
Device time stamp correction - via plugin

Recently I ran into a situation where a device puts time stamps in the GMT time zone. It could easily be fixed by changing the connector settings, but here is the problem again: the settings are global, so that would fix the time stamps for this device and break the time stamps for all other devices. The only solution I found is to create a small plugin that looks for a particular deviceVendor value and fixes the time accordingly. See the code below:

package plugins.esm.alex;

import java.util.List;
import java.util.TimeZone;

import com.arcsight.event.DeviceDescriptor;
import com.arcsight.event.ISecurityEvent;
import com.arcsight.product.manager.extension.event.api.ICustomEventHandler;

public class FireEyeTimeCorHandler implements ICustomEventHandler {

    // deviceVendor value whose events carry GMT wall-clock times that the
    // connector parsed as local time. Replace with the real vendor string.
    private static final String VENDOR = "Your device vendor";

    @Override
    public void onPostPersist(List<ISecurityEvent> events) {
        // Nothing to do after the events are persisted.
    }

    @Override
    public void onPrePersist(List<ISecurityEvent> events) {
        // Time zone of the ESM host (the zone the connector used when it
        // parsed the device's GMT wall-clock as local time).
        TimeZone localZone = TimeZone.getDefault();

        for (ISecurityEvent event : events) {
            DeviceDescriptor device = event.getDevice();
            // getVendor() may return null; compare constant-first to avoid an NPE.
            String vendor = (device != null) ? device.getVendor() : null;

            if (VENDOR.equals(vendor)) {
                long endTime = event.getEndTime();
                // The stored value is a GMT wall-clock mislabelled as local time,
                // so it is off by the local GMT offset that was in force at that
                // time. Take the offset at the event's own time (DST included),
                // not at "now": an event from January corrected in July would
                // otherwise be off by an hour.
                int gmtOffset = localZone.getOffset(endTime);
                event.setEndTime(endTime + gmtOffset);
            }
        }
    }
}

Original post:

http://www.infosec.pro/2013/02/11/esm-arcsight-plugin-correct-device-time/

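The correction the plugin performs, worked through stand-alone with java.time so it can be checked outside ESM. This is an added example, not code from the post or from the ArcSight API: it assumes an ESM/connector zone of America/New_York and a constructed sample event, and compares two ways of undoing the mislabelling: recovering the wall-clock the connector saw and re-labelling it as UTC, versus adding a GMT offset sampled at the event's time or at the time the code happens to run.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.ZoneOffset;

public class GmtMislabelCorrection {

    // The connector took a GMT wall-clock from the device and stored it as if
    // it were in connectorZone. Undo that: recover the wall-clock the connector
    // saw (using the zone rules at the stored instant, so DST is respected),
    // then re-label that wall-clock as UTC.
    static long correct(long storedEpochMillis, ZoneId connectorZone) {
        LocalDateTime wallClock = Instant.ofEpochMilli(storedEpochMillis)
                .atZone(connectorZone)
                .toLocalDateTime();
        return wallClock.toInstant(ZoneOffset.UTC).toEpochMilli();
    }

    // Offset-arithmetic variant, as the plugin does it: stored + (offset of the
    // zone at the instant the offset is sampled). Which instant is sampled matters.
    static long correctWithOffsetAt(long storedEpochMillis, ZoneId connectorZone,
                                    Instant offsetSampledAt) {
        int offsetMillis = connectorZone.getRules()
                .getOffset(offsetSampledAt)
                .getTotalSeconds() * 1000;
        return storedEpochMillis + offsetMillis;
    }

    public static void main(String[] args) {
        // Assumption: the ESM host and connector run in New York time.
        ZoneId esmZone = ZoneId.of("America/New_York");

        // Constructed sample: the device emitted "2013-01-15 12:00:00" meaning
        // GMT, and the connector parsed it as New York local time (EST, UTC-5).
        long stored = LocalDateTime.of(2013, 1, 15, 12, 0)
                .atZone(esmZone).toInstant().toEpochMilli();
        long expected = LocalDateTime.of(2013, 1, 15, 12, 0)
                .toInstant(ZoneOffset.UTC).toEpochMilli();

        long fixed = correct(stored, esmZone);

        // Offset sampled when the plugin runs in July (EDT, UTC-4) instead of
        // at the event's own time (EST, UTC-5): the two differ by one hour.
        Instant july = LocalDateTime.of(2013, 7, 1, 9, 0).toInstant(ZoneOffset.UTC);
        long fixedWithJulyOffset = correctWithOffsetAt(stored, esmZone, july);
        long fixedWithEventOffset = correctWithOffsetAt(stored, esmZone,
                Instant.ofEpochMilli(stored));

        System.out.println("stored (mislabelled) = " + Instant.ofEpochMilli(stored));
        System.out.println("wall-clock re-label  = " + Instant.ofEpochMilli(fixed)
                + " ok=" + (fixed == expected));
        System.out.println("offset at 'now'      = " + Instant.ofEpochMilli(fixedWithJulyOffset)
                + " ok=" + (fixedWithJulyOffset == expected));
        System.out.println("offset at event time = " + Instant.ofEpochMilli(fixedWithEventOffset)
                + " ok=" + (fixedWithEventOffset == expected));
    }
}
```

Two caveats worth keeping in mind when applying this inside a plugin: the wall-clock recovered during the repeated hour of a DST fall-back is ambiguous, so events in that hour can land an hour off either way; and matching on deviceVendor alone applies the shift to every device of that vendor, so if only some of them emit GMT the match should be narrowed (for example by device address) before the correction is applied.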

Hello Alex,

Do you know if it is possible to query an active list from within the plugin code?

Regards,

Richard


Honestly - I don't know (yet). But I believe that it should be possible since a rule can do an active list look up. I am going to investigate it next week.


Hello Alex,

Were you able to get this working with an active list?

Also, with the new pre-persistence rule, do you see a way to get this kind of manipulation working through that? I prefer to stay within the normal framework instead of using a plugin.

Regards,

Richard


Unfortunately I did not find a way to access ALs from plugins...

Regarding a pre-persistence rule - yes, you can modify any field, including "end time", but it won't be too flexible.

BTW, I found an example where using plugins is much more beneficial than a pre-persistence rule. If you need to do some complex actions on selected events (network lookup, external web requests) and you are looking at an external script as an "action" of a rule - forget about it.

It literally "kills" the correlation engine and stops the rules' alert generation.

regards,

Alex.
