When the SIEM agent is used to import CASB Investigate, Detect, or History logs into Splunk, the time is recorded in an unexpected time zone.
CASB data exported using the SIEM agent has a GMT timestamp. When the data is imported into Splunk or a similar SIEM product, the data could be imported with a different time zone.
This could cause confusion when querying the SIEM product for the times of activities, events, or incidents.
As a workaround, where needed, configure Splunk or the other SIEM product to import logs from CASB in the GMT time zone.
Using the SIEM agent, specify a file and verify the timestamps in it against the Investigate data. The data should be stamped in GMT, and after it is converted back to the time zone of the browser accessing the CloudSOC portal, the times should match.
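The verification above can be scripted. The following Python sketch is an added example, not part of the original article or of the SIEM agent; it converts an exported GMT timestamp to the browser's zone and classifies the time a SIEM indexed for the same event. The timestamp layout, the sample values and the fixed UTC offsets are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

GMT = timezone.utc
FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout; match it to the exported file

# Constructed sample values, not taken from a real export.
SAMPLE = "2024-03-05 14:30:00"              # timestamp text in the exported file
SIEM_TZ = timezone(timedelta(hours=-5))     # zone the SIEM host assumes (assumption)
BROWSER_TZ = timezone(timedelta(hours=-8))  # zone of the browser on the portal (assumption)
# Fixed offsets ignore DST; a zoneinfo.ZoneInfo object can be passed instead.


def parse_export_time(text):
    """Read the exported wall-clock text as GMT, which is how it is stamped."""
    return datetime.strptime(text, FMT).replace(tzinfo=GMT)


def portal_display(text, browser_tz):
    """Time the portal should show for this event in the browser's zone."""
    return parse_export_time(text).astimezone(browser_tz).strftime(FMT)


def diagnose(text, indexed_epoch, siem_tz):
    """Classify the epoch a SIEM indexed against the exported GMT stamp.

    Returns (verdict, skew_seconds):
      ok          the SIEM read the stamp as GMT
      tz-misread  the SIEM read the same text as its own local time
      other-skew  the difference is not explained by the SIEM's zone
    """
    correct = parse_export_time(text).timestamp()
    if indexed_epoch == correct:
        return "ok", 0
    misread = datetime.strptime(text, FMT).replace(tzinfo=siem_tz).timestamp()
    skew = indexed_epoch - correct
    if indexed_epoch == misread:
        return "tz-misread", skew
    return "other-skew", skew


if __name__ == "__main__":
    good = parse_export_time(SAMPLE).timestamp()
    print("portal shows:", portal_display(SAMPLE, BROWSER_TZ))
    print("GMT import:  ", diagnose(SAMPLE, good, SIEM_TZ))
    print("local import:", diagnose(SAMPLE, good + 5 * 3600, SIEM_TZ))
```

A "tz-misread" verdict with a skew equal to the SIEM host's UTC offset indicates the import is not being treated as GMT.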