cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Timestamps in AlertTable

majo01
Brass Contributor

‎Aug 06 2020 08:13 AM

‎Aug 06 2020 08:13 AM

Timestamps in AlertTable

Hello,

 

In Sentinel Alert table, there are StartTime, EndTime, ProcessingEndTime. What do these refer to ?

Looking into sample alerts, in many cases StartTime and Endtime seem to correpsond to "set query_datetimescope_from" "set query_datetimescope_to " respectively which makes sense, but in other cases they don't map. The ProcessingEndTime seems to map to the end of LA rule execution time (i.e. after it starts running), any confirmation ?

 

majo01_0-1596726628364.png

 

2,308 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by majo01 (Brass Contributor)
Ofer_Shezaf

‎Aug 09 2020 07:37 AM

‎Aug 09 2020 07:37 AM

Solution

Re: Timestamps in AlertTable

@majo01 

 

Timestamps behave differently depending on the relevant alert provider and specific alert.

 

For alerts that aren’t Sentinel scheduled alerts the alert provider determines the start time, end time and processing time of the alert. 

 

For scheduled alerts it depends whether the query results contain the TimeGenerated of the events or not – if it does then the start and end times of the alert will be determined based on the earliest and last events, if it doesn’t they will be based on the time period that was queried to create the alert. TimeGeneraged and ProcessingEndTime are identical and refer to the time in which the query ran and the alert was created.

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by majo01 (Brass Contributor)
Ofer_Shezaf

‎Aug 09 2020 07:37 AM

‎Aug 09 2020 07:37 AM

Solution

Re: Timestamps in AlertTable

@majo01 

 

Timestamps behave differently depending on the relevant alert provider and specific alert.

 

For alerts that aren’t Sentinel scheduled alerts the alert provider determines the start time, end time and processing time of the alert. 

 

For scheduled alerts it depends whether the query results contain the TimeGenerated of the events or not – if it does then the start and end times of the alert will be determined based on the earliest and last events, if it doesn’t they will be based on the time period that was queried to create the alert. TimeGeneraged and ProcessingEndTime are identical and refer to the time in which the query ran and the alert was created.

View solution in original post

1 Like
Reply