Cortex XDR API data field time extraction

[mattcosa]

Description

When using the Cortex API input, the event time is incorrectly extracted as the index time

Expected behavior

There are available fields in the JSON data set that are more suitable for the _time field.

Specifically the creation_time field would be best given the sourcetype is set as "incident" and represents this event more closely.

Current behavior

The indextime is used for the event which is misleading.

Possible solution

Specify timestamp recognition using props.conf.

"Hacky" example below that I haven't tested:

[pan:xdr_incident]
TIME_PREFIX = "creation_time":
TIME_FORMAT = %s

See this page for more detail.

Steps to reproduce

1. Using the Palo Alto inputs for Cortex XDR, configure an input
2. After successful ingestion, use the following SPL to validate the correct event time (change your index).

index="my_pan_xdr" 
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") 
| eval creationtime=strftime(creation_time/1000,"%Y-%m-%d %H:%M:%S")
| table creationtime indextime _time

Screenshots

N/A. I would have to redact too much data.

(use the SPL above on an example data set).

Context

Accurate time representation is critical to correlated activity.

Decreased API frequency (i.e. longer in-between) will exacerbate time skew.

Your Environment

Splunk Cloud 9.0.2205.1
Palo Alto Networks Add on 7.1.0

[welcome-to-palo-alto-networks]

🎉 Thanks for opening your first issue here! Welcome to the community!