FortiSIEM Discussions
TonyC
New Contributor

Crowdstrike Parser - missing Epoch time conversion.

Hello everyone,

While going through Crowdstrike events I noticed that FortiSIEM is missing all Time Stamps from all Crowdstrike parsers: "FalconDataRepParser", "FalconStreamingParser", and "CrowdStrikeFalconParser".

This is a sample of one of the events from falcon data Replicator:

2022-06-24 11:07:11 [Falcon-data-replicator] [1] [123.ab-west-2.amazonaws.com]:{
"AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"1280","ConHostProcessId":"919135449436","ConfigBuild":"3","ConfigStateHash":"3256833356","ContextData":"","ContextProcessId":"920464094763","ContextThreadId":"222","ContextTimeStamp":"1656082216.054","CreateProcessCount":"0","CycleTime":"240885703","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"0","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"0","GenericFileWrittenCount":"0","ImageSubsystem":"2","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"937500","MaxThreadCount":"12","ModuleLoadCount":"101","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"919135449436","PrivilegedProcessHandleCount":"0","ProcessStartTime":"1656082124.965","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"2348","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"111","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"920464094763","UTCTimestamp":null,"UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRemoteCount":"0","UserSid":"S**","UserTime":"312500","aid":"aaaaaa","aip":"1.1.1.1","cid":"aaaaaa","event_platform":"Win","event_simpleName":"EndOfProcess","id":"fffffff","name":"EndOfProcessV15","timestamp":"1656082218100"}

I would like to know how to convert the "Epoch" format into EST Time. For example:
"timestamp":"1656082218100"
"ContextTimeStamp":"1656082216.054"
"ProcessStartTime":"1656082124.965"

Thanks in advance!

Regards,
1 REPLY 1
premchanderr
Staff
Staff

Hi,


The parser is enhanced to parse this from FortiSIEM 6.6.0 .

Regards,
Prem Chander R
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"