While searching for an entity in UDM search, we get two different sections upon result. One is TimedData and other is Timeless Data .
What does mean of timed data and timeless data, whats is the difference?
Page 1 / 1
Hi,
Timed data sources have a time range associated with each entry. This means that if a detection is generated on day 1, on any day in the future the same detection is expected to be generated for day 1 during a retro-hunt.
Timeless data sources have no time range associated with them. This is because only the latest set of data is what should be considered. Timeless data sources are frequently used for data such as file hashes that are not expected to change. If no detection is generated on day 1, on day 2 a detection might be generated for day 1 during a retro-hunt because a new entry was added.
Putting this into practice, here are some types of data that you find in the entity graph and where they would sit in regards to timed or timeless.
Timed Data
- User, asset, resource, group metadata - entity context
- 3rd party threat intel (I ingested MISP data into Entity graph for instance) - entity context
- Prevalence - derived context
- TOR Exit Nodes, Remote Access Tools, Benign Binaries - global context
- WHOIS - global context
Timeless
- First Seen - derived context
- VirusTotal Relationships - global context
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.