Forum Discussion

majo01
Brass Contributor
Aug 06, 2020
Solved

Timestamps in AlertTable

Hello, In the Sentinel Alert table, there are StartTime, EndTime, ProcessingEndTime. What do these refer to? Looking into sample alerts, in many cases StartTime and EndTime seem to correspond to "s...
  • Ofer_Shezaf
    Aug 09, 2020

    majo01

    Timestamps behave differently depending on the relevant alert provider and specific alert.

    For alerts that aren’t Sentinel scheduled alerts, the alert provider determines the start time, end time and processing time of the alert.

    For scheduled alerts it depends on whether the query results contain the TimeGenerated of the events or not – if they do, then the start and end times of the alert will be determined based on the earliest and last events; if they don’t, they will be based on the time period that was queried to create the alert. TimeGenerated and ProcessingEndTime are identical and refer to the time at which the query ran and the alert was created.
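The two cases in the answer above, modelled as an added example (this is not Sentinel's code and is not from the original thread; the rule-run time, the query period and the result rows are constructed values, and `build_scheduled_alert` and `describe_alert` are hypothetical helper names). It derives StartTime and EndTime from the query results when they carry TimeGenerated, falls back to the queried period when they do not, sets TimeGenerated and ProcessingEndTime both to the time the rule ran, and then computes the event window and the detection latency that a defender would typically want to read off a SecurityAlert row:

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed values: a scheduled analytics rule that ran at 10:05 UTC
# over the one-hour period 09:00-10:00 UTC.
QUERY_PERIOD_START = datetime(2020, 8, 6, 9, 0, tzinfo=UTC)
QUERY_PERIOD_END = datetime(2020, 8, 6, 10, 0, tzinfo=UTC)
RUN_TIME = datetime(2020, 8, 6, 10, 5, tzinfo=UTC)

# Constructed query output, case 1: rows keep the events' TimeGenerated.
RESULTS_WITH_TIME = [
    {"TimeGenerated": datetime(2020, 8, 6, 9, 12, tzinfo=UTC), "Account": "user1"},
    {"TimeGenerated": datetime(2020, 8, 6, 9, 47, tzinfo=UTC), "Account": "user1"},
    {"TimeGenerated": datetime(2020, 8, 6, 9, 30, tzinfo=UTC), "Account": "user1"},
]

# Constructed query output, case 2: a summarize dropped TimeGenerated.
RESULTS_WITHOUT_TIME = [
    {"Account": "user1", "FailedLogons": 42},
]


def build_scheduled_alert(results, period_start, period_end, run_time):
    """Hypothetical model of how a scheduled alert's timestamps are filled in.

    StartTime/EndTime come from the earliest/latest TimeGenerated in the
    results when present; otherwise they are the queried period.
    TimeGenerated and ProcessingEndTime are both the time the query ran.
    """
    times = [row["TimeGenerated"] for row in results if "TimeGenerated" in row]
    if times:
        start, end = min(times), max(times)
    else:
        start, end = period_start, period_end
    return {
        "StartTime": start,
        "EndTime": end,
        "TimeGenerated": run_time,
        "ProcessingEndTime": run_time,
    }


def describe_alert(alert):
    """Return the event window length and the detection latency in minutes.

    Detection latency is the gap between the last event covered by the alert
    and the moment the alert was created (ProcessingEndTime).
    """
    window = alert["EndTime"] - alert["StartTime"]
    latency = alert["ProcessingEndTime"] - alert["EndTime"]
    return {
        "EventWindowMinutes": int(window.total_seconds() // 60),
        "DetectionLatencyMinutes": int(latency.total_seconds() // 60),
    }


if __name__ == "__main__":
    for label, rows in (("with TimeGenerated", RESULTS_WITH_TIME),
                        ("without TimeGenerated", RESULTS_WITHOUT_TIME)):
        alert = build_scheduled_alert(rows, QUERY_PERIOD_START, QUERY_PERIOD_END, RUN_TIME)
        print(label, alert["StartTime"].isoformat(), alert["EndTime"].isoformat(),
              describe_alert(alert))
```

The practical consequence for detection engineering: a rule whose query ends in a `summarize` that discards TimeGenerated yields an alert whose StartTime/EndTime only tell you which hour was scanned, not when the suspicious events happened, so the computed window is the full period (60 minutes here) rather than the real 35-minute spread. Projecting `min(TimeGenerated)`/`max(TimeGenerated)` back into the results keeps the narrower, more useful window.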
