cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best Time Field to Query Security Incidents

tipper1510
Contributor

‎Apr 19 2023 03:21 AM

‎Apr 19 2023 03:21 AM

Best Time Field to Query Security Incidents

Hi,

 

What is the best time field to use for querying Security Incidents? I have seen examples using both TimeGenerated and CreatedTime. They produce quite different results.

 

Many thanks,

Tim

Labels:
117 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Apr 19 2023 06:26 AM

‎Apr 19 2023 06:26 AM

Re: Best Time Field to Query Security Incidents

Generally the answer is TimeGenerated https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns#timegenerated

CreatedTime is a Sentinel column, and typically appears after TimeGenerated in a Query (as the Log record is subject to latency and processing, and only some activities create an Incident ) .
See these examples:https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-standard-columns#timegenerated

Also https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?tabs=HTTP#incident
0 Likes
Reply