https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545487#M4524 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101">@nsinghvirk</a>&nbsp;for the quick response. Really appreciate it.&nbsp;</P> <P>Followup to your response, currently we query based on creation time to pull logs and to keep a pointer of the log fetched.. If&nbsp;<STRONG data-stringify-type="bold">local_insert_ts </STRONG>is the time when XDR agent ingests an alert, can we use this field in the API query to pull the logs?&nbsp;</P> <P>&nbsp;</P> <P>Thank you again for your response.&nbsp;</P> <P>&nbsp;</P> Fri, 09 Jun 2023 16:50:11 GMT sushant1601 2023-06-09T16:50:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545472#M4522 <P>Hello Everyone,&nbsp;</P> <P>&nbsp;</P> <P>We are pulling alerts from the XDR API using below endpoint:</P> <DIV class="sl-flex-1 sl-font-semibold">/public_api/v1/alerts/get_alerts</DIV> <DIV class="sl-flex-1 sl-font-semibold">&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold">We query based on creation time which is shown as detection_timestamp in the log.&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold">I am looking for clarity on below points:&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold">&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold">1. what is&nbsp;local_insert_ts field? What is the significance of this field? How it is different from creation time?</DIV> <DIV class="sl-flex-1 sl-font-semibold">2. Without&nbsp;local_insert_ts, is the log available in API to fetch?</DIV> <DIV class="sl-flex-1 sl-font-semibold">3. Is it possible that the&nbsp;local_insert_ts value may get changed for the same event? If it get changed, in what condition it happens?</DIV> <DIV class="sl-flex-1 sl-font-semibold">&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold">Thank you.&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold">&nbsp;</DIV> <DIV class="sl-flex-1 sl-font-semibold"><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</DIV> Fri, 09 Jun 2023 13:31:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545472#M4522 sushant1601 2023-06-09T13:31:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545486#M4523 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/293860">@sushant1601</a>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Please find below answers to your queries.</P> <OL class="p-rich_text_list p-rich_text_list__ordered" data-stringify-type="ordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0"><STRONG data-stringify-type="bold">local_insert_ts<SPAN>&nbsp;</SPAN></STRONG>field contains the date and time when XDR agent ingests an alert into cortex XDR tenant. In other words, it is the date and time when Cortex XDR’s Investigation and response became aware about an alert.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <STRONG style="font-family: inherit;" data-stringify-type="bold">Creation_time</STRONG><SPAN>&nbsp;</SPAN><SPAN>field represents the date and time when an alert was created on the&nbsp;</SPAN><SPAN>endpoint.</SPAN></LI> <LI data-stringify-indent="0" data-stringify-border="0"><SPAN>For the log to be available to fetch , it will be created with insertion time, that is when the log is ingested.</SPAN></LI> <LI data-stringify-indent="0" data-stringify-border="0">No, each log has its local_insert_ts, once the value is created it wont be changed , when&nbsp; a new log is ingested into XDR then a new local_insert_ts will be present in the log for that specific event</LI> </OL> Fri, 09 Jun 2023 16:25:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545486#M4523 nsinghvirk 2023-06-09T16:25:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545487#M4524 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101">@nsinghvirk</a>&nbsp;for the quick response. Really appreciate it.&nbsp;</P> <P>Followup to your response, currently we query based on creation time to pull logs and to keep a pointer of the log fetched.. If&nbsp;<STRONG data-stringify-type="bold">local_insert_ts </STRONG>is the time when XDR agent ingests an alert, can we use this field in the API query to pull the logs?&nbsp;</P> <P>&nbsp;</P> <P>Thank you again for your response.&nbsp;</P> <P>&nbsp;</P> Fri, 09 Jun 2023 16:50:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545487#M4524 sushant1601 2023-06-09T16:50:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545557#M4528 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/293860">@sushant1601</a>&nbsp;</P> <P>Use of a field depends on the use case or type of data that you want to obtain. Please take help from&nbsp;<A href="https://cortex-panw.stoplight.io/docs/cortex-xdr/0c82b9a6e79d9-get-all-alerts" target="_self">API reference guide</A>&nbsp;according to your use case.</P> <P>I hope this answers your question.</P> Sat, 10 Jun 2023 12:12:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/m-p/545557#M4528 nsinghvirk 2023-06-10T12:12:24Z