Inconsistencies in Incident Monitoring: TimeGenerated vs CreatedTime
Inconsistencies in incident monitoring within Microsoft Sentinel: TimeGenerated (last update time) vs CreatedTime (incident occurrence time). Overview tab shows 225 incidents in 24 hours, but counts vary based on timestamp used. Author suggests using CreatedTime for accurate representation.
Some discrepancies have been noticed when it comes to monitoring the number of incidents. For example, we can see that this environment has had 225 incidents within the last 24 hours according to the Overview tab.
When running a count of these incidents, we can use the time they were "generated", which (according to the column description) is when the record was ingested into Sentinel, and take the distinct count of incidents.
This gives us the correct value of 225.
However, what some of the workbooks, and I, have been using is the "created" time, which is when the incident occurred on the local system.
This gives us a count of 68.
At first glance, it looks like many of the incidents are not ingested for almost 24 hours.
However, it looks like Microsoft's description of this column as the "Ingested" time is wrong: the TimeGenerated column is actually the last update time (adjusted for timezone), as seen here (note the 4-hour difference between UTC and EST with daylight saving in effect).
So I'm thinking that we should be using CreatedTime, and not TimeGenerated (the time the incident was last updated), depending on what you want to display to the client or monitor yourselves.
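Both counts in the post come from the same SecurityIncident table filtered on different timestamps. The following KQL is an added example, not a query from the original post: it de-duplicates incidents (the table stores one row per update, so IncidentNumber repeats), computes both counts side by side for the same 24-hour window, and adds an approximate ingestion lag (first row seen for an incident minus its CreatedTime) so a gap between the two counts can be checked against real delay instead of assumed. The column names are the standard SecurityIncident schema; `lookback` and the derived column names are my own.

```kql
// Added example (not from the original post). Assumes the standard Microsoft
// Sentinel SecurityIncident table, where every incident update writes a new row.
// Set the portal time range wider than 24h: the time picker filters on
// TimeGenerated before this query runs and would otherwise hide older rows.
let lookback = 24h;
SecurityIncident
// Collapse the update history to one row per incident.
| summarize
    FirstSeen   = min(TimeGenerated),      // first row written for this incident
    LastUpdated = max(TimeGenerated),      // what TimeGenerated really represents
    CreatedTime = take_any(CreatedTime),   // constant across an incident's rows
    Title       = take_any(Title)
    by IncidentNumber
// Approximate ingestion delay: how long after creation the first row appeared.
| extend IngestLagMinutes = datetime_diff('minute', FirstSeen, CreatedTime)
// Flag which window each incident falls into under the two timestamps.
| extend
    CountedByTimeGenerated = LastUpdated > ago(lookback),
    CountedByCreatedTime   = CreatedTime > ago(lookback)
// Side-by-side totals (remove this stage to list the incidents themselves).
| summarize
    UpdatedLast24h         = countif(CountedByTimeGenerated),   // Overview-style count
    CreatedLast24h         = countif(CountedByCreatedTime),     // CreatedTime-based count
    MedianIngestLagMinutes = percentile(IngestLagMinutes, 50)
```

If the median lag is small while the two totals differ widely, the difference is from incidents being updated (closed, re-assigned, re-tagged) well after creation, not from late ingestion. For client-facing reports that should show local time, KQL's datetime_utc_to_local() can convert CreatedTime to a named time zone in the per-incident stage before the final summarize.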