Is your feature request related to a problem?
Currently IOCs are shared between different cases. They are uniquely determined by their type and value (see https://github.com/dfir-iris/iris-web/blob/v2.4.7/source/app/datamgmt/case/case_iocs_db.py#L171).
This is a problem in different scenarios.
For instance:
add an IOC to the case with type identifier 1 and value "some value"
create a second case
add an IOC to the case with type identifier 1 and value "some value" and tags "tag1,tag2"
retrieve the IOC on the second case
=> the value of its tags will be None (because it was not created/updated, because it is the same IOC as the one set on the first case)
Also, because of the permission system (https://docs.dfir-iris.org/latest/operations/access_control/), a user is not necessarily allowed to have access to all cases. However, currently he can still indirectly impact the IOCs of cases he does not have access to. This can also lead to potential data-leaks.
Describe the solution you'd like
IOCs should be associated with a case. Even if an IOC on a case has the same type and value as the IOC on another case, it should be a different object. When one is modified, the other one is left untouched.
Implementation tips
Compare with assets?
I absolutely second this FR. I think the Linked Cases column in the IOC table can be data breach material as well and therefore should not be part of any downloadable export.
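The shared-IOC behaviour reported in this issue and the per-case model it requests, side by side, as an added example that is not IRIS code. The store classes, `reproduce` and the case ids are hypothetical; the steps follow the issue's reproduction list.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ioc:
    type_id: int
    value: str
    tags: Optional[str] = None
    case_ids: set = field(default_factory=set)


class SharedIocStore:
    """Hypothetical model of the reported behaviour: one row per (type, value)."""

    def __init__(self):
        self.rows = {}

    def add(self, case_id, type_id, value, tags=None):
        key = (type_id, value)
        ioc = self.rows.get(key)
        if ioc is None:              # only the first caller's fields are stored
            ioc = self.rows[key] = Ioc(type_id, value, tags)
        ioc.case_ids.add(case_id)    # later callers only get a link to the row
        return ioc


class PerCaseIocStore:
    """Hypothetical model of the requested behaviour: the case is part of the key."""

    def __init__(self):
        self.rows = {}

    def add(self, case_id, type_id, value, tags=None):
        key = (case_id, type_id, value)
        ioc = self.rows.get(key)
        if ioc is None:
            ioc = self.rows[key] = Ioc(type_id, value, tags, {case_id})
        return ioc


def reproduce(store):
    """Run the issue's steps, then edit the IOC through case 2 only."""
    first = store.add(1, 1, "some value")
    second = store.add(2, 1, "some value", tags="tag1,tag2")
    tags_on_second = second.tags
    second.tags = "edited-from-case-2"   # user who can only access case 2
    # (tags read on case 2, tags now on case 1, cases visible via case 2's IOC)
    return tags_on_second, first.tags, sorted(second.case_ids)
```

With the shared store the edit made through case 2 reaches case 1, and case 2's IOC lists case 1 among its linked cases; with the per-case store neither happens.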