Best Time Field to Query Security Incidents

Brass Contributor



What is the best time field to use for querying Security Incidents? I have seen examples using both TimeGenerated and CreatedTime. They produce quite different results.


Many thanks,


3 Replies
Generally the answer is TimeGenerated

CreatedTime is a Sentinel column, and typically appears after TimeGenerated in a Query (as the Log record is subject to latency and processing, and only some activities create an Incident ) .
See these examples:


Generally speaking, maybe.  It looks to me like "TimeGenerated" is created when the imported event is written to the Sentinel table.  This may not be helpful when conducting an investigation and or putting together a chain of events.  I have noticed that various event sources have different means of identifying when they captured the activity.  Getting at this information means parsing the data, and perhaps converting from text to a numeric (usually "tolong( )" with what I have seen), then converting that value to a time-date. 


I suggest evaluating log sources on a case-by-case basis to determine the most appropriate time-date value for the appropriate use case.

@tipper1510 If you are unaware, Sentinel will create a new row in the "SecurityIncidents" table each time an incident has been modified. Therefore, if you look at the first time an incident shows up in the table, the TimeGenerated and the CreatedTime should be the same. After that the TimeGenerated will be the time that the row was crearted, but the CreatedTime will stay the same. So, the answer would be it depends.  You can look for the maximum TimeGenerated for a given Incident number to make sure you have the latest changes but if you just look for the CreatedTime, you could end up with multiple rows.  Hope that makes sense.