Article Content
Article Number | 000032807 |
Applies To | RSA Product Set: Security Analytics, Archer RSA Product/Service Type: Security Analytics, Archer SecOps Solution RSA Version/Condition: Security Analytics 10.6; SecOps 1.3, 1.2.x and 1.1.x |
Issue | When alerts are sent through Security Analytics to Archer (SecOps/Non-SecOps mode), date parsing errors are seen in the UCF collector log, causing issues populating alerts to Archer. Specifically, the timestamp field for the base events of an alert is shown as blank in the SecOps Archer UI. There is no impact on other functionality. Incident and alert timestamps are parsed correctly. This issue is seen only in alerts coming from SA IM, not in alerts coming in via syslog to SecOps. |
Cause | This is a known issue due to a change in the timestamp format for alerts presented in ESA and Incident Management from Security Analytics 10.5. |
Resolution | This issue needs to be fixed in both Security Analytics and the UCF in SecOps, in terms of how the timestamp is presented by Security Analytics and how UCF interprets the time. This issue has been resolved in Security Analytics 10.6.0.1, on which SecOps 1.3.x has a dependency. |
Workaround | The user can click on the Security Analytics Incident Management (IM) link to see the event details in Security Analytics. The user will then be able to obtain the timestamp information. |