Forum Discussion

tomokon
Copper Contributor
Feb 10, 2025

How to Ensure No Missed Alerts Using alertReportedTime in Microsoft Defender for Endpoint?

I am developing an application that continuously searches for the latest alerts in Microsoft Defender for Endpoint by querying alerts from 2 minutes ago to 1 minute ago.

My goal is to ensure that no alerts are missed, even if a device was offline and only reported the alert after coming back online.

My question is: If I use `alertCreationTime` for my search, will it ensure that I do not miss any alerts, including those that were generated while the device was offline and reported later when the device came back online?

Any insights or best practices on this approach would be greatly appreciated. 

Thank you!

  • luchete
    Steel Contributor

    Hi tomokon!

    Probably in your case I would use "alertReportedTime" instead of "alertCreationTime" as it is the key to ensuring no missed alerts. The "alertReportedTime" reflects when the alert was actually reported, which is more reliable for detecting alerts from devices that were offline and came back online later. "alertCreationTime" only reflects when the alert was initially created, which might not capture alerts that were generated while the device was offline. By querying based on "alertReportedTime", you can be sure you catch all alerts, even those reported after the device reconnects.

    Regards!

    • tomokon
      Copper Contributor

      Thank you, luchete, for your response.

      However, I noticed that the `alertReportedTime` property does not exist in the Microsoft Defender for Endpoint API. Instead, there are `alertCreationTime` and `firstEventTime`. 

      Could you please clarify if using `alertCreationTime` will ensure that no alerts are missed, including those generated while the device was offline and reported later when the device came back online? Or is there another recommended approach to ensure all alerts are captured?

      Thank you again for your assistance!

      • luchete
        Steel Contributor

        Hi tomokon,

        You're right that alertReportedTime doesn't exist in the Microsoft Defender for Endpoint API, and I appreciate you pointing that out, as I took a wrong approach.

        In this case, alertCreationTime may not fully address your need to capture alerts generated while a device was offline. Instead, I recommend using firstEventTime. This property reflects when the first event in an alert occurred, which is more likely to capture events from when the device was offline and later reported upon reconnecting.

        You can still reference alertCreationTime, but using firstEventTime should help ensure you capture all relevant alerts.
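The polling scheme from the original question (query the one-minute slice that ended a minute ago, once a minute) and the concern about late-reported alerts can be simulated end to end. The following is an added example, not code from the thread or from Microsoft: it assumes alerts are plain dicts shaped like the Alert resource returned by the Defender for Endpoint alerts API (`id`, `alertCreationTime`, `firstEventTime`), it builds the OData `$filter` string such a query would send, and it replaces the real `GET /api/alerts` call with an in-memory stand-in. The `_visible_at` key on each sample alert is not an API property; it is a constructed value modelling the moment the backend actually exposes the record, which for a device that was offline is later than any of its timestamps.

```python
from datetime import datetime, timedelta

def ts(s: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps the alerts API returns."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def fmt(d: datetime) -> str:
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_filter(field: str, start: datetime, end: datetime) -> str:
    """OData $filter for a half-open time range [start, end) on one alert property."""
    return f"{field} ge {fmt(start)} and {field} lt {fmt(end)}"

# Constructed sample alerts. da-0002 comes from a device that was offline:
# its first event is 30 minutes old and the record only becomes queryable
# (_visible_at, a constructed modelling field) well after alertCreationTime.
SAMPLE_ALERTS = [
    {"id": "da-0001", "alertCreationTime": "2025-02-10T10:00:10Z",
     "firstEventTime": "2025-02-10T09:59:50Z", "_visible_at": "2025-02-10T10:00:12Z"},
    {"id": "da-0002", "alertCreationTime": "2025-02-10T10:01:20Z",
     "firstEventTime": "2025-02-10T09:30:00Z", "_visible_at": "2025-02-10T10:03:45Z"},
    {"id": "da-0003", "alertCreationTime": "2025-02-10T10:02:05Z",
     "firstEventTime": "2025-02-10T10:02:00Z", "_visible_at": "2025-02-10T10:02:06Z"},
]

def query(alerts, field, start, end, now):
    """Stand-in for GET /api/alerts?$filter=<build_filter(...)>: returns the
    alerts whose `field` lies in [start, end) and that are visible at `now`."""
    return [a for a in alerts
            if start <= ts(a[field]) < end and ts(a["_visible_at"]) <= now]

def poll_once(alerts, field, now, lookback, width, seen):
    """One poll of the window [now - lookback, now - lookback + width).
    `seen` deduplicates by alert id across polls; returns the newly found ids."""
    start = now - lookback
    end = start + width
    new_ids = []
    for a in query(alerts, field, start, end, now):
        if a["id"] not in seen:
            seen.add(a["id"])
            new_ids.append(a["id"])
    return new_ids

def run_poller(alerts, field, lookback, width, first_tick, ticks,
               period=timedelta(minutes=1)):
    """Run `ticks` polls, one per `period`, and return every id found in order."""
    seen, found = set(), []
    for i in range(ticks):
        now = first_tick + i * period
        found.extend(poll_once(alerts, field, now, lookback, width, seen))
    return found

FIRST_TICK = ts("2025-02-10T10:00:00Z")

def fixed_window_results(alerts=SAMPLE_ALERTS, field="alertCreationTime"):
    """The thread's scheme: each minute query [now - 2 min, now - 1 min)."""
    return run_poller(alerts, field, timedelta(minutes=2), timedelta(minutes=1),
                      FIRST_TICK, 11)

def overlapping_window_results(alerts=SAMPLE_ALERTS, field="alertCreationTime",
                               lookback=timedelta(minutes=5)):
    """Query the whole [now - lookback, now) range each minute; the `seen` set
    in poll_once absorbs the overlap so each alert is emitted once."""
    return run_poller(alerts, field, lookback, lookback, FIRST_TICK, 11)

if __name__ == "__main__":
    print(build_filter("alertCreationTime",
                       FIRST_TICK - timedelta(minutes=2),
                       FIRST_TICK - timedelta(minutes=1)))
    print("fixed 1-minute slices :", fixed_window_results())
    print("overlapping + dedupe  :", overlapping_window_results())
```

Run stand-alone, the fixed one-minute slices return da-0001 and da-0003 only: da-0002's `alertCreationTime` falls in the 10:01 slice, which is polled at 10:03, 45 seconds before the record is visible, and that slice is never queried again. The overlapping window with id-based deduplication picks it up at the 10:04 poll. The field is a parameter, so the same harness can be run on `firstEventTime`; with the constructed data a five-minute lookback on that property never reaches da-0002, whose first event is 30 minutes before the device reports it. Whichever property is filtered on, the lookback has to exceed the longest delay between that timestamp and the moment the record becomes queryable, and deduplication by `id` is what makes the overlap safe.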
