Forum Discussion
Solved
Timestamps in AlertTable
Hello,
In Sentinel Alert table, there are StartTime, EndTime, ProcessingEndTime. What do these refer to ?
Looking into sample alerts, in many cases StartTime and Endtime seem to correpsond to "set query_datetimescope_from" "set query_datetimescope_to " respectively which makes sense, but in other cases they don't map. The ProcessingEndTime seems to map to the end of LA rule execution time (i.e. after it starts running), any confirmation ?
Timestamps behave differently depending on the relevant alert provider and specific alert.
For alerts that aren’t Sentinel scheduled alerts the alert provider determines the start time, end time and processing time of the alert.
For scheduled alerts it depends whether the query results contain the TimeGenerated of the events or not – if it does then the start and end times of the alert will be determined based on the earliest and last events, if it doesn’t they will be based on the time period that was queried to create the alert. TimeGeneraged and ProcessingEndTime are identical and refer to the time in which the query ran and the alert was created.
- Ofer_Shezaf
Microsoft
Timestamps behave differently depending on the relevant alert provider and specific alert.
For alerts that aren’t Sentinel scheduled alerts the alert provider determines the start time, end time and processing time of the alert.
For scheduled alerts it depends whether the query results contain the TimeGenerated of the events or not – if it does then the start and end times of the alert will be determined based on the earliest and last events, if it doesn’t they will be based on the time period that was queried to create the alert. TimeGeneraged and ProcessingEndTime are identical and refer to the time in which the query ran and the alert was created.
