I have integrated Websense proxy with the SIEM, and the issue I am facing is with the timestamp. In the packet it is showing the real time, but in the console the time is -5.30 hrs.
Kindly suggest me on the same.
Santosh B Siddanaikar
In the upper part of the screenshot you see the time that the event came into the SIEM.
In the lower part (the raw packet) you see the original time, the time that the device wrote the packet.
If the time in the packet is not correct and doesn't make sense, check with the Websense admin whether the local device time is correct.
If the time on the top (the SIEM timestamp) doesn't make sense, check the NTP settings on the ESM.
Are there any other timestamps in the packet, such as rt=?
Copy the packet, open the policy and go to the ASP for the event in question, and make sure the timestamp field that is being parsed is the one you are expecting to be parsed.
Copy a packet in order to test it against the regex rule in the policy, then look at what is matching the Time field: the real time, or a different time?
If it's getting the wrong time, you will need to play around and fix the regex syntax in order to match the desired time.
In addition to what David1111 said, check the Field Assignment tab too. This will show you which date/time field is being used in First Time and Last Time. You should also check the mapping tab to make sure the date/time is correctly formatted.
You can check the date/time of rt by going to this site and pasting it in: https://www.epochconverter.com/
More than likely, it is GMT and the data source will need to be changed to GMT.