Anthony_E
Staff
November 4, 2024

Technical Tip: Reveal events and agent/operator timezones

Description: This article describes how Reveal event timestamps are recorded and displayed across agent and operator timezones.
Scope: FortiDLP.
Solution

Each Reveal agent should take the timestamp of all events from the operating system clock, applying any timezone offset in line with the timezone configured on the system. The event itself will be recorded in the Reveal platform using UTC.

The Reveal web UI displays all event timestamps in the operator's local timezone.

Example

A user logs in to their machine in New York City at 5 pm local time on the 10th of January 2021.

  • The machine's local time is 17:00 UTC-5.
  • The UTC timestamp for the event is 2021-01-10T22:00:00.

An operator in Stockholm logs in the next day (11th Jan) at 2 pm and views the login events.

  • The operator's local time is 14:00 UTC+1.
  • The UTC time is 2021-01-11T13:00.
  • The UTC timestamp for the login event is still 2021-01-10T22:00:00.
  • This corresponds to 2021-01-10T23:00:00 UTC+1.
  • The operator in Stockholm will see the login event as happening at 11 pm on the 10th of January.

Note:

The Reveal UI time range filters are also based on the operator's local time. As such, relative times like 'Today' or 'Yesterday' should be used carefully when investigating events from machines in other timezones.
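
The conversion chain and the filter caveat above, worked through as an added example (not Fortinet code and not part of the original article). The function names are hypothetical, the second event is constructed, and the sketch assumes that 'Today' and 'Yesterday' map to calendar days in the operator's local time.

```python
from datetime import date, datetime, timedelta, timezone

UTC = timezone.utc
# Fixed offsets from the article's January example (no DST in effect).
# Assumption: real investigations would use zoneinfo.ZoneInfo names instead.
NEW_YORK = timezone(timedelta(hours=-5), "UTC-5")
STOCKHOLM = timezone(timedelta(hours=1), "UTC+1")

def to_utc(wall_time: datetime, tz: timezone) -> datetime:
    """Agent side: OS wall-clock time plus system offset -> stored UTC timestamp."""
    return wall_time.replace(tzinfo=tz).astimezone(UTC)

def day_window_utc(day: date, tz: timezone) -> tuple:
    """UTC [start, end) range covering one calendar day as seen in tz."""
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    return start.astimezone(UTC), (start + timedelta(days=1)).astimezone(UTC)

def relative_label(event_utc: datetime, now: datetime, operator_tz: timezone):
    """Relative filter that would match the event for this operator, if any."""
    days_ago = (now.astimezone(operator_tz).date()
                - event_utc.astimezone(operator_tz).date()).days
    return {0: "Today", 1: "Yesterday"}.get(days_ago)

# The article's scenario, plus one constructed later event on the same machine.
OPERATOR_NOW = datetime(2021, 1, 11, 14, 0, tzinfo=STOCKHOLM)
LOGIN_UTC = to_utc(datetime(2021, 1, 10, 17, 0), NEW_YORK)    # from the article
LATE_UTC = to_utc(datetime(2021, 1, 10, 19, 30), NEW_YORK)    # constructed sample

if __name__ == "__main__":
    for name, ev in (("login", LOGIN_UTC), ("late event", LATE_UTC)):
        print(name, ev.isoformat(), "->", ev.astimezone(STOCKHOLM).isoformat(),
              "filter:", relative_label(ev, OPERATOR_NOW, STOCKHOLM))
    # Absolute UTC range for the endpoint's own 10 January, independent of the operator.
    start, end = day_window_utc(date(2021, 1, 10), NEW_YORK)
    print("endpoint day in UTC:", start.isoformat(), "to", end.isoformat())
```

Both events happened on 10 January on the New York machine, yet the later one lands in the Stockholm operator's 'Today'; an absolute range derived from the endpoint's own day avoids that split.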