Apr 19 2023 03:21 AM
Hi,
What is the best time field to use for querying Security Incidents? I have seen examples using both TimeGenerated and CreatedTime. They produce quite different results.
Many thanks,
Tim
Apr 19 2023 06:26 AM
Oct 02 2023 01:17 PM - edited Oct 02 2023 01:18 PM
Generally speaking, maybe. It looks to me like "TimeGenerated" is created when the imported event is written to the Sentinel table. This may not be helpful when conducting an investigation and/or putting together a chain of events. I have noticed that various event sources have different means of identifying when they captured the activity. Getting at this information means parsing the data, and perhaps converting from text to a numeric (usually "tolong()" with what I have seen), then converting that value to a time-date.
I suggest evaluating log sources on a case-by-case basis to determine the most appropriate time-date value for the appropriate use case.
Oct 03 2023 11:53 AM
@tipper1510 If you are unaware, Sentinel will create a new row in the "SecurityIncidents" table each time an incident has been modified. Therefore, if you look at the first time an incident shows up in the table, the TimeGenerated and the CreatedTime should be the same. After that the TimeGenerated will be the time that the row was created, but the CreatedTime will stay the same. So, the answer would be it depends. You can look for the maximum TimeGenerated for a given Incident number to make sure you have the latest changes but if you just look for the CreatedTime, you could end up with multiple rows. Hope that makes sense.
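The "max TimeGenerated per incident number" approach from the answer above, written out as a KQL example. This is an added illustration, not code posted in the thread; it assumes the standard Microsoft Sentinel SecurityIncident table and its documented columns (IncidentNumber, Title, Status, Severity, CreatedTime, LastModifiedTime, TimeGenerated). The 7-day window is an arbitrary choice for the example.

```kusto
// Added example, not from the original thread.
// Assumes the Microsoft Sentinel SecurityIncident table with its documented
// columns: IncidentNumber, Title, Status, Severity, CreatedTime,
// LastModifiedTime, TimeGenerated.
//
// Query 1: one row per incident carrying its latest state.
// Filter on CreatedTime to pick *which* incidents (when they were opened),
// then keep only the newest row (max TimeGenerated) for each IncidentNumber
// so that updates do not produce duplicate incidents in the result.
SecurityIncident
| where CreatedTime >= ago(7d)                 // incidents opened in the last 7 days (window is arbitrary)
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // newest row wins, all columns kept
| project IncidentNumber, Title, Status, Severity, CreatedTime, LastModifiedTime, TimeGenerated
| order by CreatedTime desc

// --- Query 2 (run separately): show why the two time fields disagree. ---
// Each modification writes a new row, so an incident updated several times has
// several rows with the same CreatedTime but different TimeGenerated values.
SecurityIncident
| where TimeGenerated >= ago(7d)               // rows written in the last 7 days
| summarize Rows = count(),
            Created = min(CreatedTime),         // constant across rows of one incident
            FirstRow = min(TimeGenerated),      // equals Created for the first row
            LatestRow = max(TimeGenerated)      // moves forward with every update
        by IncidentNumber
| where Rows > 1                                // only incidents that were modified
| order by Rows desc
```

Filtering on TimeGenerated alone selects rows that happened to be written in the window, which can include late updates to old incidents and can miss incidents created in the window but not touched since; filtering on CreatedTime without the `arg_max` step returns every historical row for each matching incident. Combining a CreatedTime filter with `summarize arg_max(TimeGenerated, *) by IncidentNumber` gives one current row per incident.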