Panther Knowledge Base

Why does my recently parsed event have an old p_event_time in Panther?

QUESTION

Why does my recently parsed event have an old p_event_time? We didn't backfill any logs, so we're wondering what could have happened.

ANSWER

This is usually caused either by AWS delivering old log files late, or by the raw log records themselves carrying the wrong timestamp (p_event_time is taken from the event's own timestamp, so a wrong value in the raw log is carried through into the parsed event).

To verify the timestamp, inspect the S3 object itself and compare its timestamps with the p_event_time.

You can also check the S3 object key, which carries the delivery timestamp in its file name. For example, 111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz is a key dating back to August 1, 2015 (02:10 UTC). See other CloudTrail log file examples in AWS's documentation.
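The check above can be scripted. The following is an added example, not Panther's own code: it parses the timestamp out of a CloudTrail object key in the format shown above and compares it with the event's p_event_time and Panther's p_parse_time to tell the two causes apart. The one-day tolerance and the `explain_old_event` helper are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# CloudTrail key layout from the example above:
#   <account>_CloudTrail_<region>_<YYYYMMDDTHHMMZ>_<unique>.json.gz
# search() rather than match() so a full key with an AWSLogs/... prefix also works.
CLOUDTRAIL_KEY_RE = re.compile(
    r"(?P<account>\d{12})_CloudTrail_(?P<region>[a-z0-9-]+)_"
    r"(?P<ts>\d{8}T\d{4}Z)_(?P<uid>[A-Za-z0-9]+)\.json\.gz$"
)


def key_timestamp(key: str) -> datetime:
    """Return the UTC delivery timestamp encoded in a CloudTrail object key."""
    m = CLOUDTRAIL_KEY_RE.search(key)
    if not m:
        raise ValueError(f"not a CloudTrail log key: {key}")
    return datetime.strptime(m.group("ts"), "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)


def explain_old_event(key: str, p_event_time: datetime, p_parse_time: datetime,
                      lag: timedelta = timedelta(days=1)) -> str:
    """Classify why an event's p_event_time is far older than its p_parse_time.

    Returns one of:
      "fresh"         - the event is not actually old (within `lag` of parse time)
      "late-delivery" - the S3 object key itself dates from around p_event_time,
                        so AWS delivered an old log file
      "bad-timestamp" - the object is recent but the record inside claims an old
                        time, so the raw log carries the wrong timestamp
    """
    key_ts = key_timestamp(key)
    if p_parse_time - p_event_time <= lag:
        return "fresh"
    if abs(key_ts - p_event_time) <= lag:
        return "late-delivery"
    return "bad-timestamp"


if __name__ == "__main__":
    # Constructed sample values; the key is the one quoted in the article.
    old_key = "111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz"
    parsed_at = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    event_at = datetime(2015, 8, 1, 2, 5, tzinfo=timezone.utc)
    print(key_timestamp(old_key).isoformat())
    print(explain_old_event(old_key, event_at, parsed_at))  # late-delivery
```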