Adding fields to zeek.modbus and zeek.modbus_detailed for visibility in the Hunt module

[HBadger0017]

@dougburks or @weslambert...

I want to add fields from zeek.modbus and zeek.modbus_detailed. My efforts to add tid, unit, pdu_type fields to modbus and unit, tid, value (the whole array) to modbus_detailed have failed. These fields are vital to be able to write Sigma rules and other detections.

The fields are being ingested properly into SecO as they are present in the "message" field. How/where do I add the desired:
"field": "message2.<field>", "target_field":<new field> for them to show in the Hunt module?

so that they appear here:

Documentation is kinda light on modifying these files to add fields, but I'm willing to do the research if there is a source.

Also, the current versions of zeek.modbus and zeek.modbus_detailed already include { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id","ignore_missing": true } }, but I don't think this entry has correct syntax.

Thanks for any help.

(other pertinent details: using Import in AWS on t3a.2xlarge with default settings)

[cm-ops]

Are there any errors in the logstash.log for issues parsing modbus_detailed logs?

[HBadger0017]

I'll check but as this is an Import instance, I'm not sure there would be any logstash logs.

[HBadger0017]

ran find / -iname *logstash.log 2>/dev/null with no results. Any place else? I'm working on how to re-index the pcap I already have ingested. Also, working on how to "reboot" elasticsearch to take into account updated zeek.modbus and zeek.modbus_detailed files.

These files have the fields I need to show in the Hunt Module. From there, I can dev Sigma rules/correlations on those new fields.

Any recommendations on a workflow?

[cm-ops]

Okay, if that is an import node there won't be a Logstash log. You could edit the zeek.modbus_detailed ingest pipeline in Kibana > Stack Management > Ingest Pipelines > zeek.modbus_detailed and add your processors there. If you don't upgrade the node, that should be fine. If you upgrade, it is probably easier to create a custom pipeline in this format <type>-<dataset>@custom so for example, logs-zeek.modbus_detailed@custom create your processors in there and call the custom pipeline in the ingest pipeline with a pipeline processor.

[NicoPang]

I'm also trying to add a similar feature to my setup. Would I have to re-add the zeek-dataset@custom pipeline to the zeek-dataset pipeline every time the node gets upgraded, or is there a way to have the custom pipeline persist?