From 8570189b8f176b4dbf4a30e8223e6860aa752448 Mon Sep 17 00:00:00 2001
From: SG <13872653+mmguero@users.noreply.github.com>
Date: Tue, 17 Aug 2021 14:41:06 -0600
Subject: [PATCH] work on idaholab/Malcolm#19, assigning severity to certain types of events
---
 docker-compose-standalone.yml | 2 +-
 docker-compose.yml | 2 +-
 logstash/pipelines/enrichment/19_severity.conf | 7 +++----
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 11ee028b5..ec7e9d524 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -229,7 +229,7 @@ services:
 - 9600
 volumes:
 - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
- - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
+ - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro
 - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
 - ./logstash/certs/ca.crt:/certs/ca.crt:ro
 - ./logstash/certs/server.crt:/certs/server.crt:ro
diff --git a/docker-compose.yml b/docker-compose.yml
index 00ffb25cd..a5a95ddc4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -242,7 +242,7 @@ services:
 volumes:
 - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
 - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro
- - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
+ - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro
 - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
 - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
 - ./logstash/certs/ca.crt:/certs/ca.crt:ro
diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf
index d7aedd072..38036a75b 100644
--- a/logstash/pipelines/enrichment/19_severity.conf
+++ b/logstash/pipelines/enrichment/19_severity.conf
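Review bot: The container-side path of the severity mapping mount moves from `/etc/logstash/maps/malcolm_severity.yaml` to `/etc/malcolm_severity.yaml` in the docker-compose-standalone.yml hunk and again in the docker-compose.yml hunk, but nothing else in this patch updates a consumer of that path (the 19_severity.conf hunks only touch a comment and blank lines), so the pipeline presumably already reads the new location or is changed in a separate commit; that is worth confirming before merge, because a stale path could leave the mapping unused without an obvious error. The mount stays `:ro`, which is the appropriate mode for a user-editable mapping the pipeline only reads. Since the same literal path now lives in two compose files, a comment above each entry, `# container path must match the mapping file location read by the severity enrichment pipeline`, would make the coupling explicit for the next edit.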
@@ -206,7 +206,9 @@ filter {
 # in addition to insecure/outdated protocols, append PROTOCOL_XXX to the
 # severity_tags list, where XXX is the uppercased value of zeek.service,
 # so that if the user wants to add PROTOCOL_SSH or whatever to their mapping
- # for a custom severity value it will just work
+ # for a custom severity value it will just work. if it's not in their
+ # mapping file, it'll return with a nil value and will be removed
+ # in ruby_calculate_final_severity_score
 if (!([zeek][logType] =~ /^known/)) {
 ruby {
 id => "ruby_add_field_severity_insecure_protocols"
@@ -287,8 +289,5 @@ filter { end" } - - - } # filter