Add log timestamp trust evidence gates#1456

Open
jddark62 wants to merge 1 commit into UnitOneAI:main from jddark62:improve/log-analysis-timestamp-skew-1422

Conversation

@jddark62 jddark62 commented Jun 6, 2026

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: log-analysis
Skill path: skills/secops/log-analysis/

What Was Wrong

The skill asks analysts to define a time window and reconstruct timelines, but it did not require a timestamp trust check before cross-source correlation. That can make SIEM timelines look definitive even when Windows/Sysmon, Linux syslog, CloudTrail, Elastic, Splunk, and collector metadata disagree because of local time, missing year/timezone fields, parser choices, ingestion lag, queue backlog, or host clock skew.

Fixes #1422.

What This PR Fixes

  • Adds Step 0: Timestamp Normalization and Clock-Skew Gate before log source taxonomy and correlation.
  • Requires event time, ingestion/index time, parser-selected timestamp field, source timezone, clock synchronization/skew evidence, and a confidence decision.
  • Adds High / Medium / Low / Not Evaluable decision rules for timeline reconstruction.
  • Adds source-specific checks for Windows/Sysmon, Linux syslog/auth logs, AWS CloudTrail, Splunk, and Elastic.
  • Extends the report output with a timestamp evidence matrix, timeline confidence decision, and per-row timestamp confidence.
  • Adds structured edge-case fixtures for Windows local time ambiguity, CloudTrail ingestion delay, Sysmon host clock skew, Linux auth logs missing year/timezone, parser mapping mistakes, and a complete normalized multi-source timeline.

Validation

  • git diff --check
  • Content marker checks for Step 0, event time, ingestion/index time, parser timestamp field, source timezone, clock-skew evidence, confidence decisions, Not Evaluable handling, and all requested fixture cases
  • Markdown fence-balance checks for the updated skill and fixture file
  • Ruby YAML parse for all six fixture blocks
  • ASCII-only check for changed files
  • Privacy scan for local paths/name fragments
  • Live reference URL checks returned HTTP 200 for NIST SP 800-92, AWS CloudTrail record contents, Splunk timestamp recognition, and Elastic ECS event fields

Bounty Request

Requesting Improver Moderate consideration ($100) if accepted. Payment details can be provided privately after maintainer acceptance.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1422
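An added worked example, not code from the PR or the log-analysis skill: a small Python gate that normalizes each source's parser-selected event time to UTC, compares it against ingestion time and clock-skew evidence, and emits the High / Medium / Low / Not Evaluable decision the PR describes. The thresholds, the `TimestampEvidence` fields and the fixture values are assumptions constructed for illustration; the skill's own decision rules are not reproduced here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional

# Thresholds are assumptions for this example, not the skill's own rules.
MAX_SKEW_HIGH_S = 5.0      # |host clock offset| still acceptable for High
MAX_SKEW_MEDIUM_S = 120.0  # beyond this the row is Low
MAX_LAG_HIGH_S = 300.0     # ingestion lag above this caps the row at Medium

@dataclass
class TimestampEvidence:
    source: str
    raw_event_time: str            # parser-selected timestamp field, as logged
    ingest_time: datetime          # collector/index time (tz-aware UTC)
    source_tz: Optional[timezone]  # None = source did not record a timezone
    skew_s: Optional[float]        # clock offset vs reference; None = no evidence
    assumed_year: Optional[int] = None  # syslog lines carry no year

def normalize(ev: TimestampEvidence) -> Optional[datetime]:
    """Event time as tz-aware UTC, or None if the field is not evaluable."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%b %d %H:%M:%S"):
        try:
            t = datetime.strptime(ev.raw_event_time, fmt)
        except ValueError:
            continue
        if fmt.endswith("Z"):            # CloudTrail-style, already UTC
            return t.replace(tzinfo=timezone.utc)
        if fmt.startswith("%b"):         # no year: analyst must supply one
            if ev.assumed_year is None:
                return None
            t = t.replace(year=ev.assumed_year)
        # Local time: apply the recorded zone, else assume UTC and let the
        # confidence decision record that the zone was not evidenced.
        return t.replace(tzinfo=ev.source_tz or timezone.utc).astimezone(timezone.utc)
    return None

def timeline_confidence(ev: TimestampEvidence) -> str:
    t = normalize(ev)
    if t is None:
        return "Not Evaluable"
    lag_s = (ev.ingest_time - t).total_seconds()
    if lag_s < 0 or (ev.skew_s is not None and abs(ev.skew_s) > MAX_SKEW_MEDIUM_S):
        return "Low"   # event after its own ingestion, or clock badly off
    weak = (ev.source_tz is None or ev.skew_s is None
            or abs(ev.skew_s) > MAX_SKEW_HIGH_S or lag_s > MAX_LAG_HIGH_S)
    return "Medium" if weak else "High"  # Medium: one trust input assumed or weak

def run_fixtures() -> dict:
    """Constructed fixtures mirroring the PR's edge cases; not the skill's own data."""
    utc, ingest = timezone.utc, datetime(2026, 6, 6, 12, 20, 0, tzinfo=timezone.utc)
    cases = [
        TimestampEvidence("cloudtrail-delay", "2026-06-06T12:00:05Z", ingest, utc, 0.0),
        TimestampEvidence("sysmon-skew", "2026-06-06 08:19:50", ingest, timezone(timedelta(hours=-4)), 600.0),
        TimestampEvidence("windows-localtime", "2026-06-06 12:19:30", ingest, None, 0.5),
        TimestampEvidence("linux-auth-noyear", "Jun  6 12:19:52", ingest, utc, 1.0),
        TimestampEvidence("linux-auth-year-supplied", "Jun  6 12:19:52", ingest, utc, 1.0, assumed_year=2026),
        TimestampEvidence("parser-mismap", "1780747200", ingest, utc, 0.0),
    ]
    return {c.source: timeline_confidence(c) for c in cases}
```

Each row's decision belongs in the timestamp evidence matrix next to the normalized UTC time, so a reader of the timeline can see which rows rest on an assumed zone or on missing skew evidence.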


Development

[REVIEW] log-analysis: add timestamp normalization and clock-skew evidence gates