Time format

Hi

I receive data through the API and by default it comes in JSON format with collections. The timestamps in the data have the following form - 2024-07-02T22:13:39.714000
Next, I convert this data into CEF format and use the Flex Connector Regex File to send the data to ArcSight.
I have a problem with the time - I want to bring it to the classic format 4 Jul 2024 11:49:36 MSK, but the following lines of the configuration file do not work.

Event - CEF:0|AlienVault|OTX|1.0|667e8d33156b6c38232c9043|SQL Injection attack (S3)|2024-06-28T10:15:15.199000|2024-06-28T10:15:15.199000 pulse_description=SQL Injection attack hitting the server at HTTPS . The same IP should not appear more than once in 24 hours in this list. pulse_author_name=BotnetExposer indicator_id=3912838123 indicator=201.90.79.18 indicator_type=IPv4 indicator_created=2024-06-28T10:15:16 indicator_description= indicator_expiration=2024-07-28T10:00:00 indicator_is_active=1

Configuration file -

token[6].name=pulse_created
token[6].type=TimeStamp
token[6].format=yyyy-MM-dd HH:mm:ss.SSS

token[7].name=pulse_modified
token[7].type=TimeStamp
token[7].format=yyyy-MM-dd HH:mm:ss.SSS

token[13].name=indicator_created
token[13].type=TimeStamp
token[13].format=yyyy-MM-dd HH:mm:ss.SSS

token[15].name=indicator_expiration
token[15].type=TimeStamp
token[15].format=yyyy-MM-dd HH:mm:ss.SSS

event.deviceCustomDate1=pulse_created
event.deviceCustomDate2=pulse_modified

event.startTime=indicator_created
event.endTime=indicator_expiration

For deviceCustomDate1/2, the time is not displayed in the active channel at all, and for start/end time it is available, but not the one specified in the event.

Please help me solve the problem.

P.S. I separately tested the following option - token[1].name=Date token[1].type=TimeStamp token[1].format=yyyy-MM-dd'T'HH:mm:ss'Z' - it works and the time is displayed correctly, but in a slightly different format, 5/16 12:36:19. And if it is copied and pasted anywhere else, it looks as it should: 16 May 2024 12:36:19 MSK

Thanks in advance

Bohdan
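A way to check a token[].format pattern against the timestamps from this event before deploying the connector, added here as an example; it is not ArcSight's parser and not the poster's configuration. It emulates the SimpleDateFormat-style pattern letters used in FlexConnector properties with Python's strptime, so it is an approximation of how the connector interprets the pattern (in particular, it treats SSS and SSSSSS alike because %f accepts 1-6 fraction digits). The sample timestamps are copied from the event in the question; the UTC-to-MSK conversion in to_display() assumes the API times are UTC, which the page does not state.

```python
from datetime import datetime, timezone, timedelta

# Timestamps as they appear in the event in the question.
SAMPLE_TIMESTAMPS = [
    "2024-06-28T10:15:15.199000",  # pulse_created / pulse_modified
    "2024-06-28T10:15:16",         # indicator_created
    "2024-07-28T10:00:00",         # indicator_expiration
]

# SimpleDateFormat letters -> strptime directives (the subset the page's patterns use).
_LETTER_MAP = {
    "y": "%Y", "M": "%m", "d": "%d",
    "H": "%H", "m": "%M", "s": "%S", "S": "%f",
}


def java_pattern_to_strptime(pattern):
    """Translate a SimpleDateFormat-style pattern (token[].format) into a strptime format.

    Quoted text ('T', 'Z') becomes a literal; a run of the same letter becomes one
    directive. This is an emulation for checking patterns, not the connector's own logic.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "'":
            j = pattern.index("'", i + 1)  # matching closing quote (raises if missing)
            out.append(pattern[i + 1:j].replace("%", "%%"))
            i = j + 1
        elif ch.isalpha():
            j = i
            while j < len(pattern) and pattern[j] == ch:
                j += 1
            if ch not in _LETTER_MAP:
                raise ValueError(f"unsupported pattern letter {ch!r}")
            out.append(_LETTER_MAP[ch])
            i = j
        else:
            out.append(ch.replace("%", "%%"))
            i += 1
    return "".join(out)


def parse_timestamp(value, pattern):
    """Return a naive datetime if `value` matches `pattern` exactly, otherwise None."""
    try:
        return datetime.strptime(value, java_pattern_to_strptime(pattern))
    except ValueError:
        return None


def check_pattern(pattern, values=SAMPLE_TIMESTAMPS):
    """Map each sample timestamp to whether `pattern` parses it (True/False)."""
    return {v: parse_timestamp(v, pattern) is not None for v in values}


# Fixed-offset MSK (UTC+3) so the example runs without tzdata.
MSK = timezone(timedelta(hours=3), "MSK")


def to_display(value, pattern, source_tz=timezone.utc, target_tz=MSK):
    """Render a parsed timestamp in the '4 Jul 2024 11:49:36 MSK' style the question asks for.

    Assumption (not on the page): the API timestamps carry no zone and are UTC.
    """
    dt = parse_timestamp(value, pattern)
    if dt is None:
        return None
    local = dt.replace(tzinfo=source_tz).astimezone(target_tz)
    return f"{local.day} {local:%b %Y %H:%M:%S} {local.tzname()}"


if __name__ == "__main__":
    candidates = [
        "yyyy-MM-dd HH:mm:ss.SSS",          # the pattern from the question's config
        "yyyy-MM-dd'T'HH:mm:ss.SSSSSS",     # literal T, six fraction digits
        "yyyy-MM-dd'T'HH:mm:ss",            # literal T, no fraction
    ]
    for pat in candidates:
        print(pat)
        for value, ok in check_pattern(pat).items():
            print(f"  {value:<28} {'match' if ok else 'no match'}")
    print(to_display("2024-07-02T22:13:39.714000", "yyyy-MM-dd'T'HH:mm:ss.SSSSSS"))
```

Running it shows that the space-separated pattern from the configuration matches none of the event's values, while the fields with and without a fraction need different patterns; that is the kind of per-token mismatch worth ruling out before looking at console display settings.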

Verified Answer

    Not sure I fully follow everything here. But I'll mention that the format you have here looks like it should be correct - token[1].format=yyyy-MM-dd'T'HH:mm:ss'Z'.

    If you're talking about the way the date is displayed in the ArcSight console, it's usually going to stay consistent with how the configuration specifies the date should be displayed.

