
[SIEM] @timestamp values without timezone designator are instantiated in browser local time #57649

Closed
spong opened this issue Feb 14, 2020 · 3 comments
Labels: bug, Team: SecuritySolution, Team:SIEM, v7.6.0

spong (Member) commented Feb 14, 2020

As highlighted in this discuss topic, when @timestamp values are in a format that does not contain a timezone designator, they will be instantiated in browser local time before being formatted as per the user's dateFormat:tz Kibana Advanced Setting, which can result in incorrect datetimes throughout the SIEM App.

This can be resolved similarly to what Discover does by specifying

  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    }
  ],

when querying ES, that way we ensure a consistent date format.

Note: This should be the case for all datetime fields not explicitly mapped to ISO 8601 with timezone designators.

Steps to reproduce

Run these commands in Kibana Dev Tools

  • Create new index with @timestamp mapping that doesn't contain timezone indicators
PUT timestamp-without-tz-designator
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis"
      }
    }
  }
}
  • Add a document without tz designator
PUT timestamp-without-tz-designator/_doc/1
{ "@timestamp": "2020-02-11 23:59:55" }
  • Add timestamp-without-tz-designator index to siem:defaultIndex
  • Ensure dateFormat:tz is not set to Browser (use UTC for full effect :)
  • Go to Hosts -> Events Table and verify time difference between Table & Inspect/Network Panel

[Screenshot: Hosts - Kibana, showing the time difference between the Events table and the Inspect/Network panel]
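To make the failure mode concrete, here is an added JavaScript example (not from this issue or from Kibana's code) showing how a browser or Node Date parses the exact string format in the repro above, how much it is shifted relative to UTC, and a client-side normalization that treats designator-less values as UTC, which is what asking Elasticsearch for the "date_time" docvalue format achieves server-side. The regex and helper names are this example's own.

```javascript
// Added example: how Date handles @timestamp strings with and without a
// timezone designator, and a normalization that mirrors what the
// "date_time" docvalue format gives you from Elasticsearch.
// Helper names and the regex are this example's own, not Kibana's.

// A designator is a trailing "Z" or a "+hh:mm" / "-hhmm" / "+hh" offset
// following a time-of-day; requiring hh:mm first avoids matching the "-11"
// day part of a date-only value such as "2020-02-11".
const TZ_DESIGNATOR = /\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}(:?\d{2})?)$/i;

function hasTimezoneDesignator(value) {
  return TZ_DESIGNATOR.test(String(value).trim());
}

// Milliseconds by which Date shifted a designator-less string relative to
// reading the same wall-clock digits as UTC. Non-zero whenever the local
// zone is not UTC: exactly the symptom described in this issue. Note that
// date-only strings are parsed as UTC while date-time strings are parsed
// as local time, so the skew is not even consistent across formats.
function localParseSkewMs(value) {
  const parsed = new Date(value);
  const [date, time = '00:00:00'] = String(value).trim().split(/[ T]/);
  const [y, mo, d] = date.split('-').map(Number);
  const [h, mi, s] = time.split(':').map(Number);
  return parsed.getTime() - Date.UTC(y, mo - 1, d, h, mi, s);
}

// Normalize: values that already carry a designator are parsed as-is; the
// rest are rewritten to ISO 8601 with an explicit "Z" so every consumer
// (including dateFormat:tz formatting) starts from the same instant.
function parseTimestampAsUtc(value) {
  const v = String(value).trim();
  if (hasTimezoneDesignator(v)) return new Date(v);
  const iso = v.includes(' ') ? v.replace(' ', 'T') : v;
  return new Date(iso.includes('T') ? `${iso}Z` : `${iso}T00:00:00Z`);
}
```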

spong added the bug, Team:SIEM and v7.6.0 labels Feb 14, 2020

elasticmachine (Contributor) commented:

Pinging @elastic/siem (Team:SIEM)

wesleyraptor commented:

Thanks for filing this ticket Garrett! Looking forward to this fix.

FrankHassanabad (Contributor) commented:

"Reviewed by Frank Hassanabad on 7/29/2020". This looks complete and will be shippable at this point. Going to close this and associated tickets. Any new bugs/features should be new tickets.

One other note is that new features, new developers, and existing developers with endpoints and data might from time to time forget to add the prescribed fixes, as it is counter-intuitive to the natural defaults of the date time stamp features of Elasticsearch. If you encounter a new issue, please open that new issue against the new feature/API, or the existing one as a regression, rather than re-opening this one, and we will fix it in those areas and keep a watchful 👁️ to hopefully not introduce this again.

MindyRS added the Team: SecuritySolution label Oct 27, 2020