Where does the timestamp within an SMTP incident stem from?
Data Loss Prevention Enforce


Where does the timestamp come from that appears in the incident list?


Relevant versions: ALL

SMTP incidents are treated differently than other kinds of DIM (Data In Motion) incidents. The time that appears in the incident list is the "Sent" time--that is, the time inserted by the email client as the time the user pushed the "Send" button. This is NOT the time that the incident was captured or detected.

For example, if the same email message is passed to a monitor multiple times, every resulting incident will show the same "time" in the incident list report, since that time is taken from the Date header stamped in the email message itself rather than from when each copy was seen.

One of our prerequisites from the Install Guide states:

Place all servers in the same time zone, independent of their physical location and ensure that all servers are synchronized with the same time (to the minute). Ensure the servers are updated with DST 2007 patches.

This is highly recommended.

The following applies:

Sent Time - the time at which the message was sent, as stamped by the email client.
Capture Time - the time at which the message was captured by a Vontu system (e.g., for pcap, when the Monitor saw the message).
Detected Time - the time at which the message was processed through the detection chain and the incident was found. This could be significantly later than the Capture Time if there is a backlog in the detection queue. The Detected Time appears in the Incident History.
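The following added example (not code from this article or from the DLP product) shows the distinction the three definitions above draw. It parses the client-supplied Date header of a constructed message to derive the Sent time, attaches hypothetical Capture and Detected times to build an incident record, and demonstrates that two captures of the same message share one incident-list time while their Capture times differ. Because the Sent time comes from the client, a `flag_clock_skew` check (a hypothetical helper with a made-up 30-minute tolerance) compares it against the Capture time so that an unsynchronized or wrongly set client clock is visible to the analyst instead of silently shifting the incident's position in the list. The header values, incident field names and times are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

UTC = timezone.utc

# Constructed sample message; every header value here is made up for this example.
RAW_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: quarterly figures\r\n"
    "Date: Tue, 05 Mar 2024 09:15:00 -0500\r\n"
    "Message-ID: <constructed-0001@example.com>\r\n"
    "\r\n"
    "body\r\n"
)


def utc(year, month, day, hour, minute):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def sent_time(raw_message):
    """Sent time as stamped by the mail client in the Date header, normalized to UTC.

    Returns None when the header is missing or cannot be parsed; an incident built
    from such a message has no client-supplied time to show.
    """
    msg = message_from_string(raw_message)
    header = msg.get("Date")
    if header is None:
        return None
    try:
        dt = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:  # "-0000" style dates come back naive; treat as UTC
        dt = dt.replace(tzinfo=UTC)
    # Normalize every stored time to UTC so servers in different zones agree
    return dt.astimezone(UTC)


def build_incident(raw_message, capture_time, detected_time):
    """Hypothetical incident record carrying the three times the article defines."""
    return {
        "sent_time": sent_time(raw_message),
        "capture_time": capture_time.astimezone(UTC),
        "detected_time": detected_time.astimezone(UTC),
    }


def incident_list_time(incident):
    """The time shown in the incident list for an SMTP incident: the Sent time."""
    return incident["sent_time"]


def sent_capture_skew(incident):
    """How far the client-stamped Sent time lies from when the monitor saw the message."""
    return incident["capture_time"] - incident["sent_time"]


def flag_clock_skew(incident, tolerance=timedelta(minutes=30)):
    """True when Sent and Capture disagree by more than `tolerance` (made-up threshold).

    A large skew usually means an unsynchronized client clock, a queued message,
    or a message replayed to the monitor long after it was sent.
    """
    if incident["sent_time"] is None:
        return True  # no trustworthy Sent time at all
    return abs(sent_capture_skew(incident)) > tolerance


if __name__ == "__main__":
    # The same message seen by the monitor twice, 45 minutes apart
    first = build_incident(RAW_MESSAGE, utc(2024, 3, 5, 14, 20), utc(2024, 3, 5, 14, 25))
    second = build_incident(RAW_MESSAGE, utc(2024, 3, 5, 15, 5), utc(2024, 3, 5, 15, 30))
    print("incident list times equal:", incident_list_time(first) == incident_list_time(second))
    print("capture times equal:", first["capture_time"] == second["capture_time"])
    print("second capture flagged for skew:", flag_clock_skew(second))
```

Both incidents display 14:15 UTC in the list because that is the Date header converted from -0500, even though the monitor captured them at 14:20 and 15:05. Sorting or deduplicating by the list time therefore tells you nothing about when the monitor saw each copy; use the Capture and Detected times from the Incident History for that.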