Hi
I receive data through the API, and by default it comes in JSON format with collections. The date/time values have the following form: 2024-07-02T22:13:39.714000
Next, I convert this data into CEF format and use the Flex Connector Regex File to send the data to ArcSight.
I have a problem with the time - I want to bring it to the classic format 4 Jul 2024 11:49:36 MSK, but the following lines of the configuration file do not work.
Event - CEF:0|AlienVault|OTX|1.0|667e8d33156b6c38232c9043|SQL Injection attack (S3)|2024-06-28T10:15:15.199000|2024-06-28T10:15:15.199000 pulse_description=SQL Injection attack hitting the server at HTTPS . The same IP should not appear more than once in 24 hours in this list. pulse_author_name=BotnetExposer indicator_id=3912838123 indicator=201.90.79.18 indicator_type=IPv4 indicator_created=2024-06-28T10:15:16 indicator_description= indicator_expiration=2024-07-28T10:00:00 indicator_is_active=1
Configuration file -
token[6].name=pulse_created
token[6].type=TimeStamp
token[6].format=yyyy-MM-dd HH:mm:ss.SSS
token[7].name=pulse_modified
token[7].type=TimeStamp
token[7].format=yyyy-MM-dd HH:mm:ss.SSS
token[13].name=indicator_created
token[13].type=TimeStamp
token[13].format=yyyy-MM-dd HH:mm:ss.SSS
token[15].name=indicator_expiration
token[15].type=TimeStamp
token[15].format=yyyy-MM-dd HH:mm:ss.SSS
event.deviceCustomDate1=pulse_created
event.deviceCustomDate2=pulse_modified
event.startTime=indicator_created
event.endTime=indicator_expiration
For deviceCustomDate1/2, the time is not displayed in the active channel at all, and for start/end time it is available, but not the one specified in the event.
Please help me solve the problem.
P.S. I separately tested the following option:
token[1].name=Date
token[1].type=TimeStamp
token[1].format=yyyy-MM-dd'T'HH:mm:ss'Z'
It works and the time is displayed correctly, but in a slightly different format, 5/16 12:36:19. And if it is copied and pasted anywhere else, it looks as it should: 16 May 2024 12:36:19 MSK
Thanks in advance
Bohdan
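Added example (not part of the post above): the API values carry a literal 'T' and six fractional digits, while the configured token format yyyy-MM-dd HH:mm:ss.SSS has neither a quoted 'T' nor room for more than three digits, so a practical fix is to normalize the timestamps in the JSON-to-CEF converter before the FlexConnector ever sees them. The sample values are constructed from the event in the post, and the code assumes the API reports UTC without a zone suffix.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values in the shape the API returns (see the event in the post).
RAW_EVENT_TIMES = {
    "pulse_created": "2024-06-28T10:15:15.199000",
    "pulse_modified": "2024-06-28T10:15:15.199000",
    "indicator_created": "2024-06-28T10:15:16",
    "indicator_expiration": "2024-07-28T10:00:00",
}

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_api_timestamp(value: str) -> datetime:
    """Parse the API's ISO-8601 value, with or without the 6-digit fraction.

    Assumption: the API emits UTC with no zone suffix, so UTC is attached here.
    """
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def to_connector_timestamp(value: str) -> str:
    """Re-emit the value with exactly three fractional digits.

    The result always matches a token declared as
    format=yyyy-MM-dd'T'HH:mm:ss.SSS (quoted 'T', 3-digit millisecond field),
    including values the API sends without any fraction at all.
    """
    dt = parse_api_timestamp(value)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


def to_epoch_millis(value: str) -> int:
    """Alternative representation: UTC epoch milliseconds, computed with
    integer timedelta arithmetic so no float rounding can shift the value."""
    return (parse_api_timestamp(value) - _EPOCH) // timedelta(milliseconds=1)


def normalize_event_times(fields: dict) -> dict:
    """Normalize every timestamp field of one event before it is written as CEF."""
    return {name: to_connector_timestamp(raw) for name, raw in fields.items()}


if __name__ == "__main__":
    for name, raw in RAW_EVENT_TIMES.items():
        print(f"{name}={to_connector_timestamp(raw)}  ({to_epoch_millis(raw)} ms)")
```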