[BUG] Alert escalation using a case template doesn't assign classification #1055
Description
Describe the bug
Im trying to merge an alert into a new case using a pre-defined case template. The template is barebone with only this definition:
{
"name": "Template Suspicious User Activity",
"display_name": "Template Suspicious user Activity",
"description": "",
"author": "",
"title_prefix": "",
"summary": "",
"tags": [],
"tasks": [],
"note_directories": [],
"classification": "suspicious-user-activity"
}The classification is a custom one. My goal is to have a case with that classification assigned, mainly to be used via API.
This doesn't work, as the case get's created without classification.
To Reproduce
Steps to reproduce the behavior:
- Create a custom case classification
- Create a custom case template which assigns that classification
- From an already created alert, merge it into a new case using the custom template
- Observe the missing classification in the newly created case
- Try to create a new case from scratch with the custom template
- Observe the classification correctly assigned
Expected behavior
Template's classification to be assigned to escalated alerts
Screenshots
Escalated alert:
Case created from scratch:
Desktop (please complete the following information):
- OS: Windows 11 25H2
- Browser Firefox 148
Smartphone (please complete the following information):
N/A
Additional context
IRIS v2.4.27