Azure Sentinel's TimeGenerated field is 3 minutes behind the timestamp in the Zscaler web log; does anyone have any experience with this?
We encountered the same issue; we were able to find a time difference of 1 min to 10 mins in the TimeGenerated field for Zscaler web logs.
Was your issue resolved?
@Zscce We found out that it is by design: the logs have different timestamps; I have seen 2-3 minutes. However, for 1-10 minutes I would definitely check your NSS servers and your syslog collectors and do some traffic analysis.
The document below:
contains a Python script with which you can actually modify the timestamp of events in the syslog collector to be the same as the actual log's timestamps. It is an option; however, we decided not to use it, and we just know that there is a 2-3 min difference. I am assuming you are setting up the NSS and syslog collectors in Azure; that may not be your case, but I would definitely investigate the traffic. Also, if you happen to use Ubuntu for the syslog collectors and are using rsyslog instead of syslog-ng, make sure you update from the Adiscon repo on launchpad.net, because the rsyslog service pre-loaded with Ubuntu is not always the latest version.
I also found this article; it may help.
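Added example, not code from this thread or from the linked document: a Python check that measures the gap between the timestamp a Zscaler NSS web log line carries and the TimeGenerated value Sentinel assigned, and sorts events into the bands discussed above (2-3 minutes by design, beyond 10 minutes worth checking the NSS servers and collectors). The log-line prefix format, the sample events and the exact thresholds are assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample events. Each pairs the raw log line (assumed to start with
# the NSS feed's "%a %b %d %H:%M:%S %Y" time field, in UTC) with the
# TimeGenerated value Sentinel stamped on ingestion. All values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"log": "Mon Mar 01 10:00:00 2021 reason=allowed user=alice@example.test",
     "TimeGenerated": "2021-03-01T10:02:30Z"},   # 150 s: within by-design lag
    {"log": "Mon Mar 01 10:05:00 2021 reason=blocked user=bob@example.test",
     "TimeGenerated": "2021-03-01T10:13:00Z"},   # 480 s: higher than expected
    {"log": "Mon Mar 01 10:10:00 2021 reason=allowed user=carol@example.test",
     "TimeGenerated": "2021-03-01T10:22:00Z"},   # 720 s: beyond 10 minutes
    {"log": "Mon Mar 01 10:15:00 2021 reason=allowed user=dave@example.test",
     "TimeGenerated": "2021-03-01T10:14:30Z"},   # -30 s: ingest before log time
]

LOG_TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # assumed NSS time-field layout
EXPECTED_MAX_S = 180     # assumption: 2-3 min lag is by design
INVESTIGATE_S = 600      # assumption: >10 min points at NSS / collector issues


def parse_log_timestamp(line: str) -> datetime:
    """Parse the leading time field of an NSS web-log line as UTC."""
    tokens = line.split(None, 5)           # five timestamp tokens, then the rest
    stamp = " ".join(tokens[:5])
    return datetime.strptime(stamp, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)


def lag_seconds(event: Dict[str, str]) -> int:
    """Seconds between TimeGenerated and the timestamp inside the log line."""
    generated = datetime.fromisoformat(event["TimeGenerated"].replace("Z", "+00:00"))
    return int((generated - parse_log_timestamp(event["log"])).total_seconds())


def classify(lag: int) -> str:
    """Band a lag value; negative means the collector clock is behind Zscaler."""
    if lag < 0:
        return "clock-skew"
    if lag <= EXPECTED_MAX_S:
        return "expected"
    if lag <= INVESTIGATE_S:
        return "elevated"
    return "investigate"


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (band, lag_seconds) per event, in input order."""
    return [(classify(lag_seconds(e)), lag_seconds(e)) for e in events]
```

Run `triage(SAMPLE_EVENTS)` to see the per-event bands; a run of "investigate" or "clock-skew" results across many events is the signal to look at the NSS servers, the collector hosts' clocks and the traffic between them.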