Data Protection - Discrepancies in date\time-stamps for events seen in the iConsole.


Article ID: 5402


Updated On:

Products

CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

By default, the CA Data Protection (DataMinder) iConsole displays the timestamp of when an event (email) was processed by the Data Protection system. Where real-time protection is employed (i.e. endpoint integration), this usually coincides with the time the event (email) was sent. However, the two can differ if the event is imported at a later stage, and occasionally where the timestamps have been manufactured (i.e. spam). As a result, there may be discrepancies between the timestamp in the iConsole timestamp column and the timestamp in the event summary pane.

 

For example:

<Please see attached file for image>

Incorrect_Date.jpg

 

Environment

Applicable to all Data Protection (DataMinder) builds.

Cause

Two common reasons for discrepancies are detailed below:

 

  • Imported Events - Where an event is processed offline (imported), the timestamp of when the mail was sent\received is likely to be wildly different from the date the event was processed (imported). Depending upon a customer's workflow or review process, either date can be used (see the Resolution section for details).

  • Conflicting timestamps in the email x-header - When CA Data Protection (DataMinder) encounters multiple conflicting dates\times with a large gap between the received date and the event date, it applies a formula that generates a new date for the timestamp, which is 30 days from the ingested date or updatetimestamp (the time the event was written to the database). This process normalises manufactured (spam) dates, and dates from systems that have been incorrectly developed or deployed using an incorrect local timestamp (i.e. a mail system that may have reverted to a default year of 1972, etc.).

Resolution

Where an event is ingested via import, the import job can be configured to use either the process timestamp or the event timestamp. To do this, edit the import configuration file (i.e. import.ini) and add the following parameter (defaults to Yes):

 

EMail.EventDateFromEMail=Yes or No 

 

If this parameter is set to 'Yes', the timestamp reflects the time and date in the email, based on the delivery time or time sent. If the email does not contain the delivery time or time sent, the Event Import process sets the timestamp to the time of import.

If this parameter is set to 'No', the timestamp reflects the time of import. 
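The selection rule described above can be modelled outside the product to predict which imported messages will show a different date in the timestamp column than in the summary pane. This is an added example, not CA Data Protection code. The function names, the mapping of "delivery time" to the topmost Received header and "time sent" to the Date header, the preference for delivery time first, and the 30-day conflict threshold are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumed gap for calling two header dates "conflicting"; the product's value is not documented here.
CONFLICT_GAP = timedelta(days=30)

# Constructed sample: a message whose Date header has reverted to 1972.
SAMPLE = (
    "Received: from mx.example.test by mail.example.test; Mon, 3 Jun 2019 10:15:00 +0000\n"
    "Date: Sat, 1 Jan 1972 00:00:00 +0000\n"
    "Subject: constructed sample\n\nbody\n"
)
IMPORT_TIME = datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed import time

def _parse(value):
    """Return an aware UTC datetime, or None if the value is missing or unparseable."""
    if not value or not value.strip():
        return None
    try:
        dt = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:  # a "-0000" zone yields a naive datetime; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def header_times(raw):
    """Return (time sent, delivery time) taken from the Date and topmost Received headers."""
    msg = message_from_string(raw)
    sent = _parse(msg.get("Date"))
    received = msg.get_all("Received") or []
    # The topmost Received header is from the final hop; its date follows the last ';'.
    delivered = _parse(received[0].rpartition(";")[2]) if received else None
    return sent, delivered

def event_timestamp(raw, import_time, event_date_from_email=True):
    """Model of EMail.EventDateFromEMail: Yes uses the email's date, No uses import time."""
    if not event_date_from_email:
        return import_time
    sent, delivered = header_times(raw)
    return delivered or sent or import_time  # fall back to import time if neither exists

def dates_conflict(raw):
    """Flag messages whose sent and delivery dates differ by more than CONFLICT_GAP."""
    sent, delivered = header_times(raw)
    return bool(sent and delivered and abs(delivered - sent) > CONFLICT_GAP)
```

Running `dates_conflict` over an export of messages before an import job gives reviewers a list of events whose displayed date should not be trusted as the send time without checking the headers.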
