Forum Discussion
tipper1510
Apr 19, 2023, Copper Contributor
Best Time Field to Query Security Incidents
Hi, What is the best time field to use for querying Security Incidents? I have seen examples using both TimeGenerated and CreatedTime. They produce quite different results. Many thanks, Tim
Clive_Watson
Apr 19, 2023, Bronze Contributor
Generally the answer is TimeGenerated: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns#timegenerated
CreatedTime is a Sentinel column, and typically appears after TimeGenerated in a query (as the log record is subject to latency and processing, and only some activities create an Incident).
See these examples: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns#timegenerated
Also https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?tabs=HTTP#incident
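The distinction described above, as an added KQL example (not code from the original thread). It assumes the standard SecurityIncident table columns (TimeGenerated, IncidentNumber, Title, Severity, Status, CreatedTime, LastModifiedTime) and that the table receives a new row each time an incident is created or updated, so a filter on TimeGenerated selects rows written in the window while a filter on CreatedTime selects incidents opened in the window:

```kusto
// Added example, not part of the original post.
// Incidents opened in the last 7 days, reduced to one row each (their latest state),
// with the gap between CreatedTime and the first SecurityIncident row that was written.
let lookback = 7d;
SecurityIncident
| where CreatedTime > ago(lookback)        // filter on when the incident was opened,
                                           // not on when a row about it was written
| summarize FirstRowWritten = min(TimeGenerated),
            arg_max(TimeGenerated, Title, Severity, Status, LastModifiedTime)
    by IncidentNumber, CreatedTime
| extend LagToFirstRowMin = datetime_diff('minute', FirstRowWritten, CreatedTime)
| project IncidentNumber, Title, Severity, Status,
          CreatedTime, FirstRowWritten, LagToFirstRowMin,
          LastModifiedTime, LatestRow = TimeGenerated
| order by CreatedTime desc
```

Swapping the first `where` for `where TimeGenerated > ago(lookback)` changes the population: it then also returns older incidents that were merely modified (status or owner changes, new alerts added) inside the window, and it can miss an incident created just inside the window whose first row landed after the picker's cut-off. LagToFirstRowMin makes that ingestion delay visible per incident.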
- Joseph770, Oct 02, 2023, Copper Contributor
Generally speaking, maybe. It looks to me like "TimeGenerated" is created when the imported event is written to the Sentinel table. This may not be helpful when conducting an investigation and/or putting together a chain of events. I have noticed that various event sources have different means of identifying when they captured the activity. Getting at this information means parsing the data, and perhaps converting from text to a numeric (usually "tolong()" with what I have seen), then converting that value to a time-date.
I suggest evaluating log sources on a case-by-case basis to determine the most appropriate time-date value for the appropriate use case.
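The parse-then-convert step described in the reply above, as an added KQL example (not code from the original thread). The datatable rows are constructed sample data standing in for a custom log whose raw message carries the source's own epoch timestamp; in a real workspace the datatable would be replaced by the table in question, and the regex adjusted to that source's format. Both epoch seconds and epoch milliseconds are handled, and a row with no source timestamp falls back to TimeGenerated for ordering:

```kusto
// Added example, not part of the original post. Sample rows are constructed.
let Sample = datatable(TimeGenerated: datetime, RawData: string) [
    datetime(2023-10-02T10:05:41Z), 'ts=1696240800 src=10.0.0.5 action=deny',      // epoch seconds
    datetime(2023-10-02T10:05:42Z), 'ts=1696240801500 src=10.0.0.7 action=allow',  // epoch milliseconds
    datetime(2023-10-02T10:05:43Z), 'src=10.0.0.9 action=deny'                     // no source timestamp
];
Sample
| extend TsRaw = extract(@'ts=(\d+)', 1, RawData)   // text field as emitted by the source
| extend TsNum = tolong(TsRaw)                       // empty/missing match becomes null
// Values above 1e11 cannot be seconds for any plausible date, so treat them as milliseconds.
| extend SourceTime = case(
      isnull(TsNum),          datetime(null),
      TsNum > 100000000000,   unixtime_milliseconds_todatetime(TsNum),
                              unixtime_seconds_todatetime(TsNum))
| extend IngestDelaySec = datetime_diff('second', TimeGenerated, SourceTime)
| project TimeGenerated, SourceTime, IngestDelaySec, RawData
// Build the chain of events on the source's clock where it exists, else on ingestion time.
| order by coalesce(SourceTime, TimeGenerated) asc
```

For the two rows that carry a timestamp, SourceTime resolves to 2023-10-02T10:00:00Z and 2023-10-02T10:00:01.5Z, roughly five and a half minutes before their TimeGenerated values; the third row keeps a null SourceTime and sorts by TimeGenerated. The seconds-versus-milliseconds threshold is a heuristic that suits current dates and should be confirmed per source.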