Hi @dooyoung,
I couldn't find any official documentation besides this one, which isn't explaining everything: https://cloud.google.com/chronicle/docs/detection/timestamp-definitions
But from my understanding it is as follows (if there's anyone who can refute this, please correct me)
Detection Time:
- This is the exact timestamp when the suspicious activity was initially detected. It indicates when the event or behavior that triggered the alert occurred (event timestamp)
- It helps in understanding when the potential threat started, which is crucial for analysis.
- For single-event rules it's the event timestamp
- For multi-event rules it's the end of the time window
Created:
- This timestamp shows when the alert was created in Google SecOps after the Rules Engine runs. Essentially, it represents the time when the system logged the detection and generated an alert for further investigation.
- As there can be consecutive runs, this timestamp is updated
Last Modified:
- This indicates the most recent time the alert was modified or updated. Modifications can occur due to several reasons, such as updates from further analysis, changes in the alert status, or additional data being appended like another detection.
- The Last Modified timestamp updates when there is any change in the alert's status, information, or when the alert is updated by a security analyst (for instance, if the severity is changed, or notes are added).
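To make the three timestamps in the post above concrete, here is an added toy model (example code written for this thread, not Google SecOps or Chronicle code). It builds an alert from constructed sample events for a single-event rule and for a multi-event rule with a 1h match window, records the rules-engine run time as Created, and then applies a NEW to OPEN status change to show that only Last Modified moves. One assumption is labelled in the code: the match window is anchored at the earliest matched event, which is a simplification for the model, not documented platform behaviour. It also derives a detection latency (Created minus Detection Time), a figure worth tracking because it tells you how far behind the actual activity your alerting runs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass
class Event:
    """One matched log event (constructed sample data, not real telemetry)."""
    timestamp: datetime
    principal: str
    action: str


@dataclass
class Alert:
    rule_name: str
    detection_time: datetime  # when the activity happened: event time or window end
    created: datetime         # when the rules engine produced the alert
    last_modified: datetime   # bumped on every change to the alert
    status: str = "NEW"
    history: List[str] = field(default_factory=list)

    def update_status(self, new_status: str, at: datetime) -> None:
        # Analyst or case-management action: only status and last_modified move;
        # detection_time and created stay fixed.
        self.status = new_status
        self.last_modified = at
        self.history.append(f"{at.isoformat()} status -> {new_status}")


def detection_time_for(events: List[Event], match_window: Optional[timedelta]) -> datetime:
    """Single-event rule (no match window): the event's own timestamp.
    Multi-event rule: the end of the match window. This model anchors the window
    at the earliest matched event (an assumption, not documented platform behaviour)."""
    first = min(e.timestamp for e in events)
    if match_window is None:
        if len(events) != 1:
            raise ValueError("single-event rule must match exactly one event")
        return first
    return first + match_window


def run_rule(rule_name: str, events: List[Event], match_window: Optional[timedelta],
             engine_run_at: datetime) -> Alert:
    """Mimic one rules-engine run: created == last_modified == engine run time."""
    dt = detection_time_for(events, match_window)
    return Alert(rule_name, dt, engine_run_at, engine_run_at)


def detection_latency(alert: Alert) -> timedelta:
    """How long after the activity the platform raised the alert (created - detection time)."""
    return alert.created - alert.detection_time


def build_sample_alerts() -> Dict[str, Alert]:
    """Constructed scenario: three failed logins inside a 1h window, plus one single-event hit."""
    base = datetime(2024, 1, 1, 9, 0, tzinfo=UTC)
    failed_logins = [Event(base + timedelta(minutes=m), "alice", "LOGIN_FAIL") for m in (0, 5, 10)]
    multi = run_rule("repeated_failed_logins", failed_logins, timedelta(hours=1),
                     engine_run_at=base + timedelta(hours=1, minutes=30))
    single = run_rule("single_failed_login", failed_logins[1:2], None,
                      engine_run_at=base + timedelta(minutes=20))
    # Case management moves the alert from NEW to OPEN later; only last_modified changes.
    multi.update_status("OPEN", base + timedelta(hours=2))
    return {"multi": multi, "single": single}


if __name__ == "__main__":
    for name, a in build_sample_alerts().items():
        print(f"{name}: detection={a.detection_time.isoformat()} created={a.created.isoformat()} "
              f"last_modified={a.last_modified.isoformat()} status={a.status} "
              f"latency={detection_latency(a)}")
```

Running it prints, for the multi-event alert, a Detection Time of 10:00 (window end), a Created of 10:30 (engine run) and a Last Modified of 11:00 (the status change), while the single-event alert keeps Detection Time equal to its one event's timestamp. The rule names, principal and timestamps are all constructed for the example.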
Hi Maxjunker
According to your explanation, the Alert STATE found as NEW by the detection rule has been changed to OPEN, so Last modified is changed and a Case is automatically created. For some logs, cases are automatically created and for some logs, cases are not created automatically. I don't know the difference.