Merge pull request #601 from mdtro/fix-zeek-props

Add Custom props.conf for Zeek Splunk TA

Vagrant/logger_bootstrap.sh

@@ -195,6 +195,10 @@ install_splunk() {
     cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
     cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
 
+    # Add props.conf to Splunk Zeek TA to properly parse timestamp
+    # and avoid grouping events as a single event
+    cp /vagrant/resources/splunk_server/zeek_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_bro/local/props.conf
+
     # Add custom Macro definitions for ThreatHunting App
     cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
     # Fix props.conf in ThreatHunting App

Vagrant/resources/splunk_server/zeek_ta_props.conf

@@ -0,0 +1,12 @@
+[zeek:json]
+DATETIME_CONFIG =
+INDEXED_EXTRACTIONS = json
+KV_MODE = none
+LINE_BREAKER = ([\r\n]+)
+NO_BINARY_CHECK = true
+category = Structured
+description = Zeek JSON sourcetype with fixed timestamp parsing.
+disabled = false
+pulldown_type = true
+TIMESTAMP_FIELDS = ts
+TIME_FORMAT = %s.%6N