Skip to main content
Solved

different types of Time in events

  • October 23, 2024
  • 7 replies
  • 40 views
vanitharaj1208
Forum|alt.badge.img+14

  1. what is the difference between these time fileds?
  2. why start time and end time is same?
  3. which are the important time fields to considered?
  4. where can i find documentation around these udm time fields?

mainly i want to understand what each fields means and where it can be used ?

  • Start Time
  • End Time
  • event_metadata_eventTimestamp
  • event_metadata_ingestedTimestamp
  • event_target_user_attribute_creationTime
  • event_target_user_lastLoginTime
  • event_extracted_id.time
  • createdTime
  • timeWindow_startTime
  • timeWindow_endTime
  • Detection Time

 

 

 

 

 

 

Best answer by dnehoda

https://cloud.google.com/chronicle/docs/reference/udm-field-list

7 replies

dnehoda
Staff
Forum|alt.badge.img+16
  • dnehoda
  • Staff
  • October 23, 2024

Hi again, 

I can get your part of the way here but that screenshot is unreadable when zoomed in. 

 

  • Start Time
  • End Time
  • event_metadata_eventTimestamp - this is the actual security technology timestamp (when it occurred) 
  • event_metadata_ingestedTimestamp - this is when it was ingested into SIEM
  • event_target_user_attribute_creationTime - not sure here but potentially around the time of entity creation for that user
  • event_target_user_lastLoginTime - last time this user logged in 
  • event_extracted_id.time
  • createdTime - when case was created 
  • timeWindow_startTime - assuming your rule has an hour match statement 
  • timeWindow_endTime - this is the end of the hour 
  • Detection Time - when the rule ran to create the detection and subsequent alert
    dnehoda
    Staff
    Forum|alt.badge.img+16
    • dnehoda
    • Staff
    • Answer
    • October 23, 2024

    https://cloud.google.com/chronicle/docs/reference/udm-field-list

      vanitharaj1208
      Forum|alt.badge.img+14

      Hi again, 

      I can get your part of the way here but that screenshot is unreadable when zoomed in. 

       

      • Start Time
      • End Time
      • event_metadata_eventTimestamp - this is the actual security technology timestamp (when it occurred) 
      • event_metadata_ingestedTimestamp - this is when it was ingested into SIEM
      • event_target_user_attribute_creationTime - not sure here but potentially around the time of entity creation for that user
      • event_target_user_lastLoginTime - last time this user logged in 
      • event_extracted_id.time
      • createdTime - when case was created 
      • timeWindow_startTime - assuming your rule has an hour match statement 
      • timeWindow_endTime - this is the end of the hour 
      • Detection Time - when the rule ran to create the detection and subsequent alert

      Time UDM Fields

      event_metadata_eventTimestamp    2024-10-20T01:37:26Z

      event_metadata_ingestedTimestamp     2024-10-21T13:00:05.25165Z

      event_securityResult_1_lastUpdatedTime     2024-10-21T12:54:07Z

      createdTime    2024-10-22T15:30:02.721505Z

      timeWindow_startTime     2024-10-20T01:06:00Z

      timeWindow_endTime    2024-10-20T02:06:00Z

      event_securityResult_about_labels_clickTime   2024-10-20T01:37:26Z

      event_securityResult_about_labels_threatTime 2024-10-21T12:54:07Z

      Detection Time   2024-10-20T02:06:00Z

      • i want to understand these fields event_securityResult_1_lastUpdatedTime, event_securityResult_about_labels_clickTime   and  event_securityResult_about_labels_threatTime
        dnehoda
        Staff
        Forum|alt.badge.img+16
        • dnehoda
        • Staff
        • October 24, 2024

        Time UDM Fields

        event_metadata_eventTimestamp    2024-10-20T01:37:26Z

        event_metadata_ingestedTimestamp     2024-10-21T13:00:05.25165Z

        event_securityResult_1_lastUpdatedTime     2024-10-21T12:54:07Z

        createdTime    2024-10-22T15:30:02.721505Z

        timeWindow_startTime     2024-10-20T01:06:00Z

        timeWindow_endTime    2024-10-20T02:06:00Z

        event_securityResult_about_labels_clickTime   2024-10-20T01:37:26Z

        event_securityResult_about_labels_threatTime 2024-10-21T12:54:07Z

        Detection Time   2024-10-20T02:06:00Z

        • i want to understand these fields event_securityResult_1_lastUpdatedTime, event_securityResult_about_labels_clickTime   and  event_securityResult_about_labels_threatTime

        That screenshot is different from the original question. However it's now readable.  The security result times  

         

         

          vanitharaj1208
          Forum|alt.badge.img+14

          https://cloud.google.com/chronicle/docs/reference/udm-field-list


          Thank you @dnehoda !! 😊

            S
            Forum|alt.badge.img+8
            • skadavSilver 2
            • Silver 2
            • October 24, 2024

            Time UDM Fields

            event_metadata_eventTimestamp    2024-10-20T01:37:26Z

            event_metadata_ingestedTimestamp     2024-10-21T13:00:05.25165Z

            event_securityResult_1_lastUpdatedTime     2024-10-21T12:54:07Z

            createdTime    2024-10-22T15:30:02.721505Z

            timeWindow_startTime     2024-10-20T01:06:00Z

            timeWindow_endTime    2024-10-20T02:06:00Z

            event_securityResult_about_labels_clickTime   2024-10-20T01:37:26Z

            event_securityResult_about_labels_threatTime 2024-10-21T12:54:07Z

            Detection Time   2024-10-20T02:06:00Z

            • i want to understand these fields event_securityResult_1_lastUpdatedTime, event_securityResult_about_labels_clickTime   and  event_securityResult_about_labels_threatTime

            These fields are dependent on the SIEM rule that triggers the alert. Could you please share the rule information or the conditions used, so we can analyze and break down the fields accordingly?

            dnehoda
            Staff
            Forum|alt.badge.img+16
            • dnehoda
            • Staff
            • October 24, 2024

            Your welcome! As Shadav says as well, some of those fields are rule dependent which may never come into play much. 
            The big ones are event timestamp, ingest timestamp, detection timestamp and case creation timestamp.  

              Terms & ConditionsCookie settingsAccessibility statement
              Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

              © 2025 Google. All rights reserved.