update documentation and changelog

fkie-cad · Aug 15, 2024 · 253372f · 253372f
1 parent 7a2bd0f
commit 253372f
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@
 ### Features
 ### Improvements
 
-* predetector now normalizes timestamps so they can be read correctly by opensearch
+* pre_detector now normalizes timestamps with configurable parameters timestamp_field, source_formats, source_timezone and target_timezone
 
 ### Bugfix
 

diff --git a/logprep/processor/pre_detector/rule.py b/logprep/processor/pre_detector/rule.py
@@ -88,6 +88,31 @@
     ip_fields:
     - some_ip_field
 
+The pre_detector also has the option to normalize the timestamp. 
+To configure this the following parameters can be set in the rule configuration.
+
+..  code-block:: yaml
+    :linenos:
+    :caption: Example
+
+    filter: 'some_field: "very malicious!"'
+    pre_detector:
+      case_condition: directly
+      id: RULE_ONE_ID
+      mitre:
+      - attack.something1
+      - attack.something2
+      severity: critical
+      title: Rule one
+      timestamp_field: <field which includes the timestamp to be normalized>
+      source_formats: [<the format of the timestamp>]
+      sorce_timezone: <the timezone of the timestamp>
+      target_timezone: <the timezone after normalization>
+    description: Some malicious event.
+
+All of these new parameters are configurable and default to 
+standard values if not explicitly set.
+
 .. autoclass:: logprep.processor.pre_detector.rule.PreDetectorRule.Config
    :members:
    :undoc-members:
@@ -142,17 +167,17 @@ class Config(Rule.Config):  # pylint: disable=too-many-instance-attributes
             default=["ISO8601"],
             converter=lambda x: x if isinstance(x, list) else [x],
         )
-        """list of the source formats that can be given for normalizing the timestamp"""
+        """list of the source formats that can be given for normalizing the timestamp defaults to :code:`ISO8601`"""
         timestamp_field: str = field(validator=validators.instance_of(str), default="@timestamp")
-        """the field which has the given timestamp to be normalized"""
+        """the field which has the given timestamp to be normalized defaults to :code:`@timestamp`"""
         source_timezone: ZoneInfo = field(
             validator=[validators.instance_of(ZoneInfo)], converter=ZoneInfo, default="UTC"
         )
-        """ timezone of source_fields. defaults to :code:`UTC`"""
+        """ timezone of source_fields defaults to :code:`UTC`"""
         target_timezone: ZoneInfo = field(
             validator=[validators.instance_of(ZoneInfo)], converter=ZoneInfo, default="UTC"
         )
-        """ timezone for target_field. defaults to :code:`UTC`"""
+        """ timezone for target_field defaults to :code:`UTC`"""
 
     def __eq__(self, other: "PreDetectorRule") -> bool:
         return all(