07 Noones47

Actually the code is missing the application of custom_attributes for assets included in alerts. My workaround is currently to use the 'on_postload_alert_create' hook in my custom IRIS module to check for missing custom_attributes. This is also the place to add data to asset.custom_attributes included as a potential customized enrichment in the alert data:

  • In the IRIS module handle the on_postload_alert_create event
  • The alert data in the handler function include all assets of the alert
  • Loop through all alert.assets list and check for each asset if asset.custom_attributes is None (not set).
  • If it is None set the custom attributes to the default ones (asset.custom_attributes = get_default_custom_attributes('asset'))
  • get_default_custom_attributes() function is located in 'source/app/datamgmt/manage/manage_attribute_db.py' in the iris sources.

hope that helps

StaSys846 avatar Jul 17 '24 10:07 StaSys846