EventHubs: Azure AD Identity Protection Timestamp Format


We recently noticed that some Azure EventHubs Applications (e.g. the Azure AD Identity Protection -> https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection ) are setting the "time" field not in the ISO 8601 Datetime format, but in the "general date long time" format (see https://docs.microsoft.com/en-us/dotnet/standard/base-types/standard-date-and-time-format-strings#GeneralDateLongTime ).

Thus the month and day fields seem to be mixed up in these cases, and e.g. events that were actually collected on 6th of April (according to col_ts) are sorted into the repos on 4th of June (because of the wrong log_ts).
Also, alert rules on these events then trigger months later, when the accidentally wrongly sorted events slip into the current window of the search time range.

The following screenshot shows how the timestamp format of Azure AD Identity Protection differs from the usual ISO 8601 format.


Do you know if it is somehow possible to change this log timestamp format somewhere in the Azure AD settings?

Or does the compiled normalizer for the EventHub events have to be adjusted?
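To make the symptom concrete, here is an added example (not code from the post, from Microsoft or from the SIEM vendor) that parses both timestamp shapes described above and shows how a day-first reading of the .NET "G" value lands an April event in June. It assumes the producer uses the en-US culture (month first) and UTC for the "G" values, because that format carries no zone designator; the sample strings and col_ts values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample "time" values, as they might appear in an EventHubs
# payload. Illustrative only, not captured from a real tenant.
ISO_SAMPLE = "2021-04-06T13:05:17.3456789Z"  # ISO 8601 with 7-digit .NET ticks fraction
G_SAMPLE = "4/6/2021 1:05:17 PM"             # .NET "G" (General Date Long Time), en-US

_ISO = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$"
)
# en-US "G" is M/d/yyyy h:mm:ss tt: month first, 12-hour clock, no zone.
_GENERAL = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")


def parse_event_time(value: str) -> datetime:
    """Parse either format into an aware UTC datetime."""
    m = _ISO.match(value)
    if m:
        year, month, day, hour, minute, second, frac, zone = m.groups()
        # .NET may emit 7 fractional digits; datetime keeps microseconds (6).
        micro = int((frac or "0")[:6].ljust(6, "0"))
        dt = datetime(int(year), int(month), int(day),
                      int(hour), int(minute), int(second), micro)
        if zone and zone != "Z":
            sign = 1 if zone[0] == "+" else -1
            off = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
            dt = dt.replace(tzinfo=timezone(off))
        else:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    if _GENERAL.match(value):
        # Assumption: en-US culture (month first) and UTC, since "G" has no zone.
        # A first field above 12 makes strptime raise, which disproves that assumption.
        naive = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")
        return naive.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time format: {value!r}")


def misparse_day_first(value: str) -> datetime:
    """What a normalizer that assumes d/M/yyyy makes of the same "G" string."""
    naive = datetime.strptime(value, "%d/%m/%Y %I:%M:%S %p")
    return naive.replace(tzinfo=timezone.utc)


def normalize_time(value: str) -> str:
    """Re-emit the value as ISO 8601 UTC with a 'Z' designator."""
    return parse_event_time(value).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_suspicious(col_ts: datetime, log_ts: datetime,
                  tolerance: timedelta = timedelta(days=1)) -> bool:
    """Flag an event whose parsed log_ts sits far from its collection time."""
    return abs(log_ts - col_ts) > tolerance


# Constructed events: collection time plus the raw "time" string.
EVENTS = [
    {"col_ts": datetime(2021, 4, 6, 13, 6, tzinfo=timezone.utc), "time": G_SAMPLE},
    {"col_ts": datetime(2021, 4, 6, 13, 6, tzinfo=timezone.utc), "time": ISO_SAMPLE},
]


def audit(events, parser):
    """Return the raw "time" strings that `parser` places far from col_ts."""
    return [e["time"] for e in events if is_suspicious(e["col_ts"], parser(e["time"]))]


if __name__ == "__main__":
    for raw in (ISO_SAMPLE, G_SAMPLE):
        print(f"{raw!r:38} -> {normalize_time(raw)}")
    print("day-first misparse of G_SAMPLE:", misparse_day_first(G_SAMPLE).date())
    print("suspicious with correct parser :", audit(EVENTS, parse_event_time))
    print("suspicious with day-first parse:", audit(EVENTS[:1], misparse_day_first))
```

The audit function is the defender's check: comparing each event's parsed time against col_ts (which the collector sets itself) surfaces mis-sorted events immediately, rather than months later when an alert rule finally catches them.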


2 comments

Nils Krumrey

Hi Markus,

I can see that you raised a Support ticket for this, which is probably the best way of dealing with this. The implication in the ticket was that it might be possible to change the date format, but I have a suspicion that this is just how Azure AD Identity Protection is formatting its logs - I have updated our ticket internally with this opinion, let’s see where it goes.

Perhaps someone in the Community is also using Azure AD Identity Protection and could advise whether their logs format the time in the same way - it could be a timezone configuration somewhere after all.

Markus Nebel

Hello @Nils Krumrey,

Thank you for your reply!

I already forwarded some sample logs to the support team. Hopefully they can make something out of it!

I used the following query to get the timestamp string out of the raw log, maybe that’s helpful for other community members who want to find out how it looks in their environment:

norm_id="EventHubs" action="*risk*" | norm on msg "time": <real_time:quoted> | fields real_time
