
We recently noticed that some Azure EventHubs applications (e.g. Azure AD Identity Protection -> https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection) set the "time" field not in the ISO 8601 datetime format but in the "general date long time" format (see https://docs.microsoft.com/en-us/dotnet/standard/base-types/standard-date-and-time-format-strings#GeneralDateLongTime).

Thus the month and day fields seem to be mixed up in these cases, and e.g. events that were actually collected on the 6th of April (according to col_ts) are sorted into the repos on the 4th of June (because of the wrong log_ts).
Also, alert rules on these events then trigger months later, when the wrongly sorted events slip into the current window of the search time range.

The following screenshot shows how the timestamp format of Azure AD Identity Protection differs from the usual ISO 8601 format.

Do you know if it is somehow possible to change this log timestamp format somewhere in the Azure AD settings?

Or does the compiled normalizer for the EventHub events have to be adjusted?

Hi Markus,

I can see that you raised a Support ticket for this, which is probably the best way of dealing with this. The implication in the ticket was that it might be possible to change the date format, but I have a suspicion that this is just how Azure AD Identity Protection is formatting its logs - I have updated our ticket internally with this opinion, let’s see where it goes.

Perhaps someone in the Community is also using Azure AD Identity Protection and could advise whether their logs format the time in the same way - it could be a timezone configuration somewhere after all.


Hello @Nils Krumey

Thank you for your reply!

I already forwarded some sample logs to the support team. Hopefully they can make something out of it!


I used the following query to get the timestamp string out of the raw log, maybe that’s helpful for other community members who want to find out how it looks in their environment:

norm_id="EventHubs" action="*risk*" | norm on msg "time": <real_time:quoted> | fields real_time

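The two timestamp shapes discussed in this thread, and the month/day swap that produces the June-instead-of-April sorting, as an added Python example. This is not code from the thread, from Azure, or from the EventHubs normalizer. It assumes the "general date long time" value is month-first (en-US/invariant culture, e.g. "4/6/2021 9:12:34 AM"), which the thread only shows in a screenshot; the sample strings and collection times are constructed here for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# ISO 8601 as most EventHubs sources emit it, e.g. 2021-04-06T09:12:34.5678901Z
# (.NET writes seven fractional digits; Python datetime keeps six).
ISO_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})?$"
)
# .NET "G" (general date long time), assumed month-first: "4/6/2021 9:12:34 AM"
# (en-US) or "04/06/2021 13:45:30" (invariant culture, 24h, no AM/PM).
GENERAL_RE = re.compile(
    r"^(\d{1,2})/(\d{1,2})/(\d{4}) (\d{1,2}):(\d{2}):(\d{2})(?: ([AP]M))?$"
)


def parse_event_time(value: str, day_first: bool = False) -> datetime:
    """Parse an EventHubs "time" value into an aware UTC datetime.

    ISO 8601 is unambiguous. The "G" format is only unambiguous once you know
    which field comes first; day_first=True reproduces the misparse described
    in the thread (a day-first normalizer applied to month-first input).
    """
    m = ISO_RE.match(value)
    if m:
        y, mo, d, hh, mm, ss, frac, tz = m.groups()
        us = int((frac or "0")[:6].ljust(6, "0"))  # truncate 7 digits to microseconds
        dt = datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss), us)
        if tz and tz != "Z":  # normalise an explicit offset to UTC
            sign = 1 if tz[0] == "+" else -1
            dt -= sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[-2:]))
        return dt.replace(tzinfo=timezone.utc)

    m = GENERAL_RE.match(value)
    if m:
        a, b, y, hh, mm, ss, ampm = m.groups()
        mo, d = (int(b), int(a)) if day_first else (int(a), int(b))
        hour = int(hh)
        if ampm:  # 12 AM -> 0, 12 PM -> 12, 1 PM -> 13
            hour = hour % 12 + (12 if ampm == "PM" else 0)
        # "G" carries no zone; the thread's data is assumed to be UTC.
        return datetime(int(y), mo, d, hour, int(mm), int(ss), tzinfo=timezone.utc)

    raise ValueError(f"unrecognised time format: {value!r}")


def swapped_month_day(log_ts: datetime, col_ts: datetime,
                      tolerance: timedelta = timedelta(days=2)) -> bool:
    """Sanity check: is log_ts far from the collection time while the
    month/day-swapped reading of it would be close? That is the signature of
    the mix-up described in the thread (April 6 collected, June 4 stored)."""
    if abs(log_ts - col_ts) <= tolerance:
        return False
    try:
        swapped = log_ts.replace(month=log_ts.day, day=log_ts.month)
    except ValueError:  # e.g. day 25 cannot be a month: no swap possible
        return False
    return abs(swapped - col_ts) <= tolerance


def audit(records, day_first: bool = False):
    """Parse each (raw time, col_ts) pair and flag probable month/day swaps."""
    out = []
    for raw, col_ts in records:
        log_ts = parse_event_time(raw, day_first=day_first)
        out.append((raw, log_ts, swapped_month_day(log_ts, col_ts)))
    return out


# Constructed sample records (not from the thread): collected on 6 April 2021.
COL_TS = datetime(2021, 4, 6, 9, 13, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("2021-04-06T09:12:34.5678901Z", COL_TS),
    ("4/6/2021 9:12:34 AM", COL_TS),
]

if __name__ == "__main__":
    for raw, log_ts, flagged in audit(SAMPLE, day_first=True):
        print(f"{raw:32} -> {log_ts.isoformat()}  swapped={flagged}")
```

Running the sample with day_first=True shows the ISO event landing on 6 April while the "G" event lands on 4 June and is flagged; with the default day_first=False both parse to 6 April and nothing is flagged. The col_ts comparison is the cheap check worth adding to any pipeline that cannot yet tell which normalizer an upstream source went through.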
