FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Nishtha_Baria
Article Id 276369
Description This article describes how to parse epoch time in milliseconds into the 'Start Time' and 'End Time' event attributes in FortiSIEM.
Scope FortiSIEM.
Solution

Define a pattern that matches the first ten digits of the value (for a 13-digit epoch-millisecond timestamp, those ten digits are the epoch seconds):


<patternDefinitions>
    <pattern name="patEpochSec"><![CDATA[\d{10}]]></pattern>
</patternDefinitions>


Then extract the first ten digits from the '$_startTime' and '$_endTime' variables with the 'collectFieldsByRegex' function, storing the match in the 'startTime' and 'endTime' event attributes:


<when test="exist _startTime">
    <switch>
        <case>
            <!-- timestamp in epoch millis; keep the first ten digits to convert to seconds -->
            <collectFieldsByRegex src="$_startTime">
                <regex><![CDATA[^<startTime:patEpochSec>]]></regex>
            </collectFieldsByRegex>
        </case>
        <default/>
    </switch>
</when>
<when test="exist _endTime">
    <switch>
        <case>
            <!-- timestamp in epoch millis; keep the first ten digits to convert to seconds -->
            <collectFieldsByRegex src="$_endTime">
                <regex><![CDATA[^<endTime:patEpochSec>]]></regex>
            </collectFieldsByRegex>
        </case>
        <default/>
    </switch>
</when>
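To see what the two 'when' blocks actually do to a value, and where the first-ten-digits rule stops being safe, here is an added Python model of the same logic. This is example code written for this article, not FortiSIEM parser code; the sample event values, the helper names and the 'classify_epoch' check are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Mirrors the parser's pattern definition patEpochSec = \d{10}, anchored at
# the start of the value exactly as <regex>^<startTime:patEpochSec></regex> is.
PAT_EPOCH_SEC = re.compile(r"^(?P<epochSec>\d{10})")

# Constructed sample event: both fields hold 13-digit epoch milliseconds.
SAMPLE_EVENT = {
    "_startTime": "1700000000123",
    "_endTime": "1700000060999",
}


def collect_epoch_sec(value):
    """Apply the first-ten-digits rule used by collectFieldsByRegex.

    Returns integer epoch seconds, or None when the value does not start
    with ten digits (the parser's <default/> branch: attribute left unset).
    Sub-second precision is dropped, as it is in the parser.
    """
    m = PAT_EPOCH_SEC.match(value)
    return int(m.group("epochSec")) if m else None


def classify_epoch(value):
    """Say whether the ten-digit truncation is safe for this value.

    13 digits: epoch milliseconds, truncation yields whole seconds.
    10 digits: already epoch seconds, truncation is a no-op.
    Anything else (e.g. 12-digit millis from before 2001-09-09, or a
    non-numeric string): the rule yields a wrong time or no time at all.
    """
    if value.isdigit() and len(value) == 13:
        return "millis"
    if value.isdigit() and len(value) == 10:
        return "seconds"
    return "unsupported"


def parse_event_times(event):
    """Produce startTime/endTime (epoch seconds) the way the two <when> blocks do."""
    out = {}
    for src, dst in (("_startTime", "startTime"), ("_endTime", "endTime")):
        if src in event:  # <when test="exist _startTime"> / "exist _endTime"
            sec = collect_epoch_sec(event[src])
            if sec is not None:
                out[dst] = sec
    return out


def to_utc(epoch_sec):
    """Render epoch seconds as an ISO-8601 UTC string for eyeballing results."""
    return datetime.fromtimestamp(epoch_sec, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    for attr, sec in parse_event_times(SAMPLE_EVENT).items():
        raw = SAMPLE_EVENT["_" + attr]
        print(attr, raw, "->", sec, to_utc(sec), classify_epoch(raw))
```

The rule assumes every incoming value is a 13-digit millisecond timestamp, which holds for dates between 2001-09-09 and the year 2286. A source that emits 12-digit millisecond values, plain seconds with a fractional part, or a non-numeric string will either get a time that is off by a factor of ten or no 'startTime'/'endTime' at all, so it is worth checking a sample of raw events from the device before relying on the parser output for timeline correlation.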