Forum Discussion
tipper1510
Apr 19, 2023, Copper Contributor
Best Time Field to Query Security Incidents
Hi, What is the best time field to use for querying Security Incidents? I have seen examples using both TimeGenerated and CreatedTime. They produce quite different results. Many thanks, Tim
GBushey
Oct 03, 2023, Former Employee
tipper1510, if you are unaware, Sentinel will create a new row in the "SecurityIncidents" table each time an incident has been modified. Therefore, if you look at the first time an incident shows up in the table, the TimeGenerated and the CreatedTime should be the same. After that, the TimeGenerated will be the time that the row was created, but the CreatedTime will stay the same. So, the answer would be: it depends. You can look for the maximum TimeGenerated for a given incident number to make sure you have the latest changes, but if you just look for the CreatedTime, you could end up with multiple rows. Hope that makes sense.
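The two-field approach described in the reply, written out as an added KQL example (not from either poster): CreatedTime selects which incidents fall in the window, and arg_max over TimeGenerated keeps only the newest row per incident so each one appears once. It assumes the Sentinel SecurityIncident table schema (IncidentNumber, Title, Severity, Status, CreatedTime, LastModifiedTime) and a 7-day window chosen for illustration.

```kusto
// Added example, not from the thread. Assumes the Sentinel SecurityIncident table
// and its IncidentNumber / Title / Severity / Status / CreatedTime / LastModifiedTime columns.
let lookback = 7d;                      // illustrative window
SecurityIncident
| where CreatedTime > ago(lookback)     // incidents opened in the window (CreatedTime never changes)
| summarize
    Revisions = count(),                // how many rows (modifications) the incident produced
    arg_max(TimeGenerated, Title, Severity, Status, CreatedTime, LastModifiedTime)
    by IncidentNumber                   // arg_max keeps the fields from the newest row only
| project IncidentNumber, Title, Severity, Status, CreatedTime, LastModifiedTime,
          LastRowAt = TimeGenerated, Revisions
| order by CreatedTime desc
```

The Revisions column makes the duplication visible: a query that filters on CreatedTime without the arg_max step returns that many rows for each incident.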