Date and Time 4 hours ahead SOPHOS Central API Log pull
apeximmortal opened this issue · 4 comments
Hello,
Whenever I run the script and pull log files from the Sophos Central API, the date and time of the log files are 4 hours ahead!
For example
(sophos central cloud)
Event register new pc - recorded at 13:29pm on sophos central website
Event update succeeded - recorded at 14:01pm on sophos central website
(alien vault SIEM)
Event register new pc - recorded at 17:29pm in the log pulled down to alienvault
Event update succeeded - recorded at 18:01pm in the log pulled down to alienvault
Any ideas why the log file saves to alienvault 4 hours ahead?
Thank you
Hi @apeximmortal, can you please help us by providing details of the timezone of the server on which this script is executed, and also the timezone of the server on which your Sophos Central is deployed?
@apeximmortal, we verified the created_at timestamp from alerts and it seems that it's exactly the same as shown in the Sophos Central UI. So you might have to check the configuration on the AlienVault SIEM.
Let us know if you still need any help from our side.
@apeximmortal Moreover, the value for created_at coming in the response is epoch time, so it should be parsed accordingly by the SIEM server. Can you please verify the same and update?
Closing this issue as we are unable to repro it. Please reopen if you have more information that might help.
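A check for this kind of report, added here as an example and not part of the thread or of the project's script: it parses an epoch `created_at` as UTC, emits it with an explicit zone, and works out which whole-hour UTC offset each displayed reading corresponds to. The function names and the sample epoch are assumptions constructed for illustration, and the thread does not confirm what caused the gap.

```python
from datetime import datetime, timedelta, timezone

def epoch_to_utc(value):
    """Parse epoch seconds or milliseconds (number or numeric string) as UTC."""
    n = float(value)
    if abs(n) > 1e11:  # far beyond any plausible date in seconds: milliseconds
        n /= 1000.0
    return datetime.fromtimestamp(n, tz=timezone.utc)

def siem_timestamp(value):
    """ISO 8601 with an explicit 'Z' so the receiver never has to guess a zone."""
    return epoch_to_utc(value).strftime("%Y-%m-%dT%H:%M:%SZ")

def wall_clock(value, offset_hours):
    """HH:MM a viewer at the given whole-hour UTC offset would see."""
    tz = timezone(timedelta(hours=offset_hours))
    return epoch_to_utc(value).astimezone(tz).strftime("%H:%M")

def offsets_matching(value, shown_hhmm):
    """Whole-hour UTC offsets at which the event would display as shown_hhmm."""
    return [h for h in range(-12, 15) if wall_clock(value, h) == shown_hhmm]

# Constructed sample: an epoch chosen so that UTC reads 17:29, mirroring the
# 13:29 / 17:29 pair in the report. It is not taken from a real API response.
SAMPLE_CREATED_AT = 1559582940

if __name__ == "__main__":
    print("forwarded as:", siem_timestamp(SAMPLE_CREATED_AT))
    print("reading 13:29 matches UTC offsets:",
          offsets_matching(SAMPLE_CREATED_AT, "13:29"))
    print("reading 17:29 matches UTC offsets:",
          offsets_matching(SAMPLE_CREATED_AT, "17:29"))
```

When the two readings of one event map to different offsets, the stored instant is the same and only the display zone differs, which matters when correlating events across sources during an investigation.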