The SIEM 4th Dimension – Timestamp: Unlocking the Secrets of SIEM Log Timestamps


When dealing with timestamps in SIEM logs, it is crucial to understand the origin and context of each specific timestamp. In SIEM events, multiple timestamps can be encountered, including:

1. End Time – The moment when the event actually took place on the source.

2. Device Receipt Time – The point when the device obtained the event from its source.

3. Agent Receipt Time – The instant when the SIEM Connector (agent) received the event.

4. Manager Receipt Time – The moment when the event reaches the SIEM Manager.

5. Start Time – In the case of aggregation, the Start Time signifies the first event in the aggregation series, while the End Time denotes the final event.


Accurately managing and correlating these timestamps is essential for identifying and addressing security incidents.


Challenges in Timestamp Handling

Various challenges can arise when working with timestamps in SIEM logs:

1. Multiple time zones in global companies
2. Inaccurate device clock settings
3. Timestamps lacking time zone information
4. Incorrect timestamp parsing
5. Clock drift
6. High log volume and traffic
7. Log format variations
8. Human errors in configuration
9. Latency in external dependencies
10. Daylight Saving Time (DST) transitions

These challenges, if not accurately accounted for, can result in missing crucial alerts, overlooking important events, or misinterpreting security incidents.


Ensuring Proper Functioning and Correcting Timestamp Issues

To ensure the proper functioning of your SIEM system and handle timestamp issues effectively, consider the following:


1. Determine the latencies (Manager Receipt Time – End Time = Latency) and address the issue as close to its origin as possible.
2. When device clock settings are the core problem, adjust the device settings rather than modifying the log or the agent.
3. Reach out to the vendor to resolve timestamp issues if the device does not emit timestamps correctly.
4. Synchronize clocks across all devices and applications in your network using Network Time Protocol (NTP).
5. Regularly review and monitor clock settings on devices and applications.
6. Train and educate personnel on the importance of accurate timestamp handling and best practices.
7. Implement automated validation rules and checks in your SIEM system to identify and correct timestamp anomalies.


Timestamp corrections can be made at various stages and in different ways within the SIEM:


1. Assign the correct timezone to the device.
2. Rectify the timezone by adding or subtracting a fixed number of seconds.
3. Assign the local agent or SIEM system’s timestamp.
4. Create custom parsing rules to accurately extract and process timestamps from non-standard log entries.
5. Enrich log data with additional contexts, such as geographical information.
6. Utilize SIEM correlation rules to identify and remediate timestamp-related issues.
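The following Python snippet is an added example, not part of the original post or any SIEM product: it applies corrections 1 and 2 above (assigning a device timezone to offset-less timestamps, shifting by a fixed number of seconds), computes the latency defined earlier (Manager Receipt Time – End Time), and implements a simple validation rule that flags negative or excessive latency. The field names, events and the 300-second threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample events using the receipt-time fields named in the post.
# An endTime without an offset stands for a device that logs local time only.
EVENTS = [
    {"id": "e1", "endTime": "2024-03-10 01:30:00", "deviceZone": "America/New_York",
     "managerReceiptTime": "2024-03-10T06:30:05+00:00"},
    {"id": "e2", "endTime": "2024-03-10 03:30:00", "deviceZone": "America/New_York",
     "managerReceiptTime": "2024-03-10T07:30:02+00:00"},  # logged after the DST switch
    {"id": "e3", "endTime": "2024-03-10T07:40:00+00:00", "deviceZone": None,
     "managerReceiptTime": "2024-03-10T07:35:00+00:00"},  # device clock runs ahead
]


def parse_ts(value, device_zone=None):
    """Return an aware UTC datetime. Strings carrying an offset are taken as-is;
    naive strings are interpreted in the device's configured zone (correction 1)."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        if device_zone is None:
            raise ValueError(f"{value!r} has no offset and no device zone is known")
        dt = dt.replace(tzinfo=ZoneInfo(device_zone))
    return dt.astimezone(timezone.utc)


def apply_fixed_offset(dt, seconds):
    """Correction 2: shift a timestamp by a fixed number of seconds, e.g. to undo
    a device that is known to be exactly one hour off."""
    return dt + timedelta(seconds=seconds)


def latency_seconds(event):
    """Latency as defined in the post: Manager Receipt Time - End Time."""
    end = parse_ts(event["endTime"], event.get("deviceZone"))
    received = parse_ts(event["managerReceiptTime"])
    return int((received - end).total_seconds())


def check_event(event, max_latency=300):
    """Validation rule: flag negative latency (device clock ahead of the SIEM)
    and latency above max_latency (pipeline delay or device clock behind)."""
    lat = latency_seconds(event)
    if lat < 0:
        anomaly = "clock_ahead"
    elif lat > max_latency:
        anomaly = "high_latency"
    else:
        anomaly = "ok"
    return {"id": event["id"], "latency": lat, "anomaly": anomaly}


if __name__ == "__main__":
    for ev in EVENTS:
        print(check_event(ev))
```

Event e1 is logged before and e2 after the March 2024 DST transition in America/New_York; both resolve correctly only because the zone, not a fixed offset, is attached to the naive timestamp.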


By understanding the importance of accurate timestamps in SIEM logs, addressing potential challenges, and implementing best practices, organizations can ensure timely detection and effective management of security incidents.
