

Merge pull request #1334 from malinkinsa/issue-in-iris-docs
Fix issue in IRIS docs and alerter required options
jertel authored Dec 5, 2023
2 parents ec60b30 + 02f12c6 commit f52a926
Showing 4 changed files with 100 additions and 5 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -15,6 +15,8 @@
- Support hourly index patterns - [#1328](https://github.com/jertel/elastalert2/pull/1328) - @jmacdone
- Correction in IRIS and GELF alerter [#1331](https://github.com/jertel/elastalert2/pull/1331) - @malinkinsa
- [Docs] Fix broken search function caused by sphinx upgrade a few releases ago - [#1332](https://github.com/jertel/elastalert2/pull/1332) - @jertel
- [Docs] Fix mismatch for parameter iris_customer_id - [1334](https://github.com/jertel/elastalert2/pull/1334) @malinkinsa
- [IRIS] Make parameter iris_customer_id optional with default value - [1334](https://github.com/jertel/elastalert2/pull/1334) @malinkinsa

# 2.15.0

4 changes: 2 additions & 2 deletions docs/source/ruletypes.rst
Expand Up @@ -2723,10 +2723,10 @@ The alerter requires the following option:

``iris_api_token``: The API key of the user you created, which will be used to initiate alerts and cases on behalf of this user.

``iris_customer_id``: The user ID associated with the API key mentioned above. You can find it on the same page where the API key is located.

Optional:

``iris_customer_id``: This field represents the unique identifier of the customer for whom an incident/case will be created within the system. Configure and view the existing options in the section ``Advanced -> Customers`` of your IRIS instance. The default value is: ``1``

``iris_ca_cert``: Set this option to True or a path to a CA cert bundle or directory (eg: /etc/ssl/certs/ca-certificates.crt) to validate the SSL certificate.The default value is: False.

``iris_ignore_ssl_errors``: Ignore ssl error. The default value is: ``False``.
4 changes: 2 additions & 2 deletions elastalert/alerters/iris.py
Expand Up @@ -9,13 +9,13 @@


class IrisAlerter(Alerter):
required_options = set(['iris_host', 'iris_api_token', 'iris_customer_id'])
required_options = set(['iris_host', 'iris_api_token'])

def __init__(self, rule):
super(IrisAlerter, self).__init__(rule)
self.url = f"https://{self.rule.get('iris_host')}"
self.api_token = self.rule.get('iris_api_token')
self.customer_id = self.rule.get('iris_customer_id')
self.customer_id = self.rule.get('iris_customer_id', 1)
self.ca_cert = self.rule.get('iris_ca_cert')
self.ignore_ssl_errors = self.rule.get('iris_ignore_ssl_errors', False)
self.description = self.rule.get('iris_description', None)
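Review bot: The fallback in `self.customer_id = self.rule.get('iris_customer_id', 1)` is an uncommented magic number, and because `.get` now supplies it, a rule that misspells the key silently attaches every alert to customer 1 instead of being rejected as a missing required option, as it presumably was while the key was in `required_options`. Consider hoisting the value to a documented class attribute, `DEFAULT_CUSTOMER_ID = 1  # matches the default documented for iris_customer_id in ruletypes.rst`, and reading it via `self.rule.get('iris_customer_id', self.DEFAULT_CUSTOMER_ID)`, so the fallback is visible and searchable. On the same hunk, the new `required_options = set(['iris_host', 'iris_api_token'])` could be written as the set literal `{'iris_host', 'iris_api_token'}`. The enclosing `__init__` continues past the hunk.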
95 changes: 94 additions & 1 deletion tests/alerters/iris_test.py
Expand Up @@ -326,7 +326,6 @@ def test_iris_alert_alert(caplog):
'type': 'any',
'iris_host': '127.0.0.1',
'iris_api_token': 'token 12345',
'iris_customer_id': 1,
'iris_description': 'test description in alert',
'iris_alert_note': 'test note',
'iris_alert_tags': 'test, alert',
Expand Down Expand Up @@ -413,6 +412,100 @@ def test_iris_alert_alert(caplog):
assert ('elastalert', logging.INFO, 'Alert sent to Iris') == caplog.record_tuples[0]


def test_iris_alert_alert_with_custom_customer_id(caplog):
caplog.set_level(logging.INFO)
rule = {
'name': 'Test Main',
'type': 'any',
'iris_host': '127.0.0.1',
'iris_api_token': 'token 12345',
'iris_customer_id': 2,
'iris_description': 'test description in alert',
'iris_alert_note': 'test note',
'iris_alert_tags': 'test, alert',
'iris_overwrite_timestamp': True,
'iris_alert_source_link': 'https://example.com',
'iris_iocs': [
{
'ioc_description': 'source address',
'ioc_tags': 'ip, ipv4',
'ioc_tlp_id': 1,
'ioc_type_id': 76,
'ioc_value': 'src_ip'
},
{
'ioc_description': 'target username',
'ioc_tags': 'login, username',
'ioc_tlp_id': 3,
'ioc_type_id': 3,
'ioc_value': 'username'
}
],
'iris_alert_context': {'username': 'username', 'ip': 'src_ip', 'login_status': 'event_status'},
'alert': [],
}

rules_loader = FileRulesLoader({})
rules_loader.load_modules(rule)
alert = IrisAlerter(rule)

match = {
'@timestamp': '2023-10-21 20:00:00.000', 'username': 'evil_user', 'src_ip': '172.20.1.1', 'dst_ip': '10.0.0.1',
'event_type': 'login', 'event_status': 'success'
}

expected_data = {
"alert_title": 'Test Main',
"alert_description": 'test description in alert',
"alert_source": "ElastAlert2",
"alert_severity_id": 1,
"alert_status_id": 2,
"alert_source_event_time": '2023-10-21 20:00:00.000',
"alert_note": 'test note',
"alert_tags": 'test, alert',
"alert_customer_id": 2,
"alert_source_link": 'https://example.com',
"alert_iocs": [
{
'ioc_description': 'source address',
'ioc_tags': 'ip, ipv4',
'ioc_tlp_id': 1,
'ioc_type_id': 76,
'ioc_value': '172.20.1.1'
},
{
'ioc_description': 'target username',
'ioc_tags': 'login, username',
'ioc_tlp_id': 3,
'ioc_type_id': 3,
'ioc_value': 'evil_user'
}
],
"alert_context": {
'username': 'evil_user',
'ip': '172.20.1.1',
'login_status': 'success'
},
}
mock_response = mock.Mock()
mock_response.status_code = 200
with mock.patch('requests.post', return_value=mock_response) as mock_post_request:
alert.alert([match])

mock_post_request.assert_called_once_with(
url=f'https://{rule["iris_host"]}/alerts/add',
headers={
'Content-Type': 'application/json',
'Authorization': f'Bearer {rule["iris_api_token"]}'
},
json=mock.ANY,
verify=True,
)

assert expected_data == mock_post_request.call_args_list[0][1]['json']
assert ('elastalert', logging.INFO, 'Alert sent to Iris') == caplog.record_tuples[0]


def test_iris_get_info(caplog):
caplog.set_level(logging.INFO)
rule = {
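Review bot: `test_iris_alert_alert_with_custom_customer_id` repeats the body of `test_iris_alert_alert` almost verbatim; as far as this hunk shows, only `'iris_customer_id': 2` in the rule and `"alert_customer_id": 2` in `expected_data` differ, so the two tests will drift apart the next time the alerter's payload changes. Consider parametrizing a single test over the customer id, e.g. `@pytest.mark.parametrize('customer_id, expected_customer_id', [(None, 1), (2, 2)])`, adding the key to the rule only when `customer_id is not None`, assuming the module imports pytest (the `caplog` fixture suggests it does). Alternatively, factor the shared rule/match/expected_data construction into a helper that takes the customer id, so the default-value path and the explicit path are asserted from one definition.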

