Inconsistencies in Incident Monitoring: TimeGenerated vs CreatedTime

Inconsistencies in incident monitoring within Microsoft Sentinel: TimeGenerated (last update time) vs CreatedTime (incident occurrence time). The Overview tab shows 225 incidents in the last 24 hours, but the count varies depending on which timestamp the query filters on. The author suggests using CreatedTime for an accurate representation.


Some discrepancies have been noticed when it comes to monitoring the number of incidents. For example, we can see that this environment has had 225 incidents within the last 24 hours according to the Overview tab.


Now, when it comes to running a count for these incidents, we can use the time they were "generated", which is described as the time the record was ingested into Sentinel, and take their distinct count.

This gives us the expected value of 225.

Now, what some of the workbooks (and I) have been using is the "created" time, which is when the incident occurred on the local system.

This gives us a count of 68.
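The two counts described above, written as one KQL query against the SecurityIncident table. This is an added example rather than a query from the original post; it assumes the standard SecurityIncident schema (IncidentNumber, TimeGenerated, CreatedTime) and a 24-hour lookback matching the Overview tab. The second query shows why a distinct count is needed at all: every update to an incident writes a fresh row, so a plain count() over TimeGenerated counts updates, not incidents.

```kql
// Added example, not from the original post.
// Count distinct incidents two ways over the same 24h window:
//   ByTimeGenerated - any row (create or update) landed in the window
//   ByCreatedTime   - the incident itself was created in the window
SecurityIncident
| where TimeGenerated > ago(24h) or CreatedTime > ago(24h)
| summarize
    ByTimeGenerated = dcountif(IncidentNumber, TimeGenerated > ago(24h)),
    ByCreatedTime   = dcountif(IncidentNumber, CreatedTime > ago(24h))

// Why dcount rather than count: one row per update, so each incident
// that was touched several times in the window shows up several times.
SecurityIncident
| where TimeGenerated > ago(24h)
| summarize
    Rows        = count(),
    FirstSeen   = min(TimeGenerated),
    LastUpdated = max(TimeGenerated),
    Created     = any(CreatedTime)
    by IncidentNumber
| where Rows > 1
| order by Rows desc
```

The first query gives both figures side by side; an incident created two days ago but re-assigned or commented on this morning counts towards ByTimeGenerated and not towards ByCreatedTime, which is where the 225 vs 68 gap comes from. Note that the Log Analytics time picker also filters on TimeGenerated, so when running this in the portal or a workbook the selected range needs to cover the creation times you care about.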

At first glance it looks like many of the incidents are not ingested for almost 24 hours.


However, it looks like the word "Ingested" used by Microsoft is wrong:

The TimeGenerated column is actually the last update time of the incident (displayed in the portal adjusted for the local timezone).

As seen here (note the 4-hour offset between UTC and Eastern Time while daylight saving is in effect).

So I'm thinking that we should be using CreatedTime, and not TimeGenerated (the time the incident was last updated), depending on what you want to display to the client or monitor yourselves.
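For a workbook or dashboard that follows this recommendation, the query below (added here, not taken from the original post or from any Microsoft-provided workbook) reduces the table to one row per incident with its latest state, filters on CreatedTime, and reports how long after creation the last update landed. Column names are those of the standard SecurityIncident schema; the 24h and 7d windows are assumptions.

```kql
// Added example, not from the original post.
// One row per incident (latest state), selected by when the incident was
// created rather than by when its most recent update row was written.
SecurityIncident
| where CreatedTime > ago(24h)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend UpdateLag = TimeGenerated - CreatedTime   // creation -> last update
| project
    IncidentNumber,
    Title,
    Severity,
    Status,
    CreatedTime,
    LastUpdated = TimeGenerated,
    UpdateLag
| order by UpdateLag desc

// Trend for a workbook tile: incidents per hour by the time they were
// created, so an old incident being edited today does not move the chart.
SecurityIncident
| where CreatedTime > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| summarize Incidents = dcount(IncidentNumber) by bin(CreatedTime, 1h)
| render timechart
```

Because CreatedTime is identical on every row of a given incident, filtering on it before the arg_max is safe; because every update row has TimeGenerated >= CreatedTime, a portal time range at least as wide as the CreatedTime window is enough to include all of them. The UpdateLag column makes the point of the post visible directly: a large lag is an old incident that was recently touched, not a slow ingestion.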