different types of Time in events


  1. What is the difference between these time fields?
  2. Why are start time and end time the same?
  3. Which are the important time fields to consider?
  4. Where can I find documentation around these UDM time fields?

Mainly I want to understand what each field means and where it can be used.

  • Start Time
  • End Time
  • event_metadata_eventTimestamp
  • event_metadata_ingestedTimestamp
  • event_target_user_attribute_creationTime
  • event_target_user_lastLoginTime
  • event_extracted_id.time
  • createdTime
  • timeWindow_startTime
  • timeWindow_endTime
  • Detection Time



Hi again, 

I can get you part of the way here, but that screenshot is unreadable when zoomed in.

 

  • Start Time
  • End Time
  • event_metadata_eventTimestamp - this is the actual security technology timestamp (when it occurred) 
  • event_metadata_ingestedTimestamp - this is when it was ingested into SIEM
  • event_target_user_attribute_creationTime - not sure here but potentially around the time of entity creation for that user
  • event_target_user_lastLoginTime - last time this user logged in 
  • event_extracted_id.time
  • createdTime - when the case was created
  • timeWindow_startTime - assuming your rule has an hour match statement 
  • timeWindow_endTime - this is the end of the hour 
  • Detection Time - when the rule ran to create the detection and subsequent alert


Time UDM Fields

  • event_metadata_eventTimestamp: 2024-10-20T01:37:26Z
  • event_metadata_ingestedTimestamp: 2024-10-21T13:00:05.25165Z
  • event_securityResult_1_lastUpdatedTime: 2024-10-21T12:54:07Z
  • createdTime: 2024-10-22T15:30:02.721505Z
  • timeWindow_startTime: 2024-10-20T01:06:00Z
  • timeWindow_endTime: 2024-10-20T02:06:00Z
  • event_securityResult_about_labels_clickTime: 2024-10-20T01:37:26Z
  • event_securityResult_about_labels_threatTime: 2024-10-21T12:54:07Z
  • Detection Time: 2024-10-20T02:06:00Z

  • I want to understand these fields: event_securityResult_1_lastUpdatedTime, event_securityResult_about_labels_clickTime and event_securityResult_about_labels_threatTime

That screenshot is different from the original question. However, it's now readable. The security result times


These fields are dependent on the SIEM rule that triggers the alert. Could you please share the rule information or the conditions used, so we can analyze and break down the fields accordingly?

Thank you @dnehoda !! 😊

You're welcome! As Shadav says as well, some of those fields are rule dependent and may never come into play much.
The big ones are event timestamp, ingest timestamp, detection timestamp and case creation timestamp.
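As an added example (not from this thread or from the SIEM vendor), the Python below parses the UDM timestamps transcribed from the screenshot above, computes the latency chain between the four timestamps the last reply calls the big ones, and checks where the event sits relative to the rule's time window; the one-hour ingestion-lag threshold is an assumed triage setting, not a product default.

```python
from datetime import datetime, timezone

# Values transcribed from the thread's screenshot (constructed dict, not a live export).
SAMPLE = {
    "event_metadata_eventTimestamp": "2024-10-20T01:37:26Z",
    "event_metadata_ingestedTimestamp": "2024-10-21T13:00:05.25165Z",
    "createdTime": "2024-10-22T15:30:02.721505Z",
    "timeWindow_startTime": "2024-10-20T01:06:00Z",
    "timeWindow_endTime": "2024-10-20T02:06:00Z",
    "Detection Time": "2024-10-20T02:06:00Z",
}

def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp ('Z' suffix); fractional seconds may have 1-9 digits."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {value!r}")
    body = value[:-1]
    if "." in body:
        base, frac = body.split(".", 1)
        body = f"{base}.{frac[:6].ljust(6, '0')}"  # normalise to exactly 6 digits for %f
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def time_lags(fields: dict) -> dict:
    """Latency chain (seconds) between event, ingest, detection and case-creation timestamps."""
    t = {k: parse_ts(v) for k, v in fields.items()}
    event, ingest = t["event_metadata_eventTimestamp"], t["event_metadata_ingestedTimestamp"]
    detect, case = t["Detection Time"], t["createdTime"]
    return {
        "event_to_ingest_s": (ingest - event).total_seconds(),      # source/pipeline delay
        "event_to_detection_s": (detect - event).total_seconds(),
        "ingest_to_detection_s": (detect - ingest).total_seconds(), # negative if stamped before ingest
        "detection_to_case_s": (case - detect).total_seconds(),     # delay until a case existed
    }

def check_alert_times(fields: dict, max_ingest_lag_s: float = 3600.0) -> list:
    """Return findings about the timestamps; an empty list means nothing stood out."""
    t = {k: parse_ts(v) for k, v in fields.items()}
    lags = time_lags(fields)
    findings = []
    if not t["timeWindow_startTime"] <= t["event_metadata_eventTimestamp"] <= t["timeWindow_endTime"]:
        findings.append("event timestamp lies outside the rule's match window")
    if lags["event_to_ingest_s"] > max_ingest_lag_s:  # assumed threshold, tune per log source
        findings.append(f"ingestion lag {lags['event_to_ingest_s'] / 3600:.1f} h exceeds {max_ingest_lag_s / 3600:.1f} h")
    if lags["ingest_to_detection_s"] < 0:
        findings.append("Detection Time is earlier than event_metadata_ingestedTimestamp")
    if t["Detection Time"] == t["timeWindow_endTime"]:
        findings.append("Detection Time equals timeWindow_endTime (stamped to the window boundary)")
    return findings
```

Run against the thread's own values, the checker reports a 35.4 h ingestion lag and a Detection Time that equals the window end and precedes ingestion, which is the kind of thing to verify before trusting dwell-time figures built from these fields.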