000032807 - Timestamp field of an alert shown as blank in SecOps 1.3 and older when integrating with RSA Security Analytics 10.6

Document created by RSA Customer Support Employee on Jun 30, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032807
Applies ToRSA Product Set: Security Analytics, Archer
RSA Product/Service Type: Security Analytics, Archer SecOps Solution
RSA Version/Condition: Security Analytics 10.6; SecOps 1.3, 1.2.x and 1.1.x
IssueWhen Alerts are sent through Security Analytics to Archer, (SecOps/Non-SecOps mode) the date parsing errors are seen in the UCF collector log, causing issues to populate Alerts to Archer.
Specifically, the timestamp field for base events of an alert will be shown as blank in the Secops Archer UI.
There is no impact on other functionality. Incident & Alert Timestamps are parsed correctly.  
This issue will only be seen in the alerts coming from SA IM and not alerts coming in via syslog to SecOps.
CauseThis is a known issue due to change of timestamp format for Alerts being presented in ESA and Incident Management from Security Analytics 10.5.
ResolutionThis issue needs to be fixed in both Security Analytics and in the UCF in SecOps, in terms of how the timestamp is presented on Security Analytics and UCF how interprets the time.
This issue has been resolved in Security Analytics, for which SecOps 1.3.x has a dependency.
WorkaroundThe user can click on the Security Analytics Incident Management (IM) link to see the event details in Security Analytics.
It will then be able to obtain the timestamp information.