Personal blog of Alex Muratov

ESM ArcSight plugin – correct device time

Posted on February 11, 2013 | in ArcSight, SIEM | by

Recently I ran into a situation where one device puts time stamps in the GMT time zone. It could easily be fixed by changing the connector settings, but here the problem comes again: those settings are global, so changing them would fix the time stamps for this device and break them for every other device. The only solution I found was to create a small plugin that looks for a particular deviceVendor value and fixes the time accordingly. See the code below:
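The deviceVendor-keyed correction described above, as an added stand-alone illustration in Python; it is not the ESM plugin code from the post and does not use the ArcSight plugin API. The vendor name, the event field names (deviceVendor, deviceReceiptTime) and the connector's configured time zone are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption (not the ArcSight API): the connector's globally configured
# device time zone, applied to every device it receives from. Falls back
# to a fixed offset if the host has no tz database.
try:
    from zoneinfo import ZoneInfo
    CONNECTOR_TZ = ZoneInfo("Europe/Berlin")
except Exception:  # missing module or ZoneInfoNotFoundError
    CONNECTOR_TZ = timezone(timedelta(hours=1), "CET")

# Constructed: vendors whose devices stamp events in GMT although the
# connector treats all device timestamps as CONNECTOR_TZ wall-clock time.
GMT_STAMPED_VENDORS = {"ExampleVendor"}  # placeholder, not a real vendor


def connector_parse(device_ts: str, tz=CONNECTOR_TZ) -> datetime:
    """Mimic the connector: parse the device's wall-clock string and tag it
    with the global zone (right for most devices, wrong for GMT senders)."""
    return datetime.strptime(device_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def correct_device_time(event: dict, tz=CONNECTOR_TZ) -> dict:
    """Return a copy of the event with deviceReceiptTime re-based to GMT
    when deviceVendor matches; other vendors pass through untouched."""
    fixed = dict(event)
    if event.get("deviceVendor") not in GMT_STAMPED_VENDORS:
        return fixed
    wrong = event["deviceReceiptTime"]
    # The wall-clock digits the device sent were GMT: re-tag them as UTC and
    # express the result in the connector's zone. A named zone (rather than a
    # fixed +N offset) keeps the shift correct across DST changes.
    fixed["deviceReceiptTime"] = wrong.replace(tzinfo=timezone.utc).astimezone(tz)
    fixed["originalDeviceReceiptTime"] = wrong  # keep the raw value for audit
    return fixed


def shift_hours(before: dict, after: dict) -> float:
    """How many hours the correction moved the event (0 when untouched)."""
    delta = after["deviceReceiptTime"] - before["deviceReceiptTime"]
    return delta.total_seconds() / 3600


# Constructed sample events carrying the same device wall-clock string.
EVENTS = [
    {"deviceVendor": "ExampleVendor", "deviceReceiptTime": connector_parse("2013-02-11 10:00:00")},
    {"deviceVendor": "OtherVendor", "deviceReceiptTime": connector_parse("2013-02-11 10:00:00")},
]

if __name__ == "__main__":
    for ev in EVENTS:
        out = correct_device_time(ev)
        print(ev["deviceVendor"], out["deviceReceiptTime"].isoformat(),
              f"shift={shift_hours(ev, out):+.0f}h")
```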


2 Responses to “ESM ArcSight plugin – correct device time”

  1. Gaetan says:

    Thanks for sharing this with us Alex, very interesting example of what can be achieved with an ESM plugin. Is there any chance you could provide some hint on how to write a plugin in order to populate an activelist with data contained in an event? This would be extremely useful to import data into active list without having to create a specific rule.

    Gaetan

  2. alex says:

    Gaetan, thank you for your question.

    You are not the first person who asks me about it 🙂

    Unfortunately I don’t know yet, but I do know that ArcSight Professional service implements it and recently I got some clues on how to do it. As soon as I have a working sample, I am going to publish it.

    regards,

    Alex.
