Cortex XDR API data field time extraction
mattcosa opened this issue · 1 comments
Description
When using the Cortex API input, the event time is incorrectly extracted as the index time
Expected behavior
There are available fields in the JSON data set that are more suitable for the `_time` field. Specifically, the `creation_time` field would be best, given the sourcetype is set as "incident" and it represents this event more closely.
Current behavior
The `indextime` is used for the event, which is misleading.
Possible solution
Specify timestamp recognition using `props.conf`.
"Hacky" example below that I haven't tested:

```
[pan:xdr_incident]
# TIME_PREFIX is a regex; allow optional whitespace after the colon
TIME_PREFIX = "creation_time":\s*
# creation_time is a 13-digit epoch in milliseconds (the SPL below divides by 1000),
# so parse as epoch seconds followed by three subsecond digits rather than plain %s
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
```
See this page for more detail.
Steps to reproduce
- Using the Palo Alto inputs for Cortex XDR, configure an input.
- After successful ingestion, use the following SPL to validate the correct event time (change your `index`).

```
index="my_pan_xdr"
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| eval creationtime=strftime(creation_time/1000,"%Y-%m-%d %H:%M:%S")
| table creationtime indextime _time
```
Screenshots
N/A. I would have to redact too much data (use the SPL above on an example data set).
Context
Accurate time representation is critical to correlated activity.
Decreased API frequency (i.e. longer in-between) will exacerbate time skew.
Your Environment
Splunk Cloud 9.0.2205.1
Palo Alto Networks Add-on 7.1.0
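Added example (not from the issue author or the add-on): a small Python harness that mimics what the `props.conf` stanza above asks Splunk to do (`TIME_PREFIX` regex, `%s%3N` epoch-millisecond format, lookahead window) and measures the event-time vs. index-time skew the Context section describes. The incident JSON is constructed; the fallback-to-index-time behaviour is an assumption about Splunk, used here to show what happens when `creation_time` is absent.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Mirror of the proposed props.conf settings (assumed to approximate Splunk's behaviour).
TIME_PREFIX = re.compile(r'"creation_time":\s*')       # regex that must precede the timestamp
TIMESTAMP = re.compile(r"(\d{10})(\d{3})")              # %s%3N: 10 second digits + 3 ms digits
MAX_TIMESTAMP_LOOKAHEAD = 13                            # characters scanned after the prefix


def extract_event_time(raw_event: str, index_time: datetime) -> datetime:
    """Return creation_time as a UTC datetime, or index_time when no usable
    timestamp follows the prefix (assumed fallback, matching the misleading
    behaviour the issue reports)."""
    prefix = TIME_PREFIX.search(raw_event)
    if not prefix:
        return index_time
    window = raw_event[prefix.end(): prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = TIMESTAMP.match(window)
    if not ts:
        return index_time
    seconds, millis = int(ts.group(1)), int(ts.group(2))
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def skew_seconds(raw_event: str, index_time: datetime) -> float:
    """How far the index time lags the real creation time; grows with the poll interval."""
    return (index_time - extract_event_time(raw_event, index_time)).total_seconds()


# Constructed sample incident, not real Cortex XDR data.
SAMPLE_INCIDENT = json.dumps({
    "incident_id": "EXAMPLE-1",
    "creation_time": 1700000000123,
    "modification_time": 1700003600456,
    "severity": "high",
})
# Constructed index time: the API input polled 15 minutes after the incident was created.
INDEX_TIME = datetime.fromtimestamp(1700000000 + 900, tz=timezone.utc)

if __name__ == "__main__":
    print("event time :", extract_event_time(SAMPLE_INCIDENT, INDEX_TIME).isoformat())
    print("index time :", INDEX_TIME.isoformat())
    print("skew (s)   :", skew_seconds(SAMPLE_INCIDENT, INDEX_TIME))
```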
🎉 Thanks for opening your first issue here! Welcome to the community!