Applies To
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 220.127.116.11
The RSA Live Event Stream Analysis rule, Web DOS Alert, produces events with a timestamp of 1970-01-01 00:00:00, as seen in the screenshot below.
Resolution
RSA NetWitness Respond shows the timestamp 1970-01-01 00:00 AM if the generated event does not have time meta.
The events do not have the time meta because the rule does not select time meta during event generation.
For example, the part of the 'Web DOS Alert' Live rule in question selects ip.src, ip.dst and tcp.dstport, but not time.
To resolve this issue, please add time meta to the select statement, as shown below.
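The same omission can be checked for across other rules. The following is an added example, not RSA's rule text or tooling: a small Python check that flags select statements whose field list does not include time. The sample statements are constructed and simplified, and the function names are hypothetical.

```python
import re

# Constructed, simplified statements for illustration only; these are not the
# actual 'Web DOS Alert' rule text. Meta key names follow the article.
SAMPLE_RULES = {
    "missing_time": "SELECT ip.src, ip.dst, tcp.dstport FROM Event(tcp.dstport = 80)",
    "with_time": "select time, ip.src, ip.dst, tcp.dstport from Event(tcp.dstport = 80)",
    "select_all": "SELECT * FROM Event(tcp.dstport = 80)",
    "aliased": "SELECT ip.src AS src, time AS event_time FROM Event(tcp.dstport = 80)",
    # A key that merely contains the word "time" must not count as time meta.
    "lookalike": "SELECT ip.src, event.time.str FROM Event(tcp.dstport = 80)",
}

# Capture everything between the first SELECT and the following FROM.
SELECT_RE = re.compile(r"\bselect\b(.*?)\bfrom\b", re.IGNORECASE | re.DOTALL)


def selected_fields(statement):
    """Return the lower-cased expressions in the select list, aliases removed."""
    match = SELECT_RE.search(statement)
    if not match:
        return []
    fields = []
    for item in match.group(1).split(","):
        # Drop an optional "AS alias" suffix and keep the selected expression.
        expr = re.split(r"\s+as\s+", item.strip(), flags=re.IGNORECASE)[0]
        fields.append(expr.strip().lower())
    return fields


def selects_time(statement):
    """True if the statement selects time explicitly or selects every field."""
    fields = selected_fields(statement)
    return "*" in fields or "time" in fields


def rules_missing_time(rules):
    """Names of rules whose generated events would carry no time meta."""
    return sorted(name for name, stmt in rules.items() if not selects_time(stmt))


if __name__ == "__main__":
    for name in rules_missing_time(SAMPLE_RULES):
        print(f"{name}: select list has no time meta")
```

The comma split assumes a flat field list; select expressions containing function calls with commas would need a real parser.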
Notes
The 'Web DOS Alert' rule will be modified soon by the RSA NetWitness Content team. Ensure that all rules are up to date.