Blog Post

Microsoft Sentinel Blog

5 MIN READ

Handling sliding windows in Azure Sentinel rules

Microsoft

Jul 06, 2020

In the article "Azure Sentinel correlation rules: Active Lists out; make_list() in," I presented a rule that detects several sign-in failures to Azure AD, alongside a sign-in success to AWS from the ...

Updated Dec 29, 2020

Version 2.0

Ofer_Shezaf

Microsoft

Joined March 01, 2019

View Profile

Microsoft Sentinel Blog

Follow this blog board to get notified when there's new activity

luizao_lf

Copper Contributor

Apr 04, 2021

Very good content, Ofer_Shezaf .

Thanks.

I have a doubt.

The timegenereted() is the time that the event was generated at the source and is informed in the source payload, right?

If for some reason my source does not send the time the log was created, what will be the timegenereted time?

If I'm not mistaken, for the MMA collector, if I don't have the timegenereted specified in the log, I'll specify _TimeReceived, which is the time that the log arrived at the installed agent. That's it?

What would it be like for firewall logs, for example?