cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best Time Field to Query Security Incidents

tipper1510
Brass Contributor

‎Apr 19 2023 03:21 AM

‎Apr 19 2023 03:21 AM

Best Time Field to Query Security Incidents

Hi,

 

What is the best time field to use for querying Security Incidents? I have seen examples using both TimeGenerated and CreatedTime. They produce quite different results.

 

Many thanks,

Tim

Labels:
1,298 Views
0 Likes
3 Replies
Reply
3 Replies
Clive_Watson

‎Apr 19 2023 06:26 AM

‎Apr 19 2023 06:26 AM

Re: Best Time Field to Query Security Incidents

Generally the answer is TimeGenerated https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns#timegenerated

CreatedTime is a Sentinel column, and typically appears after TimeGenerated in a Query (as the Log record is subject to latency and processing, and only some activities create an Incident ) .
See these examples:https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns#timegenerated

Also https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?tabs=HTTP#incident
0 Likes
Reply
Joseph770

‎Oct 02 2023 01:17 PM - edited ‎Oct 02 2023 01:18 PM

‎Oct 02 2023 01:17 PM - edited ‎Oct 02 2023 01:18 PM

Re: Best Time Field to Query Security Incidents

Generally speaking, maybe.  It looks to me like "TimeGenerated" is created when the imported event is written to the Sentinel table.  This may not be helpful when conducting an investigation and or putting together a chain of events.  I have noticed that various event sources have different means of identifying when they captured the activity.  Getting at this information means parsing the data, and perhaps converting from text to a numeric (usually "tolong( )" with what I have seen), then converting that value to a time-date. 

 

I suggest evaluating log sources on a case-by-case basis to determine the most appropriate time-date value for the appropriate use case.

0 Likes
Reply
GBushey

‎Oct 03 2023 11:53 AM

‎Oct 03 2023 11:53 AM

Re: Best Time Field to Query Security Incidents

@tipper1510 If you are unaware, Sentinel will create a new row in the "SecurityIncidents" table each time an incident has been modified. Therefore, if you look at the first time an incident shows up in the table, the TimeGenerated and the CreatedTime should be the same. After that the TimeGenerated will be the time that the row was crearted, but the CreatedTime will stay the same. So, the answer would be it depends.  You can look for the maximum TimeGenerated for a given Incident number to make sure you have the latest changes but if you just look for the CreatedTime, you could end up with multiple rows.  Hope that makes sense.

1 Like
Reply