Merge pull request #1374 from yaksnip425/master

jertel · web-flow · commit b274f7d77904 · 2024-02-17T11:44:09.000-05:00
[IRIS] Remove empty IOC in alerts that are not accepted by the API
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,7 @@
 - Add workwechat alerter - [#1367](https://github.com/jertel/elastalert2/pull/1367) - @wufeiqun
 
 ## Other changes
-- TBD
+- [IRIS] Remove empty IOC in alerts that are not accepted by the API - [#1374](https://github.com/jertel/elastalert2/pull/1374) - @yaksnip425
 
 # 2.16.0
 
diff --git a/elastalert/alerters/iris.py b/elastalert/alerters/iris.py
@@ -65,7 +65,8 @@ def make_iocs_records(self, matches):
         iocs = []
         for record in self.iocs:
             record['ioc_value'] = lookup_es_key(matches[0], record['ioc_value'])
-            iocs.append(record)
+            if record['ioc_value'] is not None:
+                iocs.append(record)
         return iocs
 
     def make_alert(self, matches):
diff --git a/tests/alerters/iris_test.py b/tests/alerters/iris_test.py
@@ -64,6 +64,13 @@ def test_iris_make_iocs_records(caplog):
                 'ioc_tlp_id': 3,
                 'ioc_type_id': 3,
                 'ioc_value': 'username'
+            },
+            {
+                'ioc_description': 'empty ioc',
+                'ioc_tags': 'ioc',
+                'ioc_tlp_id': 3,
+                'ioc_type_id': 3,
+                'ioc_value': 'non_existent_data'
             }
         ],
         'alert': []
