From c991434c4e549c18ad47b488d296de5da07d5459 Mon Sep 17 00:00:00 2001 From: Ben Virgilio Date: Mon, 16 Sep 2024 16:24:45 -0400 Subject: [PATCH 1/4] Update iris_test.py to test multiple alerts with ioc data --- tests/alerters/iris_test.py | 66 +++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/tests/alerters/iris_test.py b/tests/alerters/iris_test.py index 3b4a97e6..74a9eedd 100644 --- a/tests/alerters/iris_test.py +++ b/tests/alerters/iris_test.py 
@@ -105,6 +105,72 @@ def test_iris_make_iocs_records(caplog):
actual_data = alert.make_iocs_records([match])
assert expected_data == actual_data
+def test_iris_handle_multiple_alerts_with_iocs(caplog):
+ caplog.set_level(logging.INFO)
+ rule = {
+ 'name': 'Test Context',
+ 'type': 'any',
+ 'iris_type': 'alert',
+ 'iris_host': '127.0.0.1',
+ 'iris_api_token': 'token 12345',
+ 'iris_customer_id': 1,
+ 'iris_iocs': [
+ {
+ 'ioc_description': 'source address',
+ 'ioc_tags': 'ip, ipv4',
+ 'ioc_tlp_id': 1,
+ 'ioc_type_id': 76,
+ 'ioc_value': 'src_ip'
+ },
+ {
+ 'ioc_description': 'target username',
+ 'ioc_tags': 'login, username',
+ 'ioc_tlp_id': 3,
+ 'ioc_type_id': 3,
+ 'ioc_value': 'username'
+ },
+ {
+ 'ioc_description': 'empty ioc',
+ 'ioc_tags': 'ioc',
+ 'ioc_tlp_id': 3,
+ 'ioc_type_id': 3,
+ 'ioc_value': 'non_existent_data'
+ }
+ ],
+ 'alert': []
+ }
+
+ rules_loader = FileRulesLoader({})
+ rules_loader.load_modules(rule)
+ alert = IrisAlerter(rule)
+
+ match = {
+ '@timestamp': '2023-10-21 20:00:00.000', 'username': 'evil_user', 'src_ip': '172.20.1.1', 'dst_ip': '10.0.0.1',
+ 'event_type': 'login', 'event_status': 'success'
+ }
+
+ expected_data = [
+ {
+ 'ioc_description': 'source address',
+ 'ioc_tags': 'ip, ipv4',
+ 'ioc_tlp_id': 1,
+ 'ioc_type_id': 76,
+ 'ioc_value': '172.20.1.1'
+ },
+ {
+ 'ioc_description': 'target username',
+ 'ioc_tags': 'login, username',
+ 'ioc_tlp_id': 3,
+ 'ioc_type_id': 3,
+ 'ioc_value': 'evil_user'
+ }
+ ]
+
+ first_alert_data = alert.make_iocs_records([match])
+ actual_data = alert.make_iocs_records([match])
+ assert expected_data == actual_data
+
+
def test_iris_make_alert_minimal(caplog):
caplog.set_level(logging.INFO)
From 52a305e72d57eecebd41bc6438da023f84ab0546 Mon Sep 17 00:00:00 2001
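Review bot: The value of the first call, `first_alert_data`, is never checked, so the test only proves the second call survives; it would still pass if the first call returned something wrong, and the unused local will trip flake8's F841 in CI. Keep the variable but pin it: `first_alert_data = alert.make_iocs_records([match])` followed by `assert first_alert_data == expected_data` before the second call, so both the first and the follow-up alert are shown to produce the same IOC records. The hunk's trailing context is the opening of `test_iris_make_alert_minimal`, which continues outside the hunk.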
From: Ben Virgilio Date: Mon, 16 Sep 2024 16:46:53 -0400 Subject: [PATCH 2/4] Updated iris.py to fix issue #1457 Copying the record data into a new private variable resolves the issue. --- elastalert/alerters/iris.py | 8 +++++--- tests/alerters/iris_test.py | 5 +++-- 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/elastalert/alerters/iris.py b/elastalert/alerters/iris.py
index 5dee7b83..8a111b2c 100644
--- a/elastalert/alerters/iris.py
+++ b/elastalert/alerters/iris.py
@@ -64,9 +64,11 @@ def make_alert_context_records(self, matches):
def make_iocs_records(self, matches):
iocs = []
for record in self.iocs:
- record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
- if record['ioc_value'] is not None:
- iocs.append(record)
+ # Duplicating match record data so we can update the ioc_value without overwriting record
+ record_data = record.copy()
+ record_data['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
+ if record_data['ioc_value'] is not None:
+ iocs.append(record_data)
return iocs
def make_alert(self, matches):
diff --git a/tests/alerters/iris_test.py b/tests/alerters/iris_test.py
index 74a9eedd..66af38eb 100644
--- a/tests/alerters/iris_test.py
+++ b/tests/alerters/iris_test.py
@@ -105,6 +105,7 @@ def test_iris_make_iocs_records(caplog):
actual_data = alert.make_iocs_records([match])
assert expected_data == actual_data
+
def test_iris_handle_multiple_alerts_with_iocs(caplog):
caplog.set_level(logging.INFO)
rule = {
@@ -166,12 +167,12 @@ def test_iris_handle_multiple_alerts_with_iocs(caplog):
}
]
- first_alert_data = alert.make_iocs_records([match])
+ # Submitting a bogus alert to test follow up alerts
+ alert.make_iocs_records([match])
actual_data = alert.make_iocs_records([match])
assert expected_data == actual_data
-
def test_iris_make_alert_minimal(caplog):
caplog.set_level(logging.INFO)
rule = {
From c98c83754f154f005b5034951dff84fc262acaed Mon Sep 17 00:00:00 2001
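Review bot: The comment added above `record.copy()` describes the wrong thing: what is copied is the rule's configured IOC template from `self.iocs`, not match record data, and the defect was that resolving `ioc_value` in place left the resolved value (or `None`) in that template for every later alert. I would reword it to `# Copy the rule's IOC template so resolving ioc_value never mutates self.iocs across alerts` and make the non-mutation explicit by building a new dict: `value = lookup_es_key(matches[0], record['ioc_value'])` then `if value is not None: iocs.append({**record, 'ioc_value': value})`, which also drops the second `record['ioc_value']` read. A shallow copy is sufficient here only because the key is rebound rather than edited in place; if any nested IOC field is ever mutated, the same cross-alert leak comes back, which is worth a sentence in a docstring on `make_iocs_records`. Separately, only `matches[0]` is consulted, so IOC fields present only in later matches of the same alert are silently dropped, as is any configured field missing from the match; a debug log on the skipped IOC would help operators understand why an IOC never appeared in IRIS.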
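Review bot: The regression test still asserts only the second call's return value, while the property the fix guarantees is that the rule's IOC templates are untouched; add `assert alert.iocs[0]['ioc_value'] == 'src_ip'` after the two calls (assuming `alert.iocs` is the `iris_iocs` list that `make_iocs_records` iterates, which the hunk does not show), and assert the first call too, e.g. `assert alert.make_iocs_records([match]) == expected_data` on both lines. The comment `# Submitting a bogus alert to test follow up alerts` mis-describes the call, since it is an ordinary first alert; `# First call must not mutate the rule's IOC templates (#1457); the second call is the one that used to fail` states the intent. `test_iris_handle_multiple_alerts_with_iocs` begins outside this hunk.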
From: Ben Virgilio Date: Mon, 16 Sep 2024 17:44:41 -0400 Subject: [PATCH 3/4] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8200885b..49f0d5bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ - [Docs] Fixed typo in Alerta docs with incorrect number of seconds in a day. - @jertel - Update GitHub actions to avoid running publish workflows on forked branches. - @jertel - Rewrite `_find_es_dict_by_key` per [discussion #1450](https://github.com/jertel/elastalert2/discussions/1450) for fieldnames literally ending in `.keyword` [#1459](https://github.com/jertel/elastalert2/pull/1459) - @jmacdone @jertel +- [IRIS] Fixed NoneType error raised in issue [#1457](https://github.com/jertel/elastalert2/issues/1457) - [#1533](https://github.com/jertel/elastalert2/pull/1533) # 2.18.0 From a239c3f1bce808c21137dc30f9c877624875718f Mon Sep 17 00:00:00 2001 From: Ben Virgilio Date: Mon, 16 Sep 2024 17:45:25 -0400 Subject: [PATCH 4/4] Moved changelog entry to proper TBD version --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49f0d5bd..d5718dc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ ## Other changes - [Indexer] Fixed fields types error on instance indexer_alert_config in schema.yml - [#1499](https://github.com/jertel/elastalert2/pull/1499) - @olehpalanskyi +- [IRIS] Fixed NoneType error raised in issue [#1457](https://github.com/jertel/elastalert2/issues/1457) - [#1533](https://github.com/jertel/elastalert2/pull/1533) # 2.19.0 
@@ -22,7 +23,6 @@ - [Docs] Fixed typo in Alerta docs with incorrect number of seconds in a day. - @jertel - Update GitHub actions to avoid running publish workflows on forked branches. - @jertel - Rewrite `_find_es_dict_by_key` per [discussion #1450](https://github.com/jertel/elastalert2/discussions/1450) for fieldnames literally ending in `.keyword` [#1459](https://github.com/jertel/elastalert2/pull/1459) - @jmacdone @jertel -- [IRIS] Fixed NoneType error raised in issue [#1457](https://github.com/jertel/elastalert2/issues/1457) - [#1533](https://github.com/jertel/elastalert2/pull/1533) # 2.18.0