This behavior is by design and considered a normal part of the product operation.
For example, user A has a local timezone of GMT-7 and user B has a local timezone of GMT-5. They both load a dashboard and set a time period of 12:00–13:00. The queries that run for the two users cover time ranges that are two hours apart, so they return different results.
Internally, all event times are recorded in UTC. When a user specifies a time period for a dashboard or query, the system uses the configured local timezone for that user. It offsets the time and date range used by the query so that the results are given in local time. Thus, noon to 1 p.m. for two users who are two timezones apart corresponds to two different time periods that are two hours apart.
If you want identical results between two different users in this scenario, you must set the users to the same timezone. Otherwise, a user must manually offset the time and date range of their queries so that they match.
The timezone offset is configured in the user profile. Click the user name at the top right of the SIEM dashboard and adjust the timezone offset. Doing so does not change the timezone of any data sources or of the SIEM itself. It is a purely cosmetic change that applies only to that particular user.
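The offset described above can be worked through outside the product when two analysts need to compare results. The following is an added illustration, not code from the SIEM or its vendor: the event list is constructed, the function names are hypothetical, and it assumes fixed GMT offsets and a half-open time range.

```python
from datetime import date, datetime, time, timedelta, timezone

# Constructed sample events; timestamps are stored in UTC, as the article describes.
EVENTS = [
    ("evt-1", datetime(2024, 3, 5, 16, 30, tzinfo=timezone.utc)),
    ("evt-2", datetime(2024, 3, 5, 17, 15, tzinfo=timezone.utc)),
    ("evt-3", datetime(2024, 3, 5, 18, 45, tzinfo=timezone.utc)),
    ("evt-4", datetime(2024, 3, 5, 19, 10, tzinfo=timezone.utc)),
    ("evt-5", datetime(2024, 3, 5, 19, 59, tzinfo=timezone.utc)),
]

def utc_window(day, start, end, offset_hours):
    """Translate a user's local wall-clock period into the UTC range queried."""
    tz = timezone(timedelta(hours=offset_hours))
    lo = datetime.combine(day, start, tzinfo=tz)
    hi = datetime.combine(day, end, tzinfo=tz)
    return lo.astimezone(timezone.utc), hi.astimezone(timezone.utc)

def run_query(window):
    """Return the IDs of events whose UTC timestamp falls in [start, end)."""
    lo, hi = window
    return [event_id for event_id, ts in EVENTS if lo <= ts < hi]

def matching_local_period(window, offset_hours):
    """Local period a user at offset_hours must enter to cover the same UTC range."""
    tz = timezone(timedelta(hours=offset_hours))
    return tuple(t.astimezone(tz).strftime("%Y-%m-%d %H:%M") for t in window)

if __name__ == "__main__":
    day = date(2024, 3, 5)
    user_a = utc_window(day, time(12), time(13), -7)  # user A, GMT-7
    user_b = utc_window(day, time(12), time(13), -5)  # user B, GMT-5
    print("User A sees:", run_query(user_a))
    print("User B sees:", run_query(user_b))
    print("User B must enter:", matching_local_period(user_a, -5))
```
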
Examine the user permissions (in ESM Properties, Users and Groups) when the following is true:
- The users are using the same timezone.
- The dashboards are using the same time period.
- Results are still different between the users.