topic Re: What field has the creation of the alert in "Alerts" dataset in XSIAM in Cortex XSIAM Discussions

What field has the creation of the alert in "Alerts" dataset in XSIAM

Vinay-AS — Fri, 19 Jan 2024 07:18:15 GMT

Hello Everyone,

We wanted to calculate the Mean time to detection in XSIAM. Hence we require fields name which has creation time of the alert and actual event generated time of event related to that alert. I believe the difference between these two will provide us the expected result.

Reagrds,

Vinay

Re: What field has the creation of the alert in "Alerts" dataset in XSIAM

afurze — Fri, 19 Jan 2024 14:51:12 GMT

Vinay-AS,

This metric may not give you what you're really after, as your essentially only going to be measuring the latency between a message being sent to XSIAM and the time it takes XSIAM to process the event to a dataset and run the correlation rule to create the alert. Calculating a true MTTD may require log analysis on the affected systems to determine when a threat truly first began affecting the endpoint and when we first generated an alert. Just because an alert was fired, doesn't mean that is the first time the endpoint was affected.

All that being said, there isn't a simple query to do this, as the alert dataset does not have information about the raw contributing events, it only knows when the alert was created. You would have to determine what the first contributing event was and then query that data to determine what the timestamp was for that event and compare with the creation time of the alert.

Re: What field has the creation of the alert in "Alerts" dataset in XSIAM

Vinay-AS — Fri, 19 Jan 2024 15:48:38 GMT

I have tried to analyze the different fields available in the "Alerts" dataset. After analyzing multiple alerts and correlating with the actual events, i came up with the following conclusion.

Field

_time: This field has timestamp of the actual event which qualified as alert.

event_timestamp: this field has the event timestamp in epoch time format. This value is same as _time most of the time.

local_insert_ts: This field seems to be having alert creation timestamp.

Based on my analysis, i think "local_insert_ts" - "_time" will give us the detection time.

Can anyone verify and let me know your inputs and validation.

Re: What field has the creation of the alert in "Alerts" dataset in XSIAM

PA_nts — Wed, 05 Feb 2025 10:55:18 GMT

Bit late in this chat.. .. but have you ever managed to figure how to do this?

was this the solution in the end ie "local_insert_ts" - "_time" ?

thanks

Re: What field has the creation of the alert in "Alerts" dataset in XSIAM

Vinay-AS — Mon, 10 Feb 2025 08:57:58 GMT

In the "alerts" dataset, "_time" field holds the actual event timestamp of the event related to this alert and "local_insert_ts" holds the arrival time(creation time) of the alert. So calculation for detection time of alerts is "local_insert_ts" - "_time".