work in progress for hart ip integration, idaholab#561

mmguero-dev · Sep 18, 2024 · b7594d9 · b7594d9
1 parent 9029733
commit b7594d9
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 4 deletions.
diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
@@ -475,9 +475,9 @@
         "zeek.hart_ip.header_status_code": { "type": "keyword" },
         "zeek.hart_ip.header_version": { "type": "long" },
         "zeek.hart_ip.message_packet_bytes": { "type": "keyword" },
-        "zeek.hart_ip.read_audit_log_last_security_change": { "type": "long" },
+        "zeek.hart_ip.read_audit_log_last_security_change": { "type": "date" },
         "zeek.hart_ip.read_audit_log_number_of_records": { "type": "long" },
-        "zeek.hart_ip.read_audit_log_power_up_time": { "type": "long" },
+        "zeek.hart_ip.read_audit_log_power_up_time": { "type": "date" },
         "zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection": { "type": "keyword" },
         "zeek.hart_ip.read_audit_log_server_status_syslog_server_located_but_connection_failed": { "type": "keyword" },
         "zeek.hart_ip.read_audit_log_server_status_unable_to_locate_syslog_server": { "type": "keyword" },
@@ -509,8 +509,8 @@
         "zeek.hart_ip_session_record.session_log_record_client_i_pv4_address": { "type": "ip" },
         "zeek.hart_ip_session_record.session_log_record_client_i_pv6_address": { "type": "ip" },
         "zeek.hart_ip_session_record.session_log_record_client_port": { "type": "long" },
-        "zeek.hart_ip_session_record.session_log_record_connect_time": { "type": "long" },
-        "zeek.hart_ip_session_record.session_log_record_disconnect_time": { "type": "long" },
+        "zeek.hart_ip_session_record.session_log_record_connect_time": { "type": "date" },
+        "zeek.hart_ip_session_record.session_log_record_disconnect_time": { "type": "date" },
         "zeek.hart_ip_session_record.session_log_record_end_configuration_change_count": { "type": "long" },
         "zeek.hart_ip_session_record.session_log_record_num_publish_pdu": { "type": "long" },
         "zeek.hart_ip_session_record.session_log_record_num_request_pdu": { "type": "long" },

diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/14_zeek_convert.conf
@@ -412,4 +412,56 @@ filter {
     }
   }
 
+  # these hart IP date/time fields are not actually Zeek values yet, so track https://github.com/cisagov/icsnpp-hart-ip/issues/15
+  # and adjust this appropriately once that is fixed
+
+  if ([zeek][hart_ip][read_audit_log_power_up_time]) {
+    if ([zeek][hart_ip][read_audit_log_power_up_time] == "0") {
+      mutate { id => "mutate_remove_field_zeek_hart_ip_read_audit_log_power_up_time"
+               remove_field => [ "[zeek][hart_ip][read_audit_log_power_up_time]" ] }
+    } else {
+      date {
+        id => "date_zeek_hart_ip_read_audit_log_power_up_time"
+        match => [ "[zeek][hart_ip][read_audit_log_power_up_time]", "UNIX" ]
+        target => "[zeek][hart_ip][read_audit_log_power_up_time]"
+      }
+    }
+  }
+  if ([zeek][hart_ip][read_audit_log_last_security_change]) {
+    if ([zeek][hart_ip][read_audit_log_last_security_change] == "0") {
+      mutate { id => "mutate_remove_field_zeek_hart_ip_read_audit_log_last_security_change"
+               remove_field => [ "[zeek][hart_ip][read_audit_log_last_security_change]" ] }
+    } else {
+      date {
+        id => "date_zeek_hart_ip_read_audit_log_last_security_change"
+        match => [ "[zeek][hart_ip][read_audit_log_last_security_change]", "UNIX" ]
+        target => "[zeek][hart_ip][read_audit_log_last_security_change]"
+      }
+    }
+  }
+  if ([zeek][hart_ip_session_record][session_log_record_connect_time]) {
+    if ([zeek][hart_ip_session_record][session_log_record_connect_time] == "0") {
+      mutate { id => "mutate_remove_field_zeek_hart_ip_session_record_session_log_record_connect_time"
+               remove_field => [ "[zeek][hart_ip_session_record][session_log_record_connect_time]" ] }
+    } else {
+      date {
+        id => "date_zeek_hart_ip_session_record_session_log_record_connect_time"
+        match => [ "[zeek][hart_ip_session_record][session_log_record_connect_time]", "UNIX" ]
+        target => "[zeek][hart_ip_session_record][session_log_record_connect_time]"
+      }
+    }
+  }
+  if ([zeek][hart_ip_session_record][session_log_record_disconnect_time]) {
+    if ([zeek][hart_ip_session_record][session_log_record_disconnect_time] == "0") {
+      mutate { id => "mutate_remove_field_zeek_hart_ip_session_record_session_log_record_disconnect_time"
+               remove_field => [ "[zeek][hart_ip_session_record][session_log_record_disconnect_time]" ] }
+    } else {
+      date {
+        id => "date_zeek_hart_ip_session_record_session_log_record_disconnect_time"
+        match => [ "[zeek][hart_ip_session_record][session_log_record_disconnect_time]", "UNIX" ]
+        target => "[zeek][hart_ip_session_record][session_log_record_disconnect_time]"
+      }
+    }
+  }
+
 }