From 05179b0fbf107f2f5a7d17cad98132a6de435546 Mon Sep 17 00:00:00 2001
From: Sergey Malinkin
Date: Mon, 4 Dec 2023 18:43:16 +0300
Subject: [PATCH 1/2] Fix issue in IRIS docs and alerter required options

---
 CHANGELOG.md                |  2 +
 docs/source/ruletypes.rst   |  4 +-
 elastalert/alerters/iris.py |  4 +-
 tests/alerters/iris_test.py | 95 ++++++++++++++++++++++++++++++++++++-
 4 files changed, 100 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b3f67bc..f56f8174 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,8 @@
 - Support hourly index patterns - [#1328](https://github.com/jertel/elastalert2/pull/1328) - @jmacdone
 - Correction in IRIS and GELF alerter [#1331](https://github.com/jertel/elastalert2/pull/1331) - @malinkinsa
 - [Docs] Fix broken search function caused by sphinx upgrade a few releases ago - [#1332](https://github.com/jertel/elastalert2/pull/1332) - @jertel
+- [Docs] Fix mismatch for parameter iris_customer_id - []() @malinkinsa
+- [IRIS] Make parameter iris_customer_id optional with default value - []() @malinkinsa
 
 # 2.15.0
 
diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst
index 13a6579b..1234d7c1 100644
--- a/docs/source/ruletypes.rst
+++ b/docs/source/ruletypes.rst
@@ -2723,10 +2723,10 @@ The alerter requires the following option:
 
 ``iris_api_token``: The API key of the user you created, which will be used to initiate alerts and cases on behalf of this user.
 
-``iris_customer_id``: The user ID associated with the API key mentioned above. You can find it on the same page where the API key is located.
-
 Optional:
 
+``iris_customer_id``: This field represents the unique identifier of the customer for whom an incident/case will be created within the system. Configure and view the existing options in the section ``Advanced -> Customers`` of your IRIS instance. The default value is: ``1``
+
 ``iris_ca_cert``: Set this option to True or a path to a CA cert bundle or directory (eg: /etc/ssl/certs/ca-certificates.crt) to validate the SSL certificate.The default value is: False.
 
 ``iris_ignore_ssl_errors``: Ignore ssl error. The default value is: ``False``.
diff --git a/elastalert/alerters/iris.py b/elastalert/alerters/iris.py
index 0b23e788..1f20ae5b 100644
--- a/elastalert/alerters/iris.py
+++ b/elastalert/alerters/iris.py
@@ -9,13 +9,13 @@
 
 
 class IrisAlerter(Alerter):
-    required_options = set(['iris_host', 'iris_api_token', 'iris_customer_id'])
+    required_options = set(['iris_host', 'iris_api_token'])
 
     def __init__(self, rule):
         super(IrisAlerter, self).__init__(rule)
         self.url = f"https://{self.rule.get('iris_host')}"
         self.api_token = self.rule.get('iris_api_token')
-        self.customer_id = self.rule.get('iris_customer_id')
+        self.customer_id = self.rule.get('iris_customer_id', 1)
         self.ca_cert = self.rule.get('iris_ca_cert')
         self.ignore_ssl_errors = self.rule.get('iris_ignore_ssl_errors', False)
         self.description = self.rule.get('iris_description', None)
diff --git a/tests/alerters/iris_test.py b/tests/alerters/iris_test.py
index 62257aec..85fd2265 100644
--- a/tests/alerters/iris_test.py
+++ b/tests/alerters/iris_test.py
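Review bot: Defaulting `iris_customer_id` to `1` in `__init__` means a rule that omits or misspells the option silently files its alerts, IOCs and alert context under IRIS customer 1, which on an instance with several customers configured puts one tenant's incident data in another tenant's queue; dropping the key from `required_options` is what makes this silent rather than a startup error. Consider emitting a log line when the fallback is taken so the misrouting is visible in the ElastAlert log, e.g. `if 'iris_customer_id' not in self.rule:` / `elastalert_logger.info('iris_customer_id not set, defaulting to customer 1')` next to the assignment, assuming `elastalert_logger` is the logger this module already uses for 'Alert sent to Iris'. On the `required_options` line, `set([...])` could be written as the literal `{'iris_host', 'iris_api_token'}`. The body of `__init__` continues past the end of the hunk.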
@@ -326,7 +326,6 @@ def test_iris_alert_alert(caplog):
         'type': 'any',
         'iris_host': '127.0.0.1',
         'iris_api_token': 'token 12345',
-        'iris_customer_id': 1,
         'iris_description': 'test description in alert',
         'iris_alert_note': 'test note',
         'iris_alert_tags': 'test, alert',
@@ -413,6 +412,100 @@ def test_iris_alert_alert(caplog):
     assert ('elastalert', logging.INFO, 'Alert sent to Iris') == caplog.record_tuples[0]
 
 
+def test_iris_alert_alert_with_custom_customer_id(caplog):
+    caplog.set_level(logging.INFO)
+    rule = {
+        'name': 'Test Main',
+        'type': 'any',
+        'iris_host': '127.0.0.1',
+        'iris_api_token': 'token 12345',
+        'iris_customer_id': 2,
+        'iris_description': 'test description in alert',
+        'iris_alert_note': 'test note',
+        'iris_alert_tags': 'test, alert',
+        'iris_overwrite_timestamp': True,
+        'iris_alert_source_link': 'https://example.com',
+        'iris_iocs': [
+            {
+                'ioc_description': 'source address',
+                'ioc_tags': 'ip, ipv4',
+                'ioc_tlp_id': 1,
+                'ioc_type_id': 76,
+                'ioc_value': 'src_ip'
+            },
+            {
+                'ioc_description': 'target username',
+                'ioc_tags': 'login, username',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'username'
+            }
+        ],
+        'iris_alert_context': {'username': 'username', 'ip': 'src_ip', 'login_status': 'event_status'},
+        'alert': [],
+    }
+
+    rules_loader = FileRulesLoader({})
+    rules_loader.load_modules(rule)
+    alert = IrisAlerter(rule)
+
+    match = {
+        '@timestamp': '2023-10-21 20:00:00.000', 'username': 'evil_user', 'src_ip': '172.20.1.1', 'dst_ip': '10.0.0.1',
+        'event_type': 'login', 'event_status': 'success'
+    }
+
+    expected_data = {
+        "alert_title": 'Test Main',
+        "alert_description": 'test description in alert',
+        "alert_source": "ElastAlert2",
+        "alert_severity_id": 1,
+        "alert_status_id": 2,
+        "alert_source_event_time": '2023-10-21 20:00:00.000',
+        "alert_note": 'test note',
+        "alert_tags": 'test, alert',
+        "alert_customer_id": 2,
+        "alert_source_link": 'https://example.com',
+        "alert_iocs": [
+            {
+                'ioc_description': 'source address',
+                'ioc_tags': 'ip, ipv4',
+                'ioc_tlp_id': 1,
+                'ioc_type_id': 76,
+                'ioc_value': '172.20.1.1'
+            },
+            {
+                'ioc_description': 'target username',
+                'ioc_tags': 'login, username',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'evil_user'
+            }
+        ],
+        "alert_context": {
+            'username': 'evil_user',
+            'ip': '172.20.1.1',
+            'login_status': 'success'
+        },
+    }
+    mock_response = mock.Mock()
+    mock_response.status_code = 200
+    with mock.patch('requests.post', return_value=mock_response) as mock_post_request:
+        alert.alert([match])
+
+    mock_post_request.assert_called_once_with(
+        url=f'https://{rule["iris_host"]}/alerts/add',
+        headers={
+            'Content-Type': 'application/json',
+            'Authorization': f'Bearer {rule["iris_api_token"]}'
+        },
+        json=mock.ANY,
+        verify=True,
+    )
+
+    assert expected_data == mock_post_request.call_args_list[0][1]['json']
+    assert ('elastalert', logging.INFO, 'Alert sent to Iris') == caplog.record_tuples[0]
+
+
 def test_iris_get_info(caplog):
     caplog.set_level(logging.INFO)
     rule = {

From 02f12c62ed26c24477a587a4568635722cdecc96 Mon Sep 17 00:00:00 2001
From: Sergey Malinkin
Date: Mon, 4 Dec 2023 18:47:33 +0300
Subject: [PATCH 2/2] Update Changelog

---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f56f8174..c46d219f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,8 +15,8 @@
 - Support hourly index patterns - [#1328](https://github.com/jertel/elastalert2/pull/1328) - @jmacdone
 - Correction in IRIS and GELF alerter [#1331](https://github.com/jertel/elastalert2/pull/1331) - @malinkinsa
 - [Docs] Fix broken search function caused by sphinx upgrade a few releases ago - [#1332](https://github.com/jertel/elastalert2/pull/1332) - @jertel
-- [Docs] Fix mismatch for parameter iris_customer_id - []() @malinkinsa
-- [IRIS] Make parameter iris_customer_id optional with default value - []() @malinkinsa
+- [Docs] Fix mismatch for parameter iris_customer_id - [1334](https://github.com/jertel/elastalert2/pull/1334) @malinkinsa
+- [IRIS] Make parameter iris_customer_id optional with default value - [1334](https://github.com/jertel/elastalert2/pull/1334) @malinkinsa
 
 # 2.15.0
 
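Review bot: `test_iris_alert_alert_with_custom_customer_id` repeats `test_iris_alert_alert` line for line apart from `'iris_customer_id': 2` in the rule and `"alert_customer_id": 2` in `expected_data`, so every future change to the expected payload has to be made in two places. A `@pytest.mark.parametrize('customer_id, expected_customer_id', [(None, 1), (2, 2)])` on the existing test, adding the rule key only when `customer_id is not None`, would cover the new default and the override together and turn the default-to-1 behaviour into an explicit assertion rather than one implied by the key removal in the earlier hunk. Whether `test_iris_alert_alert` still asserts `"alert_customer_id": 1` cannot be seen here, since that part of its body is outside the hunk; the trailing context lines belong to `test_iris_get_info`, whose body also continues past the hunk.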