000029047 - SecOps 1.1 "Alert Timestamp" field displays time in future

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000029047
Applies To: RSA Product Set: Archer

RSA Product/Service Type: Archer

RSA Version/Condition: 5.5 SP1

Platform: Windows

Platform (Other): null

O/S Version: null

SecOps 1.1, RCF 2.7, ESA on SA 10.3
Archer Solution: Incident Response
Archer Application: Security Alerts
Issue: The "Alert Timestamp" field (a Date field) in Archer is populated with a time in the future. With the platform time zone at UTC+2, the displayed time is two hours ahead of the actual event time.
============================ Alert raw data begin ============================
Jul 22 14:00:55 cv-sa-esa-01 FAILURE:TestRCF_ASA_accessDenied_ESA:Event Stream Analytics:CEF:0|RSA|Security Analytics (ESA)|10.3.3|20|This incident is based on the rule "TestRCF_ASA_accessDenied_ESA" and based on the aggregation criteria "Destination IP" where the Destination IP is:|3|externalId=4074441236 src= dst= rt=2014-07-22T14:00Z sourceServiceName= requestClientApplication= destinationDnsDomain= smac= dmac= cs1= cs1Label=destinationcity cs2= cs2Label=destinationcountry cs3=esa-TestRCF_ASA_accessDenied_ESA- cs3Label=aggregationcriteria alertagg=0498b66d-cb67-44e6-bb22-36ba4c46a3e9 cs4=cv-sa-lh-01 cs4Label=decoderid cs5= cs5Label=concentratorid cs6= cs6Label=threatsource cs7= cs7Label=referer cs8=esa cs8Label=RCFApplicationName spt= dpt= cs9= cs9Label=udpsourceport cs10= cs10Label=udptargetport cs11= cs11Label=destinationlattitude cs12= cs12Label=sourcelattitude cs13= cs13Label=destinationlongitude cs14= cs14Label=sourcelongitude cs15= cs15Label=alertid cs16= cs16Label=sourcedomain cs17= cs17Label=destinationdomain cs18=TestRCF_ASA_accessDenied_ESA cs18Label=alert cs19= cs19Label=sourcecountry cs20= cs20Label=sourcecity cs21= cs21Label=deviceid msg=TestRCF_ASA_accessDenied_ESA grouped by Destination IP: cs24= cs24Label=riskinfo cs25= cs25Label=riskwarn cs26= cs26Label=risksusp cs27= cs27Label=threatcategory cs28= cs28Label=threatdesc cat= level=3 devicetype=ciscoasa deviceclass=Firewall suser= eventsource= eventtype= eventdescription=access denied duser= filename= deviceip= esaseverity=9 time=2014-07-22T14:00Z statement=5b1131f8-49e8-4671-a29f-0ca71335dede id=0498b66d-cb67-44e6-bb22-36ba4c46a3e9 moduleType=advanced
============================ Alert raw data end ============================

Resolution: In the default CEF templates in "SecOps_SA_ESA_Templates.txt", the problematic field is the "rt" key-value pair. In the raw alert above, the syslog header (platform-local time) reads 14:00:55 and rt carries the same wall-clock hour but with a trailing "Z" (the UTC designator), so the consumer treats a local time as UTC and the Date field lands two hours in the future. Change

rt=${time?datetime}

to

rt=${time?datetime?iso_utc_nz}

The time is then published as UTC with "No Zone", meaning no time zone designator or offset is appended, so the value takes the form rt=2014-07-22T14:00 rather than rt=2014-07-22T14:00Z. After editing the template, trigger a test alert and confirm that the "Alert Timestamp" field in the Security Alerts application matches the event time.
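As an added check (example code written for this article, not part of RSA's SecOps templates or tooling), the following Python script parses the CEF extension of an alert like the one above, compares the rt value against the syslog header (which is in platform-local time) and reports the skew. It also applies the template substitution from the resolution and emulates what FreeMarker's ?iso_utc_nz produces for the true event instant (UTC, no zone designator). The UTC+2 platform zone is taken from the article; the trimmed sample alert is constructed from the raw data above.

```python
"""Detect a SecOps/ESA CEF alert whose 'rt' field was stamped with a UTC 'Z'
while actually carrying platform-local time, and show the template fix."""
import re
from datetime import datetime, timedelta, timezone

# Assumption taken from the article: the ESA/Archer platform runs at UTC+2.
PLATFORM_TZ = timezone(timedelta(hours=2))

# Constructed sample, trimmed from the alert in the article: syslog header in
# platform-local time, 'rt' carrying the same wall-clock hour plus a literal Z.
RAW_ALERT = (
    "Jul 22 14:00:55 cv-sa-esa-01 FAILURE:TestRCF_ASA_accessDenied_ESA:"
    "Event Stream Analytics:CEF:0|RSA|Security Analytics (ESA)|10.3.3|20|"
    'This incident is based on the rule "TestRCF_ASA_accessDenied_ESA"|3|'
    "externalId=4074441236 src= dst= rt=2014-07-22T14:00Z cs8=esa "
    "cs8Label=RCFApplicationName msg=TestRCF_ASA_accessDenied_ESA grouped by "
    "Destination IP: time=2014-07-22T14:00Z moduleType=advanced"
)

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) ")
# key=value pairs; a value runs until the next " key=" token, so values containing
# spaces (such as msg=...) survive and empty values (src=) are kept as "".
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Return (header_fields, extension_dict) for a line containing 'CEF:0|...'."""
    start = line.index("CEF:")
    parts = line[start:].split("|", 7)  # 7 pipe-delimited header fields, then the extension
    if len(parts) != 8:
        raise ValueError("not a complete CEF record")
    return parts[:7], dict(CEF_EXT_RE.findall(parts[7]))


def parse_rt(value, assume_tz):
    """Parse an ISO-8601 'rt' value. A trailing Z means UTC; with no zone
    designator the consumer has to assume one (here: assume_tz)."""
    tz = timezone.utc if value.endswith("Z") else assume_tz
    core = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M"):
        try:
            return datetime.strptime(core, fmt).replace(tzinfo=tz)
        except ValueError:
            continue
    raise ValueError(f"unrecognised rt format: {value}")


def parse_syslog_header(line, year, tz):
    """The BSD syslog header has neither year nor zone: take the year from the
    alert and the zone from the platform that wrote the line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no syslog header")
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=tz)


def rt_skew_hours(line, platform_tz=PLATFORM_TZ):
    """Hours by which 'rt' is ahead of the syslog header; 0 means they agree."""
    _, ext = parse_cef(line)
    rt = parse_rt(ext["rt"], assume_tz=timezone.utc)
    # rt carries minute precision only, so compare at minute granularity.
    hdr = parse_syslog_header(line, rt.year, platform_tz).replace(second=0)
    return (rt - hdr).total_seconds() / 3600


def iso_utc_nz(dt):
    """Emulate FreeMarker's ?iso_utc_nz: convert to UTC and omit the zone designator."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def patch_template(text):
    """Apply the article's fix to template text (idempotent: an already
    patched 'rt=${time?datetime?iso_utc_nz}' is left alone)."""
    return text.replace("rt=${time?datetime}", "rt=${time?datetime?iso_utc_nz}")


if __name__ == "__main__":
    skew = rt_skew_hours(RAW_ALERT)
    print(f"rt is {skew:+.0f} h relative to the syslog header")  # +2 h: the bug in the article
    event = parse_syslog_header(RAW_ALERT, 2014, PLATFORM_TZ)
    print("rt the fixed template would emit:", iso_utc_nz(event))
    print(patch_template("...|3|externalId=${externalId} rt=${time?datetime} cs8=esa"))
```

Run it against a line copied from the ESA syslog feed to confirm whether the skew matches the platform's UTC offset before touching the template; a skew of zero on a freshly generated alert after the change confirms the fix took effect.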