SIEM & UEBA


Crowdstrike Parser - missing Epoch time conversion.

  • 1.  Crowdstrike Parser - missing Epoch time conversion.

    Posted Jun 24, 2022 05:15 PM
    Hello everyone,

    While going through Crowdstrike events I noticed that FortiSIEM is missing all timestamps from all Crowdstrike parsers: "FalconDataRepParser", "FalconStreamingParser", and "CrowdStrikeFalconParser".

    This is a sample of one of the events from Falcon Data Replicator:

    2022-06-24 11:07:11 [Falcon-data-replicator] [1] [123.ab-west-2.amazonaws.com]:{
    "AllocateVirtualMemoryCount":"0","ArchiveFileWrittenCount":"0","AsepWrittenCount":"0","BinaryExecutableWrittenCount":"0","CLICreationCount":"0","ConHostId":"1280","ConHostProcessId":"919135449436","ConfigBuild":"3","ConfigStateHash":"3256833356","ContextData":"","ContextProcessId":"920464094763","ContextThreadId":"222","ContextTimeStamp":"1656082216.054","CreateProcessCount":"0","CycleTime":"240885703","DirectoryCreatedCount":"0","DirectoryEnumeratedCount":"0","DnsRequestCount":"0","DocumentFileWrittenCount":"0","EffectiveTransmissionClass":"3","Entitlements":"15","ExeAndServiceCount":"0","ExecutableDeletedCount":"0","ExitCode":"0","FileDeletedCount":"0","GenericFileWrittenCount":"0","ImageSubsystem":"2","InjectedDllCount":"0","InjectedThreadCount":"0","KernelTime":"937500","MaxThreadCount":"12","ModuleLoadCount":"101","NetworkBindCount":"0","NetworkCapableAsepWriteCount":"0","NetworkCloseCount":"0","NetworkConnectCount":"0","NetworkConnectCountUdp":"0","NetworkListenCount":"0","NetworkModuleLoadCount":"0","NetworkRecvAcceptCount":"0","NewExecutableWrittenCount":"0","ParentProcessId":"919135449436","PrivilegedProcessHandleCount":"0","ProcessStartTime":"1656082124.965","ProtectVirtualMemoryCount":"0","QueueApcCount":"0","RawProcessId":"2348","RegKeySecurityDecreasedCount":"0","RemovableDiskFileWrittenCount":"0","RunDllInvocationCount":"0","SHA256HashData":"111","ScreenshotsTakenCount":"0","ScriptEngineInvocationCount":"0","ServiceEventCount":"0","SetThreadContextCount":"0","SnapshotFileOpenCount":"0","SuspectStackCount":"0","SuspiciousCredentialModuleLoadCount":"0","SuspiciousDnsRequestCount":"0","SuspiciousFontLoadCount":"0","SuspiciousRawDiskReadCount":"0","TargetProcessId":"920464094763","UTCTimestamp":null,"UnsignedModuleLoadCount":"0","UserMemoryAllocateExecutableCount":"0","UserMemoryAllocateExecutableRemoteCount":"0","UserMemoryProtectExecutableCount":"0","UserMemoryProtectExecutableRemoteCount":"0","UserSid":"S**","UserTime":"312500","aid":"aaaaaa","aip":
"1.1.1.1","cid":"aaaaaa","event_platform":"Win","event_simpleName":"EndOfProcess","id":"fffffff","name":"EndOfProcessV15","timestamp":"1656082218100"}

    I would like to know how to convert the "Epoch" format into EST Time. For example:
    "timestamp":"1656082218100"
    "ContextTimeStamp":"1656082216.054"
    "ProcessStartTime":"1656082124.965"

    Thanks in advance!

    Regards,


  • 2.  RE: Crowdstrike Parser - missing Epoch time conversion.

    This message was posted by a user wishing to remain anonymous
    Posted Jun 25, 2022 12:41 PM
    This post was removed