Forum Discussion

tomokon's avatar
tomokon
Copper Contributor
Feb 10, 2025

How to Ensure No Missed Alerts Using alertReportedTime in Microsoft Defender for Endpoint?

I am developing an application that continuously searches for the latest alerts in Microsoft Defender for Endpoint by querying alerts from 2 minutes ago to 1 minute ago. My goal is to ensure that no...
luchete's avatar
luchete
Steel Contributor
Feb 11, 2025

Hi tomokon!

Probably in your case I would use "alertReportedTime" instead of "alertCreationTime" as it is the key to ensuring no missed alerts. The "alertReportedTime" reflects when the alert was actually reported, which is more reliable for detecting alerts from devices that were offline and came back online later. "alertCreationTime" only reflects when the alert was initially created, which might not capture alerts that were generated while the device was offline. By querying based on "alertReportedTime", you can be sure you catch all alerts, even those reported after the device reconnects.

Regards!

tomokon's avatar
tomokon
Copper Contributor
Feb 17, 2025

Thank you luchete , for your response.

However, I noticed that the `alertReportedTime` property does not exist in the Microsoft Defender for Endpoint API. Instead, there are `alertCreationTime` and `firstEventTime`. 

Could you please clarify if using `alertCreationTime` will ensure that no alerts are missed, including those generated while the device was offline and reported later when the device came back online? Or is there another recommended approach to ensure all alerts are captured?

Thank you again for your assistance!

  • luchete's avatar
    luchete
    Steel Contributor
    Feb 18, 2025

    Hi tomokon,

    You're right that alertReportedTime doesn't exist in the Microsoft Defender for Endpoint API, and I appreciate you pointing that out as i took a wrong approach.

    In this case, alertCreationTime may not fully address your need to capture alerts generated while a device was offline. Instead, I recommend using firstEventTime. This property reflects when the first event in an alert occurred, which is more likely to capture events from when the device was offline and later reported upon reconnecting.

    You can still reference alertCreationTime, but using firstEventTime should help ensure you capture all relevant alerts.

    • tomokon's avatar
      tomokon
      Copper Contributor
      Feb 18, 2025

      Hi,

      I am developing an application that queries alerts from the API within a time window of 2 minutes ago to 1 minute ago. Specifically, I need clarification on the following scenario:

      1. Scenario:
        • A device went offline 5 hours ago and then came back online.
        • How are alerts generated during the offline period handled once the device reconnects?
      2. Requirement:
        • If firstEventTime reflects the event time 5 hours ago, it won't be captured by my query for the last 2 minutes.
        • If alertCreationTime is set to the moment the device comes back online, it would be captured by my current time query, which is preferable.
        • Conversely, if alertCreationTime is set to a past time, querying by alertCreationTime would not be feasible.

      I need to confirm whether alertCreationTime is set to the moment the device reconnects in this scenario.
      Thank you.