ESM ArcSight plugin – correct device time

Recently I ran into a device that stamps its events in GMT (UTC) rather than in local time, so every event from it is stored with the wrong end time. The connector's time-zone setting would fix this, but that setting is global to the connector: correcting it for this one device would break the time stamps of every other device the connector handles. The only solution I found was a small ESM plugin that looks at the deviceVendor field of each event and shifts the end time only for events from that vendor, leaving everything else untouched. See the code below:

package plugins.esm.alex;

import java.util.List;
import java.util.TimeZone;

import com.arcsight.event.DeviceDescriptor;
import com.arcsight.event.ISecurityEvent;
import com.arcsight.product.manager.extension.event.api.ICustomEventHandler;

public class FireEyeTimeCorHandler implements ICustomEventHandler {

    // Only events from this vendor are shifted; every other device keeps
    // the time stamps the connector assigned.
    private static final String TARGET_VENDOR = "Your device vendor";

    @Override
    public void onPostPersist(List<ISecurityEvent> events) {
        // Nothing to do once the events have been stored.
    }

    @Override
    public void onPrePersist(List<ISecurityEvent> events) {
        // The zone the ESM host runs in, i.e. the zone the connector assumed
        // when it parsed the device's GMT wall-clock time as local time.
        TimeZone hostZone = TimeZone.getDefault();

        for (ISecurityEvent event : events) {
            DeviceDescriptor device = event.getDevice();
            String vendor = (device != null) ? device.getVendor() : null;

            // Constant-first comparison so a missing vendor cannot throw.
            if (!TARGET_VENDOR.equals(vendor)) {
                continue;
            }

            long endTime = event.getEndTime();

            // The device wrote GMT but the connector read it as local time,
            // so the stored instant is too early by the zone offset that
            // applied to that wall-clock value. Ask for the offset at the
            // stored instant itself (DST included), not at "now": an event
            // from January must not be shifted by July's offset.
            int offsetMillis = hostZone.getOffset(endTime);

            event.setEndTime(endTime + offsetMillis);
        }
    }
}
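To make the time arithmetic concrete, here is a stand-alone Python model of what the plugin does. It is an added example, not ArcSight code and not part of the original post: the vendor name "Acme", the event dictionaries and the hard-coded DST transitions are all constructed, and a real implementation would take the offset from the zone database (which is what TimeZone.getOffset(long) does in Java). It also shows the generalization the plugin relies on: the offset has to be taken at the event's own instant, so a January event and a July event get different shifts, and an event just after the spring transition still comes out right.

```python
from datetime import datetime, timezone

MS_PER_HOUR = 3_600_000


def utc_ms(year, month, day, hour, minute=0):
    """Epoch milliseconds of a UTC wall-clock time (helper for sample data)."""
    dt = datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


# Stand-in for the ESM host's zone database. A Europe/Berlin-style zone is
# modelled with its 2023 transitions hard-coded (constructed, so the example
# runs without tzdata): UTC+01:00 in winter, UTC+02:00 from 2023-03-26 01:00 UTC
# until 2023-10-29 01:00 UTC. Real code asks the zone library for this.
STD_OFFSET_MS = 1 * MS_PER_HOUR
DST_OFFSET_MS = 2 * MS_PER_HOUR
DST_START_MS = utc_ms(2023, 3, 26, 1)
DST_END_MS = utc_ms(2023, 10, 29, 1)


def zone_offset_ms(instant_ms):
    """Offset of the host zone from UTC at the given instant, DST included."""
    if DST_START_MS <= instant_ms < DST_END_MS:
        return DST_OFFSET_MS
    return STD_OFFSET_MS


def corrected_end_time(stored_ms):
    """Undo the connector's mistake for one time stamp.

    The device wrote the true UTC time as a wall clock ("12:00"); the
    connector read that wall clock as *local* time and converted it to UTC
    with the offset in force for that local time, so the stored instant is
    too early by exactly that offset. That same offset is the one in force
    at the stored instant, so it is the offset to add back. Taking the
    offset at "now" instead is wrong for half the year in any zone with DST.
    """
    return stored_ms + zone_offset_ms(stored_ms)


def fix_events(events, vendor):
    """Mirror of onPrePersist: shift endTime only for events whose
    deviceVendor matches. Events from other devices, or with no device
    information at all, are returned unchanged. The input is not mutated."""
    fixed = []
    for ev in events:
        ev = dict(ev)
        if ev.get("deviceVendor") == vendor:
            ev["endTime"] = corrected_end_time(ev["endTime"])
        fixed.append(ev)
    return fixed


def sample_events():
    """Constructed events as the connector stored them. "Acme" (hypothetical
    vendor) logs in GMT: its true times are 12:00 UTC on 15 January and
    15 July 2023 and 01:30 UTC on 26 March 2023, but the connector stored
    11:00, 10:00 and 00:30 UTC respectively. "Other" logs correctly."""
    return [
        {"deviceVendor": "Acme", "endTime": utc_ms(2023, 1, 15, 11)},
        {"deviceVendor": "Acme", "endTime": utc_ms(2023, 7, 15, 10)},
        {"deviceVendor": "Acme", "endTime": utc_ms(2023, 3, 26, 0, 30)},
        {"deviceVendor": "Other", "endTime": utc_ms(2023, 7, 15, 12)},
        {"endTime": utc_ms(2023, 7, 15, 12)},  # no device descriptor at all
    ]


if __name__ == "__main__":
    before = sample_events()
    after = fix_events(before, "Acme")
    for b, a in zip(before, after):
        print(b.get("deviceVendor", "<no device>"), b["endTime"], "->", a["endTime"])
```

Run it to see each stored endTime next to its corrected value. One case no correction can recover: a device time that, read as local, falls in the hour skipped at the spring transition has no well-defined parse, so whatever instant the connector stored for it is already arbitrary.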

2 thoughts on “ESM ArcSight plugin – correct device time”

  1. Thanks for sharing this with us Alex, very interesting example of what can be achieved with an ESM plugin. Is there any chance you could provide some hints on how to write a plugin in order to populate an active list with data contained in an event? This would be extremely useful to import data into an active list without having to create a specific rule.

    Gaetan

  2. Gaetan, thank you for your question.

    You are not the first person who asks me about it 🙂

    Unfortunately I don’t know yet, but I do know that ArcSight Professional Services implements it, and recently I got some clues on how to do it. As soon as I have a working sample, I am going to publish it.


    regards,

    Alex.
