Dashboard event counts for the same date and time differ between users with similar permissions
Last Modified: 2022-11-21 09:20:43 Etc/GMT
Technical Articles ID:
KB92307
Environment
SIEM Enterprise Security Manager (ESM) 11.x
Problem
When different users look at the same dashboard for the same time period, the event count differs even though their permissions are the same. The expectation is that different users with the same permissions see identical results when they load the same dashboard.
Cause
Each SIEM user has a timezone offset that can be applied to their profile. When the timezones between different users aren't the same, the results returned by a dashboard query differ for each user.
Solution
This behavior is by design and is considered a normal part of the product operation.
For example, user A has a local timezone of GMT-7, and user B has a local timezone of GMT-5. They both load a dashboard and set a time period of 12:00–13:00. The query that's run has a two-hour time difference between each user, so it returns different results.

Internally, all event times are recorded in UTC time. When a user specifies a time period for a dashboard or query, the system uses the configured local timezone for that user. It offsets the time and date range used by the query so that the results are given in local time. Thus, noon to 1 p.m. for two users that are two timezones apart shows two different time periods that are two hours apart.

If you want identical results between two different users in this scenario, you must set the users to the same timezone. Otherwise, a user must manually offset the time and date range of their queries so that they match.

The timezone offset is configured in the user profile. Click the user name at the top right of the SIEM dashboard and adjust the timezone offset. Doing so doesn't change the timezone of any data sources or the SIEM itself. It's purely a cosmetic change at the local level to that particular user.

Examine the user permissions (in ESM Properties, Users and Groups) when the following is true:
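The following added example (not part of this article or of the ESM product) models the behavior described above: events are stored in UTC, each user's profile offset shifts the queried range, and the same local window therefore yields different counts. It also computes the manual offset user B would enter to match user A. The event timestamps are constructed sample data, and the GMT-7 / GMT-5 users are the ones from the article's example.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample events with hypothetical UTC timestamps; ESM stores all
# event times in UTC internally, so the dashboard query compares against these.
EVENTS_UTC = [
    datetime(2022, 11, 21, 17, 15, tzinfo=timezone.utc),
    datetime(2022, 11, 21, 17, 45, tzinfo=timezone.utc),
    datetime(2022, 11, 21, 18, 30, tzinfo=timezone.utc),
    datetime(2022, 11, 21, 19, 10, tzinfo=timezone.utc),
]


def utc_range(day_iso, start_hour, end_hour, offset_hours):
    """UTC range actually queried when a user whose profile offset is
    offset_hours asks for start_hour..end_hour local on the given day."""
    day = date.fromisoformat(day_iso)
    tz = timezone(timedelta(hours=offset_hours))
    local_midnight = datetime(day.year, day.month, day.day, tzinfo=tz)
    start = local_midnight + timedelta(hours=start_hour)
    end = local_midnight + timedelta(hours=end_hour)
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


def dashboard_count(day_iso, start_hour, end_hour, offset_hours, events=EVENTS_UTC):
    """Number of events the dashboard shows for a local window under an offset."""
    start, end = utc_range(day_iso, start_hour, end_hour, offset_hours)
    return sum(1 for e in events if start <= e < end)


def matching_local_hours(start_hour, end_hour, my_offset, other_offset):
    """Local hours this user must enter to cover the same UTC range that a
    user with other_offset sees for start_hour..end_hour local."""
    shift = my_offset - other_offset
    return start_hour + shift, end_hour + shift


if __name__ == "__main__":
    a = dashboard_count("2022-11-21", 12, 13, -7)  # user A, GMT-7
    b = dashboard_count("2022-11-21", 12, 13, -5)  # user B, GMT-5
    print(f"user A (GMT-7) 12:00-13:00: {a} events")
    print(f"user B (GMT-5) 12:00-13:00: {b} events")
    s, e = matching_local_hours(12, 13, -5, -7)
    print(f"user B must query {s}:00-{e}:00 local to match: "
          f"{dashboard_count('2022-11-21', s, e, -5)} events")
```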