Dec 28 2023 08:20 AM
We have recently noticed that an Azure AD user had (18) events that spanned over 7 minutes, whereas Sentinel morphed this into (35) events spanning over 2 days. We have been told by support that "by design" it is rare but entirely possible for this to happen. We have also been told that "TimeGenerated" reflects the time Sentinel received the event, not the time when the event was created on the actual data source. This seems to conflict with Microsoft's definition of "TimeGenerated", which is "The TimeGenerated column contains the date and time that the record was created by the data source".
Many SIEMs track three time parameters for an Event (McAfee, Splunk, ArcSight):
My own experience has led me to believe that the "Event Time" is what should be used for Security Analytics, while the other two are important for understanding SIEM performance, for example latency.
We're curious to know if anyone else has noticed this and how it's being handled.
J-
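One way to measure the drift the post describes, as an added KQL example that is not part of the original post: it assumes the Azure AD events are in the SigninLogs table, that CreatedDateTime is the source event time, and that Id identifies a sign-in record, and it compares source time, TimeGenerated and Log Analytics ingestion time per user and hour.

```kql
// Added example (not from the original post). Assumes Azure AD sign-ins land in
// SigninLogs, where CreatedDateTime is the time the event was created at the source
// and Id identifies one sign-in record. ingestion_time() is the Log Analytics
// ingestion timestamp, giving the three clocks a SIEM normally tracks.
SigninLogs
| where TimeGenerated > ago(7d)
| extend SourceTime    = CreatedDateTime,   // event time at the data source
         IngestionTime = ingestion_time()   // time the workspace ingested the record
| extend SourceToTableLag  = TimeGenerated - SourceTime,
         SourceToIngestLag = IngestionTime - SourceTime
| summarize Events         = count(),        // rows Sentinel holds
            DistinctEvents = dcount(Id),     // distinct source events (exposes duplicates)
            SourceSpan     = max(SourceTime) - min(SourceTime),
            TableSpan      = max(TimeGenerated) - min(TimeGenerated),
            MaxLag         = max(SourceToIngestLag)
          by UserPrincipalName, SourceHour = bin(SourceTime, 1h)
// Flag bursts that were tight at the source but stretched across a long window in
// the SIEM, or that grew in row count, which matches the 18-became-35 symptom.
| where TableSpan > SourceSpan + 1h or Events > DistinctEvents
| order by MaxLag desc
```

Analytics rules keyed on TimeGenerated would see the stretched TableSpan; keying on CreatedDateTime (SourceTime) restores the original 7-minute burst.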