Time difference between Zscaler Web logs and TimeGenerated field in Sentinel

Question

Not sure if this issue is on the Zscaler NSS side or in the sentinel side, but the TimeGenerated field for Zscaler web logs is about 3 minutes behind the time that the log is recorded in Zscaler, does anyone have experience with this?

Answer 1

@Rafael Ruales Thanks for reaching out and apologies for delay on this.

Sentinel acts as SIEM and SOAR on basis of data which is being sent to Sentinel Workspace. We rely on different connectors to send us the data in format we can consume and most likely show only the data which are being sent.

So in your scenario, for Zscaler you would have setup a Linux machine as a CEF collector and then forward the logs to Sentinel.
The only delay here should be with the data flow into the Sentinel after any event has happened, any delay in Timegenerated Field should be investigate at service level (ZScaler) as Sentinel would show the data which is being sent.

Let me know if you need any further help.

-----------------------------------------------------------------------------------------------------------------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

Besides this answer having absolutely nothing to do with what I asked about.
I found out that the source logs are always behind. That's why there is a python script to run to make the ingestion time the same
https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
do ctrl+F and type timegenerated.py