CASB logs imported into Splunk are recorded in the wrong time zone


Article ID: 236417


Updated On:

Products

CASB Security Premium, CASB Gateway, CASB Security Advanced, CASB Security Advanced IAAS, CASB Security Standard, CASB Securlet SAAS

Issue/Introduction

When the SIEM agent is used to import CASB Investigate, Detect, or History logs into Splunk, the time is recorded in an unexpected time zone.

Resolution

CASB data exported using the SIEM agent has a GMT timestamp. When the data is imported into Splunk or a similar SIEM product, it could be imported with a different time zone.

This could cause confusion when querying the SIEM product for the times of activities, events, or incidents.

As a workaround, configure Splunk or the other SIEM product to import logs from CASB in the GMT time zone.

Additional Information

Using the SIEM agent, specify a file and verify the timestamp against the Investigate data. The data should be stamped in GMT, and after it is converted back to the time zone of the browser accessing the CloudSOC portal, the times should match.
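
The verification described above can be scripted. The following is an added example, not part of the original article or of any vendor tooling: it assumes the exported stamp has the layout `YYYY-MM-DD HH:MM:SS` with no zone suffix, uses fixed UTC offsets for the SIEM host and the browser, and all function names and sample values are hypothetical.

```python
from datetime import datetime, timedelta, timezone

GMT = timezone.utc
FMT = "%Y-%m-%d %H:%M:%S"  # assumed export layout: no zone suffix on the stamp

def parse_as(raw, tz):
    """Read a zone-less timestamp string as wall-clock time in tz."""
    return datetime.strptime(raw, FMT).replace(tzinfo=tz)

def import_skew(raw, siem_tz):
    """Error added when a SIEM reads the GMT stamp as its own local time."""
    return parse_as(raw, siem_tz) - parse_as(raw, GMT)

def matches_portal(raw, portal_display, browser_tz):
    """GMT export converted to the browser's zone should equal the portal time."""
    return parse_as(raw, GMT).astimezone(browser_tz).strftime(FMT) == portal_display

def check_event(raw, siem_epoch, portal_display, browser_tz):
    """Compare the epoch the SIEM stored with the true GMT instant and the portal."""
    skew = timedelta(seconds=siem_epoch - parse_as(raw, GMT).timestamp())
    return {"siem_ok": skew == timedelta(0), "siem_skew": skew,
            "portal_ok": matches_portal(raw, portal_display, browser_tz)}

# Constructed sample values, not taken from a real CASB export.
RAW = "2023-03-01 14:30:00"                # stamp as written by the SIEM agent (GMT)
SIEM_TZ = timezone(timedelta(hours=-5))    # SIEM host local zone, fixed offset
BROWSER_TZ = timezone(timedelta(hours=1))  # zone of the browser viewing the portal
PORTAL = "2023-03-01 15:30:00"             # same event as shown in the portal

if __name__ == "__main__":
    bad_epoch = parse_as(RAW, SIEM_TZ).timestamp()   # SIEM assumed local time
    good_epoch = parse_as(RAW, GMT).timestamp()      # SIEM told the source is GMT
    print("skew if read as local:", import_skew(RAW, SIEM_TZ))
    print("misconfigured:", check_event(RAW, bad_epoch, PORTAL, BROWSER_TZ))
    print("GMT configured:", check_event(RAW, good_epoch, PORTAL, BROWSER_TZ))
```

In Splunk, the time zone applied when timestamps are parsed is set per source, host, or sourcetype with the `TZ` attribute in props.conf.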