Forum Discussion
How to Ensure No Missed Alerts Using alertReportedTime in Microsoft Defender for Endpoint?
Hi tomokon!
Probably in your case I would use "alertReportedTime" instead of "alertCreationTime" as it is the key to ensuring no missed alerts. The "alertReportedTime" reflects when the alert was actually reported, which is more reliable for detecting alerts from devices that were offline and came back online later. "alertCreationTime" only reflects when the alert was initially created, which might not capture alerts that were generated while the device was offline. By querying based on "alertReportedTime", you can be sure you catch all alerts, even those reported after the device reconnects.
Regards!
Thank you, luchete, for your response.
However, I noticed that the `alertReportedTime` property does not exist in the Microsoft Defender for Endpoint API. Instead, there are `alertCreationTime` and `firstEventTime`.
Could you please clarify if using `alertCreationTime` will ensure that no alerts are missed, including those generated while the device was offline and reported later when the device came back online? Or is there another recommended approach to ensure all alerts are captured?
Thank you again for your assistance!
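To make the trade-off in the question concrete, here is an added example (not code from the thread or from Microsoft) of the watermark-polling pattern against the Defender for Endpoint List Alerts API. It keeps a high-water mark on one timestamp field, re-queries from slightly before that mark to absorb clock skew, and de-duplicates by alert id. The sample alerts are constructed: `da2` models an alert whose events happened on a laptop while it was offline and which the service only created after the device reconnected. The API endpoint and the property names `alertCreationTime` and `firstEventTime` are real; the in-memory `fetch` stand-in replaces the real HTTP call so the script runs offline, and it is only this stand-in that lets us compare filtering on either field (the example makes no claim about which properties the live API accepts in `$filter`).

```python
"""Gap-free alert polling for Microsoft Defender for Endpoint (added example).

Shows why a watermark on alertCreationTime picks up late-reported alerts that a
watermark on firstEventTime would skip. The HTTP call is replaced by an
in-memory stand-in so the script runs offline; sample alerts are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlencode

# Real List Alerts endpoint; the real call also needs a bearer token (omitted).
API_BASE = "https://api.securitycenter.microsoft.com/api/alerts"

# Constructed sample data, not real alerts. da2 had its first event at 08:00 on
# a device that was offline; the service created the alert at 12:30, when the
# device came back and uploaded its telemetry.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"id": "da1", "alertCreationTime": "2024-05-01T09:00:00Z", "firstEventTime": "2024-05-01T08:58:00Z"},
    {"id": "da2", "alertCreationTime": "2024-05-01T12:30:00Z", "firstEventTime": "2024-05-01T08:00:00Z"},
    {"id": "da3", "alertCreationTime": "2024-05-01T12:35:00Z", "firstEventTime": "2024-05-01T12:34:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the API's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fmt_ts(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_url(field: str, since: datetime) -> str:
    """URL for one poll: $filter=<field> ge <since>, the OData form the API takes."""
    return API_BASE + "?" + urlencode({"$filter": f"{field} ge {fmt_ts(since)}"})


def make_fake_api(now: datetime) -> Callable[[str, datetime], List[Dict[str, str]]]:
    """Stand-in for the API at wall-clock `now` (hypothetical, replaces requests.get).

    Only alerts the service has already created by `now` exist; the filter is
    then applied on whichever field the caller polls by.
    """
    def fetch(field: str, since: datetime) -> List[Dict[str, str]]:
        return [a for a in SAMPLE_ALERTS
                if parse_ts(a["alertCreationTime"]) <= now and parse_ts(a[field]) >= since]
    return fetch


def poll(fetch: Callable[[str, datetime], List[Dict[str, str]]], field: str,
         watermark: datetime, seen: Set[str],
         overlap: timedelta = timedelta(minutes=5)) -> Tuple[List[Dict[str, str]], datetime]:
    """One polling cycle: query from (watermark - overlap), drop ids already seen,
    return the new alerts and the advanced watermark on `field`."""
    since = watermark - overlap          # overlap absorbs clock skew and late indexing
    new: List[Dict[str, str]] = []
    newest = watermark
    for alert in fetch(field, since):
        if alert["id"] in seen:          # re-fetched because of the overlap; ignore
            continue
        seen.add(alert["id"])
        new.append(alert)
        newest = max(newest, parse_ts(alert[field]))
    return new, newest


def run_scenario(field: str) -> List[List[str]]:
    """Two polling cycles (10:00 and 13:00 UTC) over the sample data; returns the
    alert ids each cycle collected when polling by `field`."""
    seen: Set[str] = set()
    watermark = parse_ts("2024-05-01T00:00:00Z")
    cycles: List[List[str]] = []
    for now in ("2024-05-01T10:00:00Z", "2024-05-01T13:00:00Z"):
        new, watermark = poll(make_fake_api(parse_ts(now)), field, watermark, seen)
        cycles.append(sorted(a["id"] for a in new))
    return cycles


if __name__ == "__main__":
    print(build_url("alertCreationTime", parse_ts("2024-05-01T08:55:00Z")))
    print("alertCreationTime:", run_scenario("alertCreationTime"))
    print("firstEventTime:   ", run_scenario("firstEventTime"))
```

Polling by `alertCreationTime` collects `da1` in the first cycle and `da2` plus `da3` in the second, because `da2` was created after the watermark even though its events predate it. Polling by `firstEventTime` drops `da2` for good: its event time already sits behind the watermark by the time the service creates the alert. Keep the watermark persisted between runs, keep the overlap window and the id-based de-duplication together (one without the other either re-ingests or misses), and if changes to already-ingested alerts matter, run the same pattern a second time keyed on `lastUpdateTime`.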