Timeline SNAFU


I noticed when looking at the Timeline while investigating an incident that it was messed up. The date/times shown do not match what I see in the Incident list and actually some of the dates are way before the Analytics rule was even created (like anything saying 8AM). Any ideas why this happened?

 


2 Replies

I'll check with the team, this might be the incident created time vs the security alert creation time.


@Gary Bushey 

In the meantime, understand that asking for related alerts in investigation is querying SecurityAlert for that entity. Not all security alerts are incidents.

 

You don't have other security alerts in the workspace, right? Just the ones that are from the incidents shown?