Can someone help me understand the differences between the detection timestamp and the creation timestamp?
According to this document: https://docs.cloud.google.com/chronicle/docs/detection/timestamp-definitions
Detection Timestamp - The detection timestamp at the end of a match window or the metadata.event_timestamp
Created Timestamp - When the detection was created by detection engine
Why are there such large delays in these times? I have rules that use a match over 5 minutes, and I have the rule frequency set to run as quickly as it can, which is 10 minutes. How come the detection time and creation time vary greatly, by anywhere from 5 to 40 minutes?

I understand that if the rule logic is met after the rule is run, then it would have to wait 10 minutes before the rule is run again. That doesn’t account for the delays of 20 minutes or more. This is causing us to not be able to respond or contain quickly since we are already 20+ minutes behind.
If there is a way to tune the rules to have the detection and creation timestamps be closer, I am open to suggestions.