Issue with a conditional statement

Hello,

I'm debugging my configuration and I'm having an issue comparing two fields. Both are date fields, and one will eventually become a multi-valued field. All my data is static, and once a record is updated, a timestamp is added to a field called "scan_history".

These are the two fields in question:

 "last_assessed_for_vulnerabilities": [
      "2022-02-04T06:52:15.339Z"
    ],
 "temp": [
      "2022-02-04T06:52:15.339Z"
    ],

"last_assessed_for_vulnerabilities" will always contain a single field, while temp could be multi-valued. Temp receives its value from an Elasticsearch filter by copying scan_history into temp, which I've confirmed works, as "temp" is currently populated with a value.

Here is the remainder of the code.

  elasticsearch {
    ssl => true
    ca_file => '/etc/logstash/ca.crt'
    hosts => ["NODE1:9200","NODE2:9200","NODE3:9200","NODE4:9200","NODE5:9200"]
    index => "test_vulnerability"
    user => "logstash_internal"
    password => ""
    query => "_id:%{source_console}-%{asset_id}-%{vulnerability_id}"
    fields => { "scan_history" => "temp" }
  }

  if [last_assessed_for_vulnerabilities] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }

The part currently not working is...

  if [last_assessed_for_vulnerabilities] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }

I've tried many variations of that logic statement and it never matches. Any help would be appreciated.

Thank you!

Your data is in an array, which is essentially a list of items, and there is 1 item in the list. The list items start at 0. So you want to see if the first item of last_assessed_for_vulnerabilities is anywhere in the array temp. You can't compare an array vs another array.

Would try something like below.

  if [last_assessed_for_vulnerabilities][0] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }

Hi Aaron,

Adjusted the statement to the following:

  if [last_assessed_for_vulnerabilities][0] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }

I'm now receiving the following error:

[2022-02-04T16:21:54,752][ERROR][logstash.javapipeline ][main] Pipeline worker error, the pipeline will be stopped {:pipeline_id=>"main", :error=>"", :exception=>Java::JavaLang::NullPointerException, :backtrace=>["org.logstash.config.ir.compiler.EventCondition$Compiler.contains(EventCondition.java:464)", "org.logstash.config.ir.compiler.EventCondition$Compiler.access$1000(EventCondition.java:80)", "org.logstash.config.ir.compiler.EventCondition$Compiler$FieldInField.fulfilled(EventCondition.java:616)", "org.logstash.config.ir.compiler.Utils.filterEvents(Utils.java:47)", "org.logstash.generated.CompiledDataset3.compute(Unknown Source)", "org.logstash.generated.CompiledDataset2.compute(Unknown Source)", "org.logstash.generated.CompiledDataset5.compute(Unknown Source)", "org.logstash.config.ir.CompiledPipeline$CompiledUnorderedExecution.compute(CompiledPipeline.java:329)", "org.logstash.config.ir.CompiledPipeline$CompiledUnorderedExecution.compute(CompiledPipeline.java:323)", "org.logstash.execution.WorkerLoop.run(WorkerLoop.java:87)", "java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)", "java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)", "java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)", "java.base/java.lang.reflect.Method.invoke(Method.java:566)", "org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(JavaMethod.java:441)", "org.jruby.javasupport.JavaMethod.invokeDirect(JavaMethod.java:305)", "org.jruby.java.invokers.InstanceMethodInvoker.call(InstanceMethodInvoker.java:32)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.RUBY$block$start_workers$5(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:299)", "org.jruby.runtime.CompiledIRBlockBody.callDirect(CompiledIRBlockBody.java:138)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", 
"org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:52)", "org.jruby.runtime.Block.call(Block.java:139)", "org.jruby.RubyProc.call(RubyProc.java:318)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:105)", "java.base/java.lang.Thread.run(Thread.java:829)"], :thread=>"#<Thread:0x3e9e9df9 sleep>"}

Just to clarify one thing.... last_assessed_for_vulnerabilities is not an array and never will be. Only the field "temp". So I'm comparing a single value in "last_assessed_for_vulnerabilities" to an array of values in "temp".

Thanks!

The above is an array. If that's not what the data looks like, can you post an example?

The data comes from postgres. I'm using a JDBC input. Here is what the data looks like in the db for this particular field. I'm not manipulating this field in a filter. Is it possible to convert this field into a non-array?

DBpg=# select
DBpg-# last_assessed_for_vulnerabilities
DBpg-# from dim_asset
DBpg-# LIMIT 1;
 last_assessed_for_vulnerabilities
-----------------------------------
 2022-01-30 02:05:24.346
(1 row)

Conf

input { generator { codec => json count => 1 lines => [ '{  "last_assessed_for_vulnerabilities": [ "2022-02-04T05:52:15.339Z" ] }' ] } }  
filter {
  mutate {
    copy => { "[last_assessed_for_vulnerabilities][0]" => "[last_assessed_for_vulnerability]" }
  }
}
output {
  stdout { }
}

Output

"last_assessed_for_vulnerability" => "2022-02-04T05:52:15.339Z"

Sorry... I may have given you the wrong snippet of the JSON output. Here is the entire output from Kibana. I had to redact a few items but otherwise it's fully complete. Does your last post still apply?

{
  "_index": "test_vulnerability-163",
  "_type": "_doc",
  "_id": "<REDACTED>-2457-183961",
  "_version": 24,
  "_score": 1,
  "_ignored": [
    "description.keyword"
  ],
  "_source": {
    "pci_status": "Fail",
    "malware_kits": 0,
    "last_assessed_for_vulnerabilities": "2022-02-04T06:57:43.822Z",
    "cvss_availability_impact": "N",
    "cvss_score": 3.5,
    "pci_severity_score": 3,
    "cvss_v3_confidentiality_impact": "L",
    "cvss_v3_score": 4.800000190734863,
    "cvss_vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
    "asset_id": 2457,
    "os_certainty": 0.949999988079071,
    "moderate": 0,
    "cvss_impact_score": 2.8627498149871826,
    "nvd": "https://www.rapid7.com/db/vulnerabilities/hp-ilo-cve-2021-29210",
    "source_console": "<REDACTED>",
    "cvss_integrity_impact": "P",
    "dept_code": "<REDACTED>",
    "@version": "1",
    "title": "HP iLO: CVE-2021-29210: Cross-Site Scripting (XSS), Carriage Return Line Feed",
    "os_type": "Lights Out Management",
    "critical": 0,
    "cvss_v3_integrity_impact": "L",
    "description": "\n    \n<p>A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.</p>\n  ",
    "data_type": "vulnerability",
    "status": "Vulnerable version",
    "exploit": 0,
    "cvss_v3_scope": "C",
    "os_description": "HP iLO 4",
    "summary": "Upgrade HP iLO 4 to the latest version",
    "solution_id": 6677,
    "denial_of_service": false,
    "port": null,
    "service_line": "Undetermined",
    "cvss_v3_attack_complexity": "L",
    "temp": [
      "2022-02-04T06:57:43.822Z"
    ],
    "cvss_access_vector": "N",
    "cvss_authentication": "S",
    "date_published": "2021-05-19T00:00:00.000Z",
    "cvss_access_complexity": "M",
    "data_source": "nexpose",
    "sites": "<REDACTED>",
    "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
    "date_found": "2021-10-02T06:28:29.661Z",
    "@timestamp": "2022-02-04T15:35:42.044Z",
    "service": null,
    "cve": "CVE-2021-29210",
    "host_name": null,
    "pci_adjusted_cvss_score": 4,
    "severity_score": 4,
    "url": null,
    "cvss_v3_user_interaction": "R",
    "cvss_v3_impact_score": 2.7267508506774902,
    "protocol": null,
    "cvss_v3_exploit_score": 1.6677968502044678,
    "risk_score": 59.95520782470703,
    "date_last_seen": "2021-10-02T06:28:29.661Z",
    "os_family": "iLO",
    "mac_address": null,
    "vulnerability_id": 183961,
    "os_name": "iLO",
    "severe": 1,
    "pci_failures": 1,
    "date_added": "2021-05-19T00:00:00.000Z",
    "ip_address": "<REDACTED>",
    "os_vendor": "HP",
    "exploit_skill_level": null,
    "malware_popularity": null,
    "credential_status": "All credentials failed",
    "date_modified": "2021-11-04T00:00:00.000Z",
    "impacted_component": "hp-ilo",
    "severity": "Severe",
    "cvss_v3_attack_vector": "N",
    "cvss_v3_availability_impact": "N",
    "exploits": 0,
    "key": "HP iLO 4",
    "os_version": "4",
    "cvss_exploit_score": 6.832000255584717,
    "nexpose_id": "hp-ilo-cve-2021-29210",
    "cvss_v3_privileges_required": "H",
    "malware_kit": 0,
    "pci_special_notes": "XSS vulnerabilities are a violation of the PCI DSS, and result in an automatic failure. Note this vulnerability's CVSS and severity scores have been modified to comply with PCI ASV program requirements. (Original NVD CVSS score: 3.5) ",
    "proof": "<p><p>Vulnerable OS: HP iLO 4<p><ul><li>The property &quot;firmware.version&quot; contains: 2.70.</li></ul></p></p></p>",
    "scan_type": "internal",
    "os_system": "HP iLO",
    "cvss_confidentiality_impact": "N",
    "scan_history": [
      "2022-02-04T06:57:43.822Z"
    ]
  },
  "fields": {
    "dept_code": [
      "<REDACTED>"
    ],
    "data_source.keyword": [
      "nexpose"
    ],
    "pci_adjusted_cvss_score": [
      4
    ],
    "os_description": [
      "HP iLO 4"
    ],
    "cvss_v3_score": [
      4.8
    ],
    "cvss_vector.keyword": [
      "AV:N/AC:M/Au:S/C:N/I:P/A:N"
    ],
    "asset_id": [
      2457
    ],
    "nexpose_id": [
      "hp-ilo-cve-2021-29210"
    ],
    "os_version.keyword": [
      "4"
    ],
    "service_line.keyword": [
      "Undetermined"
    ],
    "pci_special_notes": [
      "XSS vulnerabilities are a violation of the PCI DSS, and result in an automatic failure. Note this vulnerability's CVSS and severity scores have been modified to comply with PCI ASV program requirements. (Original NVD CVSS score: 3.5) "
    ],
    "nexpose_id.keyword": [
      "hp-ilo-cve-2021-29210"
    ],
    "credential_status": [
      "All credentials failed"
    ],
    "cvss_confidentiality_impact": [
      "N"
    ],
    "date_published": [
      "2021-05-19T00:00:00.000Z"
    ],
    "source_console": [
      "<REDACTED>"
    ],
    "cvss_impact_score": [
      2.8627498
    ],
    "os_description.keyword": [
      "HP iLO 4"
    ],
    "last_assessed_for_vulnerabilities": [
      "2022-02-04T06:57:43.822Z"
    ],
    "cvss_v3_attack_complexity": [
      "L"
    ],
    "proof": [
      "<p><p>Vulnerable OS: HP iLO 4<p><ul><li>The property &quot;firmware.version&quot; contains: 2.70.</li></ul></p></p></p>"
    ],
    "cvss_access_vector": [
      "N"
    ],
    "moderate": [
      0
    ],
    "cvss_v3_integrity_impact": [
      "L"
    ],
    "vulnerability_id": [
      183961
    ],
    "cvss_v3_user_interaction": [
      "R"
    ],
    "pci_severity_score": [
      3
    ],
    "data_source": [
      "nexpose"
    ],
    "cvss_authentication": [
      "S"
    ],
    "date_added": [
      "2021-05-19T00:00:00.000Z"
    ],
    "malware_kits": [
      0
    ],
    "cvss_confidentiality_impact.keyword": [
      "N"
    ],
    "os_type": [
      "Lights Out Management"
    ],
    "cvss_v3_confidentiality_impact": [
      "L"
    ],
    "status": [
      "Vulnerable version"
    ],
    "cvss_score": [
      3.5
    ],
    "os_system.keyword": [
      "HP iLO"
    ],
    "pci_status": [
      "Fail"
    ],
    "cvss_v3_scope": [
      "C"
    ],
    "service_line": [
      "Undetermined"
    ],
    "credential_status.keyword": [
      "All credentials failed"
    ],
    "exploits": [
      0
    ],
    "pci_special_notes.keyword": [
      "XSS vulnerabilities are a violation of the PCI DSS, and result in an automatic failure. Note this vulnerability's CVSS and severity scores have been modified to comply with PCI ASV program requirements. (Original NVD CVSS score: 3.5) "
    ],
    "nvd.keyword": [
      "https://www.rapid7.com/db/vulnerabilities/hp-ilo-cve-2021-29210"
    ],
    "malware_kit": [
      0
    ],
    "cve": [
      "CVE-2021-29210"
    ],
    "os_family.keyword": [
      "iLO"
    ],
    "cvss_vector": [
      "AV:N/AC:M/Au:S/C:N/I:P/A:N"
    ],
    "cvss_v3_attack_vector": [
      "N"
    ],
    "cvss_v3_scope.keyword": [
      "C"
    ],
    "summary.keyword": [
      "Upgrade HP iLO 4 to the latest version"
    ],
    "cvss_v3_exploit_score": [
      1.6677969
    ],
    "os_certainty": [
      0.95
    ],
    "key": [
      "HP iLO 4"
    ],
    "impacted_component.keyword": [
      "hp-ilo"
    ],
    "os_vendor": [
      "HP"
    ],
    "os_version": [
      "4"
    ],
    "cvss_v3_attack_complexity.keyword": [
      "L"
    ],
    "cvss_v3_availability_impact": [
      "N"
    ],
    "date_last_seen": [
      "2021-10-02T06:28:29.661Z"
    ],
    "@timestamp": [
      "2022-02-04T15:35:42.044Z"
    ],
    "severe": [
      1
    ],
    "os_name": [
      "iLO"
    ],
    "cve.keyword": [
      "CVE-2021-29210"
    ],
    "exploit": [
      0
    ],
    "severity_score": [
      4
    ],
    "key.keyword": [
      "HP iLO 4"
    ],
    "scan_type": [
      "internal"
    ],
    "sites": [
      "<REDACTED>"
    ],
    "pci_failures": [
      1
    ],
    "cvss_access_complexity": [
      "M"
    ],
    "solution_id": [
      6677
    ],
    "severity.keyword": [
      "Severe"
    ],
    "cvss_access_complexity.keyword": [
      "M"
    ],
    "os_vendor.keyword": [
      "HP"
    ],
    "title.keyword": [
      "HP iLO: CVE-2021-29210: Cross-Site Scripting (XSS), Carriage Return Line Feed"
    ],
    "os_name.keyword": [
      "iLO"
    ],
    "cvss_v3_privileges_required": [
      "H"
    ],
    "pci_status.keyword": [
      "Fail"
    ],
    "cvss_v3_user_interaction.keyword": [
      "R"
    ],
    "scan_history": [
      "2022-02-04T06:57:43.822Z"
    ],
    "nvd": [
      "https://www.rapid7.com/db/vulnerabilities/hp-ilo-cve-2021-29210"
    ],
    "proof.keyword": [
      "<p><p>Vulnerable OS: HP iLO 4<p><ul><li>The property &quot;firmware.version&quot; contains: 2.70.</li></ul></p></p></p>"
    ],
    "cvss_availability_impact.keyword": [
      "N"
    ],
    "cvss_integrity_impact.keyword": [
      "P"
    ],
    "cvss_exploit_score": [
      6.8320003
    ],
    "@version.keyword": [
      "1"
    ],
    "cvss_v3_privileges_required.keyword": [
      "H"
    ],
    "os_system": [
      "HP iLO"
    ],
    "os_type.keyword": [
      "Lights Out Management"
    ],
    "cvss_availability_impact": [
      "N"
    ],
    "cvss_v3_attack_vector.keyword": [
      "N"
    ],
    "cvss_v3_confidentiality_impact.keyword": [
      "L"
    ],
    "os_family": [
      "iLO"
    ],
    "critical": [
      0
    ],
    "status.keyword": [
      "Vulnerable version"
    ],
    "cvss_v3_vector.keyword": [
      "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
    ],
    "description": [
      "\n    \n<p>A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.</p>\n  "
    ],
    "title": [
      "HP iLO: CVE-2021-29210: Cross-Site Scripting (XSS), Carriage Return Line Feed"
    ],
    "source_console.keyword": [
      "<REDACTED>"
    ],
    "@version": [
      "1"
    ],
    "date_found": [
      "2021-10-02T06:28:29.661Z"
    ],
    "cvss_v3_integrity_impact.keyword": [
      "L"
    ],
    "scan_type.keyword": [
      "internal"
    ],
    "impacted_component": [
      "hp-ilo"
    ],
    "dept_code.keyword": [
      "<REDACTED>"
    ],
    "summary": [
      "Upgrade HP iLO 4 to the latest version"
    ],
    "severity": [
      "Severe"
    ],
    "temp": [
      "2022-02-04T06:57:43.822Z"
    ],
    "risk_score": [
      59.955208
    ],
    "cvss_authentication.keyword": [
      "S"
    ],
    "cvss_access_vector.keyword": [
      "N"
    ],
    "ip_address": [
      "<REDACTED>"
    ],
    "denial_of_service": [
      false
    ],
    "cvss_v3_availability_impact.keyword": [
      "N"
    ],
    "ip_address.keyword": [
      "<REDACTED>"
    ],
    "data_type.keyword": [
      "vulnerability"
    ],
    "cvss_v3_impact_score": [
      2.7267509
    ],
    "date_modified": [
      "2021-11-04T00:00:00.000Z"
    ],
    "data_type": [
      "vulnerability"
    ],
    "sites.keyword": [
      "<REDACTED>"
    ],
    "cvss_v3_vector": [
      "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
    ],
    "cvss_integrity_impact": [
      "P"
    ]
  },
  "ignored_field_values": {
    "description.keyword": [
      "\n    \n<p>A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.</p>\n  "
    ]
  }
}

With that data you showed the conditional statement you had is correct and works for me. How do you know it's not working for you?

Conf

input { generator { codec => json count => 1 lines => [ '{  "last_assessed_for_vulnerabilities": "2022-02-03T06:57:43.822Z", "temp": [ "2022-02-04T06:57:43.822Z", "2022-02-03T06:57:43.822Z", "2022-02-02T06:57:43.822Z" ] }' ] } }  
filter {
  if [last_assessed_for_vulnerabilities] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }
}
output {
  stdout { codec => "json" }
}

Output

{
    "sequence": 0,
    "found": "true",
    "@version": "1",
    "@timestamp": "2022-02-04T17:16:18.518Z",
    "host": "Aarons-MacBook-Pro.local",
    "temp": [
        "2022-02-04T06:57:43.822Z",
        "2022-02-03T06:57:43.822Z",
        "2022-02-02T06:57:43.822Z"
    ],
    "last_assessed_for_vulnerabilities": "2022-02-03T06:57:43.822Z"
}

If this is from Kibana, this is how Kibana shows the fields now: everything is shown as an array even if it is not an array.

Sure....

Two scenarios, one which works, the other does not.

Scenario 1

  if [last_assessed_for_vulnerabilities] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }

Output:

{
       "cvss_v3_confidentiality_impact" => "L",
                          "cvss_vector" => "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3_privileges_required" => "H",
                   "pci_severity_score" => 3,
                       "os_description" => "HP iLO 4",
                                "sites" => "<REDACTED",
          "cvss_confidentiality_impact" => "N",
                         "malware_kits" => 0,
                        "cvss_v3_scope" => "C",
                    "credential_status" => "All credentials failed",
                "cvss_v3_attack_vector" => "N",
                           "risk_score" => 59.95520782470703,
            "cvss_v3_attack_complexity" => "L",
                "cvss_v3_exploit_score" => 1.6677968502044678,
                               "status" => "Vulnerable version",
                                 "temp" => [
        [0] "2022-02-04T06:57:43.822Z"
    ],
                                  "key" => "HP iLO 4",
                             "protocol" => nil,
                                  "cve" => "CVE-2021-29210",
                         "os_certainty" => 0.949999988079071,
                  "exploit_skill_level" => nil,
                "cvss_integrity_impact" => "P",
                    "pci_special_notes" => "XSS vulnerabilities are a violation of the PCI DSS, and result in an automatic failure. Note this vulnerability's CVSS and severity scores have been modified to comply with PCI ASV program requirements. (Original NVD CVSS score: 3.5) ",
                            "dept_code" => "<REDACTED",
                   "impacted_component" => "hp-ilo",
                            "os_vendor" => "HP",
                              "os_type" => "Lights Out Management",
                            "scan_type" => "internal",
                         "service_line" => "Undetermined",
                             "moderate" => 0,
                              "service" => nil,
                             "exploits" => 0,
             "cvss_v3_user_interaction" => "R",
          "cvss_v3_availability_impact" => "N",
                                  "nvd" => "https://www.rapid7.com/db/vulnerabilities/hp-ilo-cve-2021-29210",
                           "ip_address" => "<REDACTED",
                                "title" => "HP iLO: CVE-2021-29210: Cross-Site Scripting (XSS), Carriage Return Line Feed",
                              "os_name" => "iLO",
                           "os_version" => "4",
                             "@version" => "1",
                  "cvss_authentication" => "S",
                           "date_found" => 2021-10-02T06:28:29.661Z,
                             "severity" => "Severe",
                       "cvss_v3_vector" => "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
             "cvss_v3_integrity_impact" => "L",
                              "summary" => "Upgrade HP iLO 4 to the latest version",
                            "data_type" => "vulnerability",
                          "mac_address" => nil,
             "cvss_availability_impact" => "N",
                    "cvss_impact_score" => 2.8627498149871826,
                           "@timestamp" => 2022-02-04T17:48:20.133Z,
              "pci_adjusted_cvss_score" => 4.0,
                            "os_system" => "HP iLO",
                         "pci_failures" => 1,
                                 "port" => nil,
                          "description" => "\n    \n<p>A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.</p>\n  ",
                        "cvss_v3_score" => 4.800000190734863,
                 "cvss_v3_impact_score" => 2.7267508506774902,
                           "cvss_score" => 3.5,
                            "host_name" => nil,
                          "malware_kit" => 0,
                       "severity_score" => 4,
                       "date_last_seen" => 2021-10-02T06:28:29.661Z,
                           "date_added" => 2021-05-19T00:00:00.000Z,
                               "severe" => 1,
                       "source_console" => "<REDACTED",
                    "denial_of_service" => false,
                                "proof" => "<p><p>Vulnerable OS: HP iLO 4<p><ul><li>The property &quot;firmware.version&quot; contains: 2.70.</li></ul></p></p></p>",
                        "date_modified" => 2021-11-04T00:00:00.000Z,
                   "malware_popularity" => nil,
                            "os_family" => "iLO",
                             "critical" => 0,
                          "data_source" => "nexpose",
                   "cvss_access_vector" => "N",
                           "nexpose_id" => "hp-ilo-cve-2021-29210",
                           "pci_status" => "Fail",
                             "asset_id" => 2457,
                          "solution_id" => 6677,
                     "vulnerability_id" => 183961,
    "last_assessed_for_vulnerabilities" => 2022-02-04T06:57:43.822Z,
               "cvss_access_complexity" => "M",
                   "cvss_exploit_score" => 6.832000255584717,
                                  "url" => nil,
                              "exploit" => 0,
                       "date_published" => 2021-05-19T00:00:00.000Z
}

Scenario 2 (using the explicit timestamp in the conditional statement)

  if "2022-02-04T06:57:43.822Z" in [temp] {
    mutate { add_field => { "found" => "true" } }
  }

Output:

{
                          "solution_id" => 6677,
                         "service_line" => "Undetermined",
                "cvss_integrity_impact" => "P",
                       "os_description" => "HP iLO 4",
                             "protocol" => nil,
          "cvss_confidentiality_impact" => "N",
                "cvss_v3_attack_vector" => "N",
                                  "cve" => "CVE-2021-29210",
                              "summary" => "Upgrade HP iLO 4 to the latest version",
                                "found" => "true",
                          "description" => "\n    \n<p>A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.</p>\n  ",
                               "severe" => 1,
                    "cvss_impact_score" => 2.8627498149871826,
                             "severity" => "Severe",
             "cvss_v3_user_interaction" => "R",
                            "dept_code" => "<REDACTED",
                       "date_last_seen" => 2021-10-02T06:28:29.661Z,
                            "host_name" => nil,
                            "data_type" => "vulnerability",
                        "cvss_v3_scope" => "C",
                              "os_name" => "iLO",
                             "critical" => 0,
                          "malware_kit" => 0,
                            "os_family" => "iLO",
                       "cvss_v3_vector" => "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                        "date_modified" => 2021-11-04T00:00:00.000Z,
                             "asset_id" => 2457,
                           "@timestamp" => 2022-02-04T17:49:54.132Z,
                          "mac_address" => nil,
                            "scan_type" => "internal",
                              "exploit" => 0,
                              "os_type" => "Lights Out Management",
                                "proof" => "<p><p>Vulnerable OS: HP iLO 4<p><ul><li>The property &quot;firmware.version&quot; contains: 2.70.</li></ul></p></p></p>",
                         "os_certainty" => 0.949999988079071,
                   "impacted_component" => "hp-ilo",
                   "cvss_exploit_score" => 6.832000255584717,
                           "date_found" => 2021-10-02T06:28:29.661Z,
                           "cvss_score" => 3.5,
                             "exploits" => 0,
                   "pci_severity_score" => 3,
                   "malware_popularity" => nil,
          "cvss_v3_availability_impact" => "N",
                            "os_system" => "HP iLO",
                       "severity_score" => 4,
                   "cvss_access_vector" => "N",
                           "os_version" => "4",
                           "risk_score" => 59.95520782470703,
                         "pci_failures" => 1,
                           "pci_status" => "Fail",
             "cvss_availability_impact" => "N",
                 "cvss_v3_impact_score" => 2.7267508506774902,
               "cvss_access_complexity" => "M",
                  "exploit_skill_level" => nil,
            "cvss_v3_attack_complexity" => "L",
                               "status" => "Vulnerable version",
                       "source_console" => "<REDACTED",
                           "date_added" => 2021-05-19T00:00:00.000Z,
                          "data_source" => "nexpose",
                                  "url" => nil,
                                  "nvd" => "https://www.rapid7.com/db/vulnerabilities/hp-ilo-cve-2021-29210",
          "cvss_v3_privileges_required" => "H",
                       "date_published" => 2021-05-19T00:00:00.000Z,
       "cvss_v3_confidentiality_impact" => "L",
                     "vulnerability_id" => 183961,
                  "cvss_authentication" => "S",
                             "moderate" => 0,
                    "credential_status" => "All credentials failed",
              "pci_adjusted_cvss_score" => 4.0,
                                  "key" => "HP iLO 4",
                             "@version" => "1",
                         "malware_kits" => 0,
                            "os_vendor" => "HP",
    "last_assessed_for_vulnerabilities" => 2022-02-04T06:57:43.822Z,
                    "pci_special_notes" => "XSS vulnerabilities are a violation of the PCI DSS, and result in an automatic failure. Note this vulnerability's CVSS and severity scores have been modified to comply with PCI ASV program requirements. (Original NVD CVSS score: 3.5) ",
                                "sites" => "<REDACTED",
                                "title" => "HP iLO: CVE-2021-29210: Cross-Site Scripting (XSS), Carriage Return Line Feed",
             "cvss_v3_integrity_impact" => "L",
                    "denial_of_service" => false,
                                 "port" => nil,
                           "ip_address" => "<REDACTED",
                              "service" => nil,
                           "nexpose_id" => "hp-ilo-cve-2021-29210",
                                 "temp" => [
        [0] "2022-02-04T06:57:43.822Z"
    ],
                "cvss_v3_exploit_score" => 1.6677968502044678,
                        "cvss_v3_score" => 4.800000190734863,
                          "cvss_vector" => "AV:N/AC:M/Au:S/C:N/I:P/A:N"
}

Didn't test, but I think it could be due to the data types.

2022-02-04T06:57:43.822Z - last_assessed_for_vulnerabilities
"2022-02-04T06:57:43.822Z" - temp

One's a string and one's a date/int. Maybe mutate convert last_assessed_for_vulnerabilities to a string before comparing in the if statement.
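As an added, self-contained pipeline (not from this thread or from the poster's config) that reproduces the type mismatch and the convert-to-string fix: the date filter here only stands in for what the JDBC input does with a timestamp column (it yields a LogStash::Timestamp, not a string), the sample values are constructed, and the field names found_before_convert and last_assessed_str are made up for the demonstration.

```logstash
input {
  generator {
    count => 1
    codec => json
    # Constructed sample: one assessment date plus a multi-valued history field
    lines => [ '{ "last_assessed_for_vulnerabilities": "2022-02-04T06:57:43.822Z", "temp": [ "2022-02-03T06:57:43.822Z", "2022-02-04T06:57:43.822Z" ] }' ]
  }
}

filter {
  # Stand-in for the JDBC input: a timestamp column arrives as a
  # LogStash::Timestamp object rather than a string.
  date {
    match  => [ "last_assessed_for_vulnerabilities", "ISO8601" ]
    target => "last_assessed_for_vulnerabilities"
  }

  # Scenario 1 from the thread: a Timestamp checked against an array of
  # strings never matches, so this field is never added.
  if [last_assessed_for_vulnerabilities] in [temp] {
    mutate { add_field => { "found_before_convert" => "true" } }
  }

  # The fix: compare like with like. Copy first, then convert the copy, so
  # the original Timestamp stays available for date-based logic downstream.
  # (copy and convert are in separate mutate blocks because mutate applies
  # convert before copy within a single block.)
  mutate {
    copy => { "last_assessed_for_vulnerabilities" => "last_assessed_str" }
  }
  mutate {
    convert => { "last_assessed_str" => "string" }
  }

  # Now both sides are strings and "found" is added when the date is in temp.
  if [last_assessed_str] in [temp] {
    mutate { add_field => { "found" => "true" } }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Running this with `bin/logstash -f <file>` prints the event with "found" set and without "found_before_convert", which is the difference between the two scenarios above.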


Thank you very much Aaron. You were right. I just learned something today.
