Hi again,
I can get you part of the way here, but that screenshot is unreadable when zoomed in.
- Start Time
- End Time
- event_metadata_eventTimestamp - this is the actual security technology timestamp (when it occurred)
- event_metadata_ingestedTimestamp - this is when it was ingested into SIEM
- event_target_user_attribute_creationTime - not sure here but potentially around the time of entity creation for that user
- event_target_user_lastLoginTime - last time this user logged in
- event_extracted_id.time
- createdTime - when case was created
- timeWindow_startTime - assuming your rule has an hour match statement
- timeWindow_endTime - this is the end of the hour
- Detection Time - when the rule ran to create the detection and subsequent alert

Time UDM Fields
event_metadata_eventTimestamp 2024-10-20T01:37:26Z
event_metadata_ingestedTimestamp 2024-10-21T13:00:05.25165Z
event_securityResult_1_lastUpdatedTime 2024-10-21T12:54:07Z
createdTime 2024-10-22T15:30:02.721505Z
timeWindow_startTime 2024-10-20T01:06:00Z
timeWindow_endTime 2024-10-20T02:06:00Z
event_securityResult_about_labels_clickTime 2024-10-20T01:37:26Z
event_securityResult_about_labels_threatTime 2024-10-21T12:54:07Z
Detection Time 2024-10-20T02:06:00Z
- I want to understand these fields: event_securityResult_1_lastUpdatedTime, event_securityResult_about_labels_clickTime and event_securityResult_about_labels_threatTime
That screenshot is different from the original question. However it's now readable. The security result times
These fields are dependent on the SIEM rule that triggers the alert. Could you please share the rule information or the conditions used, so we can analyze and break down the fields accordingly?
You're welcome! As Shadav says as well, some of those fields are rule-dependent, which may never come into play much.
The big ones are event timestamp, ingest timestamp, detection timestamp and case creation timestamp.
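An added example, not part of the thread or of any vendor tooling: a short Python script that parses the field/value dump posted above and measures the gaps between the four timestamps named in the last reply. The function names and the dictionary keys of the result are hypothetical; the sample values are copied from the post.

```python
from datetime import datetime, timedelta, timezone

# Field/value pairs copied from the alert posted in the thread.
SAMPLE = """\
event_metadata_eventTimestamp 2024-10-20T01:37:26Z
event_metadata_ingestedTimestamp 2024-10-21T13:00:05.25165Z
createdTime 2024-10-22T15:30:02.721505Z
timeWindow_startTime 2024-10-20T01:06:00Z
timeWindow_endTime 2024-10-20T02:06:00Z
Detection Time 2024-10-20T02:06:00Z
"""

def parse_ts(text):
    """Parse a UTC timestamp ending in 'Z' with any number of fractional digits."""
    whole, _, frac = text.rstrip("Z").partition(".")
    dt = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # Pad or truncate the fraction to microseconds ("25165" -> 251650).
    micros = int((frac + "000000")[:6]) if frac else 0
    return dt + timedelta(microseconds=micros)

def parse_fields(dump):
    """Split each line on its last space, since a field name may contain spaces."""
    fields = {}
    for line in dump.splitlines():
        if line.strip():
            name, _, value = line.strip().rpartition(" ")
            fields[name] = parse_ts(value)
    return fields

def timeline(fields):
    """Return the delays and ordering checks an analyst would read off an alert."""
    event = fields["event_metadata_eventTimestamp"]
    ingest = fields["event_metadata_ingestedTimestamp"]
    created = fields["createdTime"]
    detection = fields["Detection Time"]
    return {
        "ingest_lag": ingest - event,            # occurrence -> arrival in SIEM
        "ingest_to_case": created - ingest,      # arrival -> case creation
        "event_to_case": created - event,        # end-to-end delay
        "event_in_window": fields["timeWindow_startTime"] <= event < fields["timeWindow_endTime"],
        "detection_equals_window_end": detection == fields["timeWindow_endTime"],
        "detection_before_ingest": detection < ingest,
    }

if __name__ == "__main__":
    for name, value in timeline(parse_fields(SAMPLE)).items():
        print(f"{name:28} {value}")
```

On this sample the event reached the SIEM about 35 hours after it occurred, and Detection Time carries the same value as timeWindow_endTime, which is earlier than the ingested timestamp.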