CASB Streaming Investigate logs to Bucket - Unix (epoch) time format questions

search cancel

CASB Streaming Investigate logs to Bucket - Unix (epoch) time format questions

book

Article ID: 275404

calendar_today

Updated On:

Products

CASB Securlet SAAS

Issue/Introduction

Client is streaming CASB Investigate logs to S3 bucket and then to Splunk.

In raw exported logs client sees two time fields - device_time and log_time in Unix time format and asks what the difference is, what does each time represent?

Which one is the time when the event happened?

Example:

device_time: 1698161670000
   feature_name: investigate all
   id: 4
   log_time: 1698161735935

Resolution

INFRA Engineering responded with clarification:

device_time is when the event occurred
log_time is when CASB detected it

Engineering also provided link to schema section, recently added to the CASB Streaming Logs Tech Doc, which provides additional details:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/investigate-home/stream-logs-to-cloud/streaming-schema-reference.html

Feedback

thumb_up Yes

thumb_down No