[#3][FIX] Fixed asset description data validation client side#7
Merged
Conversation
Ektoplasma
approved these changes
Dec 30, 2021
zach115th
added a commit
to zach115th/iris-ng
that referenced
this pull request
May 12, 2026
…t, timeline CSV round-trip
Two large additive features and a CSV round-trip fix:
- **EZ Tools / KAPE CSV ingest** as a second working-timeline source on top
of Hayabusa. `source/app/iris_engine/working_timeline/eztools_parser.py`
auto-detects 11 sub-formats by column-header signature (evtxecmd /
mft-usn / mft-full / prefetch-{timeline,full} / appcompat /
amcache-{unassoc,prog} / recycle-bin / jumplist / lnk). New
POST /api/v2/cases/<cid>/working-timeline/import/eztools. Stream-decoded
via io.TextIOWrapper(io.BytesIO(...)) and csv.field_size_limit(sys.maxsize)
so 800+ MB CSVs with >128 KB cells (PECmd Files/Directories) don't blow
up the parser. PECmd full folds historical runs into the card body
rather than fanning out 9 events per prefetch. AppCompatCache parser
forensically corrected: title says "<basename> present on disk" not
"executed", severity stays None, body steers to Prefetch / Sec 4688 /
Sysmon 1 for execution confirmation. JumpList detector evaluates before
LNK (JL CSV is a superset of LECmd's columns). Generic JS IMPORT_SOURCES
map + dropdown in case_timeline.html.
- **Case import/export portability** — round-trip JSON for case migration.
New `source/app/business/cases_portability.py` (exporter + importer +
per-table name-resolvers). New endpoints:
GET /api/v2/cases/<cid>/export (downloads JSON file) and
POST /api/v2/cases/import (multipart file or JSON body, returns new
case id + per-object insert counts + warnings). UI: Export button in
the Edit case-info modal footer; Import button on the Dashboard header
next to "Create new case" with a small file-picker modal. Export
carries NAMES not IDs (severity / classification / IOC type / TLP /
asset type / analysis status / task status / evidence type / event
category / customer) so cases round-trip across instances with
different lookup IDs; missing names fall back to deployment-safe
defaults (other, amber, Other, Unspecified, To do, Medium) and
accumulate a warnings list rather than failing. Cross-links preserved:
asset↔IOC, event↔asset, event↔IOC, event categories, note directory
paths. Skips evidence file bytes, working-timeline rows (transient),
comments (identity drift), modification history (identity drift), AI
cache (derivable). Live-validated: case dfir-iris#3 → case dfir-iris#7 round-trip
reproduced 4 notes / 34 IOCs / 14 assets / 2 tasks / 1 evidence / 11
events / 71+15+28 cross-links, zero warnings.
- **Master-timeline CSV export ↔ import round-trip.** Harmonized headers
(event_date / event_tz / event_title / event_category / event_content /
event_raw / event_source / event_assets / event_iocs / event_tags) +
separators (assets ';', iocs+tags '|') so a CSV export round-trips
cleanly back through the import endpoint. Two load-bearing fixes:
(1) the master timeline page is fed by /case/timeline/advanced-filter
(line ~450 of case_timeline_routes.py), NOT /case/timeline/events/list
(line ~263) — projection updates needed on the right endpoint or every
row's new column comes back empty. (2) The import endpoint was
unconditionally overwriting per-row event_source with the modal's
default; now the modal default is fallback only.
- **Working-timeline UTC ISO serialization** — _iso_utc() helper appends
'Z' for naive datetimes (Hayabusa --UTC + EZ Tools/KAPE UTC mode store
naive datetimes that represent UTC). Without the 'Z', browser
new Date(iso) interprets as analyst-local time and fmtTime() then
adds the offset back, displaying 15:28 UTC as 22:28Z for a PDT
analyst. Applied to event_date / created_at / reviewed_at in
working-timeline _serialize().
- **Working-timeline promote race fix.** SELECT FOR UPDATE on the
working event row prevents duplicate cases_events when the Promote
button is clicked multiple times in quick succession (was reproducible:
5 clicks in 15s created 5 duplicate timeline events).
- **Case-wide search expansion.** 8 places (was 3): IOCs, notes,
comments, assets, tasks, evidence, timeline events, cases.
Files: 9 changed (+2004 / -45). See iris-ng docs/19 §5b.1.1 (EZ Tools)
and §12 (case portability) + docs/13 progress updates 2026-05-12.
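The UTC serialization point in the commit message above, as an added worked example (this is not code from iris-ng or from this PR): a hypothetical `iso_utc()` helper that treats naive datetimes as UTC and emits an explicit `Z`, plus a small model of how a browser's `new Date()` interprets an ISO string with and without a zone designator, reproducing the "15:28 UTC shown as 22:28Z for a PDT analyst" failure. Function names, the sample timestamps and the analyst offset are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone


def iso_utc(dt):
    """Serialize a datetime as ISO 8601 in UTC with an explicit 'Z'.

    Assumption (hypothetical helper modelled on the described fix): a naive
    datetime is taken to be UTC wall-clock, which is what Hayabusa --UTC and
    EZ Tools / KAPE in UTC mode store. An aware datetime is converted to UTC.
    """
    if dt is None:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    else:
        dt = dt.astimezone(timezone.utc)
    # isoformat() writes '+00:00' for UTC; normalise to the 'Z' designator.
    return dt.isoformat(timespec="seconds").replace("+00:00", "Z")


def parse_iso(text):
    """Parse ISO 8601, accepting a trailing 'Z' (older fromisoformat() rejects it)."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def browser_to_utc(text, analyst_offset_hours):
    """Model the browser's `new Date(text)` followed by a UTC formatter.

    Per ECMAScript, a date-time string with no offset is interpreted as
    local time, so a naive string is attached to the analyst's zone before
    conversion; a string carrying 'Z' or an offset is absolute.
    Returns the aware UTC datetime the UI would render.
    """
    dt = parse_iso(text)
    if dt.tzinfo is None:
        local_zone = timezone(timedelta(hours=analyst_offset_hours))
        dt = dt.replace(tzinfo=local_zone)
    return dt.astimezone(timezone.utc)


def demo():
    """Constructed sample: a naive UTC event time as a timeline DB would hold it."""
    naive_utc_event = datetime(2026, 5, 12, 15, 28, 0)   # assumed sample value
    pdt = -7                                             # analyst offset, assumed

    without_z = naive_utc_event.isoformat(timespec="seconds")  # old serializer
    with_z = iso_utc(naive_utc_event)                          # fixed serializer

    shown_old = browser_to_utc(without_z, pdt).strftime("%H:%MZ")
    shown_new = browser_to_utc(with_z, pdt).strftime("%H:%MZ")
    return {
        "serialized_old": without_z,
        "serialized_new": with_z,
        "displayed_old": shown_old,   # offset wrongly added back
        "displayed_new": shown_new,   # correct
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same helper is what you want on every timestamp column the API serializes (event_date, created_at, reviewed_at), since a single naive field is enough to put an event seven hours off in a PDT analyst's timeline while looking correct to a UTC one.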
Closes #3