[FR] Add alert_source_ref as filter parameter for /alerts/filter #1072

@rubiodamian

Description

Problem

/alerts/filter (and the corresponding Alert.filter_alerts() in
dfir-iris-client) accepts alert_source but not alert_source_ref.
This forces integrations to either:

  1. Filter by alert_source server-side and post-filter
     alert_source_ref client-side — paginates the entire source's
     alert history per dedup check.
  2. Embed source_ref in the title and filter by alert_title —
     works but couples dedup to title formatting, breaking if titles
     ever change.

Use case

Sync integrations (CarbonBlack → IRIS, Netwitness → IRIS, etc.)
need O(1) "does this source alert already exist in IRIS?" checks.
Today every integration we know of either reinvents one of the
workarounds above or accepts unbounded duplicates.

Proposed change

Add alert_source_ref as an optional query param on
/alerts/filter, mirroring the existing alert_source param. The
DB column already exists (alert_source_ref is part of
alert_create), so this is purely exposing it on the read path.

Workaround we're using today

Filter by alert_title and embed source_ref in the title by
convention ('NW: INC-1234', 'CB_ANALYTICS: abc123'). Functional
but fragile to title changes.
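The three dedup strategies from the issue side by side, as an added example that is not code from the dfir-iris project or from the issue author. The IRIS server is replaced by an in-memory stub over constructed alerts; alert_source, alert_title, page and per_page are the query parameters the issue names, alert_source_ref is the proposed one, and the response shape, exact-match filtering, and the assumption that an older server silently drops an unknown parameter are all made up for the stub. The last assumption is the one worth checking in a real integration: if the server ignores alert_source_ref, a naive "any row returned" check would report every new alert as a duplicate, so the proposed-path function verifies the returned refs.

```python
"""Dedup check for a source -> IRIS alert sync: the two workarounds from the
issue next to the proposed server-side alert_source_ref filter.

Added example, not dfir-iris or dfir-iris-client code. The server is an
in-memory stub over constructed data; response shape and exact-match
semantics are assumptions for the stub only.
"""
from typing import Callable, Dict, List

# Constructed sample data: 25 Netwitness alerts and 3 CarbonBlack alerts,
# titles following the issue's 'NW: INC-1234' / 'CB_ANALYTICS: abc123' convention.
ALERTS: List[Dict] = [
    {"alert_id": i, "alert_source": "Netwitness",
     "alert_source_ref": f"INC-{1000 + i}", "alert_title": f"NW: INC-{1000 + i}"}
    for i in range(1, 26)
] + [
    {"alert_id": 100 + i, "alert_source": "CarbonBlack",
     "alert_source_ref": f"cb{i:04d}", "alert_title": f"CB_ANALYTICS: cb{i:04d}"}
    for i in range(1, 4)
]


class FakeIris:
    """Stand-in for GET /alerts/filter that counts round trips.

    With support_source_ref=False it models a server predating the proposal:
    the unknown parameter is dropped (assumption), which is the failure mode
    an integration must be able to detect.
    """

    def __init__(self, alerts: List[Dict], support_source_ref: bool):
        self.alerts = [dict(a) for a in alerts]
        self.support_source_ref = support_source_ref
        self.calls = 0

    def filter(self, page: int = 1, per_page: int = 10, **params) -> Dict:
        self.calls += 1
        if not self.support_source_ref:
            params.pop("alert_source_ref", None)
        rows = [a for a in self.alerts
                if all(a.get(k) == v for k, v in params.items())]
        start = (page - 1) * per_page
        return {"alerts": rows[start:start + per_page], "total": len(rows)}

    def retitle(self, fn: Callable[[Dict], str]) -> None:
        """Simulate an integration changing its title format."""
        for a in self.alerts:
            a["alert_title"] = fn(a)


def exists_via_source_scan(iris: FakeIris, source: str, source_ref: str,
                           per_page: int = 10) -> bool:
    """Workaround 1: alert_source server-side, walk every page, compare
    alert_source_ref client-side. Cost grows with the source's history."""
    page = 1
    while True:
        resp = iris.filter(page=page, per_page=per_page, alert_source=source)
        if any(a["alert_source_ref"] == source_ref for a in resp["alerts"]):
            return True
        if page * per_page >= resp["total"]:
            return False
        page += 1


def exists_via_title(iris: FakeIris, prefix: str, source_ref: str) -> bool:
    """Workaround 2: ref embedded in the title by convention. One call, but
    silently breaks as soon as the title convention changes."""
    resp = iris.filter(alert_title=f"{prefix}: {source_ref}")
    return resp["total"] > 0


def exists_via_source_ref(iris: FakeIris, source: str, source_ref: str) -> bool:
    """Proposed: one call filtered on alert_source_ref. Every returned row is
    checked against the requested ref so a server that ignored the parameter
    cannot be mistaken for 'already exists'."""
    resp = iris.filter(alert_source=source, alert_source_ref=source_ref, per_page=5)
    hits = resp["alerts"]
    if any(a["alert_source_ref"] != source_ref for a in hits):
        raise RuntimeError("server ignored alert_source_ref; refusing to dedup on it")
    return bool(hits)


if __name__ == "__main__":
    old = FakeIris(ALERTS, support_source_ref=False)
    new = FakeIris(ALERTS, support_source_ref=True)
    print("scan:", exists_via_source_scan(old, "Netwitness", "INC-1024"), "calls", old.calls)
    print("ref: ", exists_via_source_ref(new, "Netwitness", "INC-1024"), "calls", new.calls)
    new.retitle(lambda a: f"[{a['alert_source']}] {a['alert_source_ref']}")
    print("title after rename:", exists_via_title(new, "NW", "INC-1024"))
    print("ref after rename:  ", exists_via_source_ref(new, "Netwitness", "INC-1024"))
```

The scan costs one round trip per page of the source's history and the title lookup goes dark after a rename, while the alert_source_ref lookup stays at one call either way; the ref verification in exists_via_source_ref is the check to keep when rolling this out against a mix of server versions.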

Labels

enhancement