topic Re: Details Regarding XDR Query Fields: server_creation_time and creation_time in Cortex XDR Discussions

Details Regarding XDR Query Fields: server_creation_time and creation_time

sushant1601 — Mon, 12 Jun 2023 07:27:36 GMT

Hello Everyone,

We use below endpoint to collect the alerts:

/public_api/v1/alerts/get_alerts

Currently, we use creation_time to query alerts. But recently with the help of community answers only we found that creation_time is the time when an alert was created on the endpoint and not the time when the alert was ingested in XDR. For real time log collection if we use creation_time, we are missing few alerts.

In the API guide we can see that we can query based on server_creation_time.

We want to know which field in the alert does this server_creation_time represents? Does it represents the field local_insert_ts?

Could you please also confirm if we use server_creation_time instead of creation_time, will it solve our issue of missing alerts if we fetch real time alerts?

Any help in this is appreciated.

Thank you.

Re: Details Regarding XDR Query Fields: server_creation_time and creation_time

neelrohit — Tue, 13 Jun 2023 15:20:06 GMT

Hi @sushant1601 ,

In a recent discussion you had here : https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/td-p/545472

It was mentioned that the local_insert_ts is the timestamp for the data ingestion for the alert event in XDR and you were also provided a reference for API documentation. The field in the API shows the same. However, if you would go down further in the same document, you should have been able to find the fields captured using the same API which clearly refers to the local_insert_ts which corresponds to the creation time for the alert in Cortex XDR.

I have attached screenshot of an excerpt out of the same and would request you to look into the documentation details in the response fields sample section.

Re: Details Regarding XDR Query Fields: server_creation_time and creation_time

zarnous — Tue, 13 Jun 2023 15:24:55 GMT

Hi @sushant1601 ,

Happy to hear from you!

So a quick summary as below:

event_timestamp = creation_time = indicating when the event occurred and registered by the XDR agent.
insert_timestamp = server_creation_time = local_insert_ts = Ingestion timestamp, when the event was ingested into XDR server

So, to answer the second part of your use case, yes, the server_creation_time is going to help you fetching the alerts using the API.

I hope that was helpful to you and answered your question, please let me know if any!
Thanks,
Z

Re: Details Regarding XDR Query Fields: server_creation_time and creation_time

sushant1601 — Tue, 13 Jun 2023 17:02:50 GMT

Thank you for your response @neelrohit

In the recent discussion https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-xdr-api/td-p/545472, I asked about creation time and local_insert_time. The response there was clear about it, but what was not clear is that if server creation time is the local insert time. I couldn't find this link in documentation. I could able to see we can use server creation time, but my doubt was if the field in the logs for it is local insert time.

Anyways, thank you for your response.

Re: Details Regarding XDR Query Fields: server_creation_time and creation_time

sushant1601 — Tue, 13 Jun 2023 17:03:44 GMT

Thank you so much @zarnous .

Appreciate the clarification.