Commit 2dd30f3

Merge pull request #235198 from yoninalmsft/patch-63
forwarding rules time zone issue - date and time update
2 parents d827a5d + 6dbcf07 commit 2dd30f3

1 file changed, +2 -2 lines changed

articles/defender-for-iot/organizations/how-to-forward-alert-information-to-partners.md

Lines changed: 2 additions & 2 deletions
@@ -162,15 +162,15 @@ The following sections describe the syslog output syntax for each format.
162162
| Name | Description |
163163
|--|--|
164164
| Priority | User.Alert |
165-
| Date and time | Date and time that sensor sent the information |
165+
| Date and time | Date and time that the sensor sent the information, in UTC format |
166166
| Hostname | Sensor hostname |
167167
| Message | CEF:0 <br />Microsoft Defender for IoT/CyberX <br />Sensor name <br />Sensor version <br />Microsoft Defender for IoT Alert <br />Alert title <br />Integer indication of severity. 1=**Warning**, 4=**Minor**, 8=**Major**, or 10=**Critical**.<br />msg= The message of the alert. <br />protocol= The protocol of the alert. <br />severity= **Warning**, **Minor**, **Major**, or **Critical**. <br />type= **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**. <br />UUID= UUID of the alert (Optional) <br /> start= The time that the alert was detected. <br />Might vary from the time of the syslog server machine, and depends on the time-zone configuration of the forwarding rule. <br />src_ip= IP address of the source device. (Optional) <br />src_mac= MAC address of the source device. (Optional) <br />dst_ip= IP address of the destination device. (Optional)<br />dst_mac= MAC address of the destination device. (Optional)<br />cat= The alert group associated with the alert. |
168168

169169
#### Syslog LEEF output fields
170170

171171
| Name | Description |
172172
|--|--|
173-
| Date and time | Date and time that the syslog server machine received the information. |
173+
| Date and time | Date and time that the sensor sent the information, in UTC format |
174174
| Priority | User.Alert |
175175
| Hostname | Sensor IP |
176176
| Message | Sensor name: The name of the Microsoft Defender for IoT appliance. <br />LEEF:1.0 <br />Microsoft Defender for IoT <br />Sensor <br />Sensor version <br />Microsoft Defender for IoT Alert <br />title: The title of the alert. <br />msg: The message of the alert. <br />protocol: The protocol of the alert.<br />severity: **Warning**, **Minor**, **Major**, or **Critical**. <br />type: The type of the alert: **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**. <br />start: The time of the alert. It may be different from the time of the syslog server machine, and depends on the time-zone configuration. <br />src_ip: IP address of the source device.<br />dst_ip: IP address of the destination device. <br />cat: The alert group associated with the alert. |
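Review bot: the two changed "Date and time" rows now say the header timestamp is "in UTC format", but the unchanged `start=` / `start:` entries in the Message row of each table still say the alert time "might vary from the time of the syslog server machine, and depends on the time-zone configuration of the forwarding rule", so a reader cannot tell whether the header timestamp and the alert start time come from the same clock. Suggest stating explicitly which field follows the forwarding rule's time-zone setting and which is always UTC, and, since UTC is a time standard rather than a format, replacing "in UTC format" with "in UTC" (or naming the actual format the sensor emits, such as ISO 8601, if that is known). Also worth confirming the LEEF edit from "that the syslog server machine received the information" to "that the sensor sent the information": that moves the timestamp's origin from the receiver to the sensor, which is a factual change rather than a wording one and should match what the sensor actually writes.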