Why does 'p_event_time' show future dates in CrowdStrike FDR events in Panther?
Last updated: April 1, 2026
QUESTION
Why am I seeing incorrect or future timestamps in the p_event_time field for CrowdStrike FDR events in Panther?
ANSWER
This is expected behaviour. For Crowdstrike.FDREvent logs, Panther sets p_event_time using:
ContextTimeStamp - time the event happened on the endpoint
timestamp - fallback, when CrowdStrike received the event
Because ContextTimeStamp comes from the endpoint, it depends on the device’s clock. If the clock is incorrect, p_event_time can appear in the future, far in the past, or out of sync with ingestion time.
Panther uses ContextTimeStamp because it better reflects when the event actually happened. Using the backend timestamp instead could be misleading if events are delayed — for example, when a device was offline and later sends a batch of logs. The tradeoff is that endpoints with misconfigured clocks can produce inaccurate p_event_time values.
This is documented in the Crowdstrike.FDREvent schema.
If many events are affected, it may be helpful to check:
endpoint clock settings
time synchronization (for example, NTP) on the CrowdStrike side
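To find which endpoints are affected, the following sketch compares the two fields per event; it is an added example, not Panther's or CrowdStrike's code. It assumes the raw FDR representation (ContextTimeStamp as epoch seconds, timestamp as epoch milliseconds), the aid field as the endpoint identifier, and a 5-minute tolerance; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TOLERANCE = timedelta(minutes=5)  # assumed allowance for normal jitter

def _ts(value, millis=False):
    """Parse an epoch value (string or number) into an aware UTC datetime."""
    if value in (None, ""):
        return None
    seconds = float(value) / (1000.0 if millis else 1.0)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def event_time(event):
    """Mirror the selection described above: ContextTimeStamp, else timestamp."""
    return _ts(event.get("ContextTimeStamp")) or _ts(event.get("timestamp"), millis=True)

def future_skew(event):
    """Return how far endpoint time runs ahead of the receive time, or None."""
    endpoint = _ts(event.get("ContextTimeStamp"))
    received = _ts(event.get("timestamp"), millis=True)
    if endpoint is None or received is None:
        return None  # fallback case: nothing to compare against
    skew = endpoint - received
    # An event cannot be received before it happened, so only a positive skew
    # proves a bad clock. A negative skew may be a delayed batch upload from
    # a device that was offline, which is legitimate.
    return skew if skew > TOLERANCE else None

def hosts_with_fast_clocks(events):
    """Map aid -> largest future skew seen for that endpoint."""
    worst = defaultdict(timedelta)
    for event in events:
        skew = future_skew(event)
        if skew is not None:
            aid = event.get("aid", "unknown")
            worst[aid] = max(worst[aid], skew)
    return dict(worst)

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"aid": "host-a", "ContextTimeStamp": "1767225600.000", "timestamp": "1767225601000"},
    {"aid": "host-b", "ContextTimeStamp": "1767312000.000", "timestamp": "1767225601000"},
    {"aid": "host-c", "ContextTimeStamp": "1767139200.000", "timestamp": "1767225601000"},
    {"aid": "host-d", "timestamp": "1767225601000"},
]
```

Only host-b is reported: host-a is within tolerance, host-c looks like a delayed upload, and host-d has no ContextTimeStamp, so the fallback applies.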