This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Details Regarding XDR Query Fields: server_creation_time and creation_time

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Details Regarding XDR Query Fields: server_creation_time and creation_time

Go to solution
sushant1601
L2 Linker

‎06-12-2023 12:27 AM

Hello Everyone,

 

We use below endpoint to collect the alerts:

/public_api/v1/alerts/get_alerts
 
Currently, we use creation_time to query alerts. But recently with the help of community answers only we found that creation_time is the time when an alert was created on the endpoint and not the time when the alert was ingested in XDR. For real time log collection if we use creation_time, we are missing few alerts. 
 
In the API guide we can see that we can query based on server_creation_time.
We want to know which field in the alert does this server_creation_time represents? Does it represents the field local_insert_ts?
 
Could you please also confirm if we use server_creation_time instead of creation_time, will it solve our issue of missing alerts if we fetch real time alerts?
 
Any help in this is appreciated.
 
Thank you.
 
Cortex XDR 
Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
Preview file
43 KB
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
zarnous
L2 Linker

‎06-13-2023 08:24 AM

Hi @sushant1601 ,

 

Happy to hear from you!

 

So a quick summary as below:

  • event_timestamp = creation_time = indicating when the event occurred and registered by the XDR agent.

  • insert_timestamp = server_creation_time = local_insert_ts = Ingestion timestamp, when the event was ingested into XDR server

    So, to answer the second part of your use case, yes, the server_creation_time is going to help you fetching the alerts using the API. 

I hope that was helpful to you and answered your question, please let me know if any!
Thanks,
Z

Z

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
neelrohit
L5 Sessionator

‎06-13-2023 08:20 AM

Hi @sushant1601 ,

 

In a recent discussion you had here : https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-x...

It was mentioned that the local_insert_ts is the timestamp for the data ingestion for the alert event in XDR and you were also provided a reference for API documentation. The field in the API shows the same. However, if you would go down further in the same document, you should have been able to find the fields captured using the same API which clearly refers to the local_insert_ts which corresponds to the creation time for the alert in Cortex XDR.

 

I have attached screenshot of an excerpt out of the same and would request you to look into the documentation details in the response fields sample section.

Screenshot 2023-06-13 at 11.16.22 PM.png

Go to solution
zarnous
L2 Linker

‎06-13-2023 08:24 AM

Hi @sushant1601 ,

 

Happy to hear from you!

 

So a quick summary as below:

  • event_timestamp = creation_time = indicating when the event occurred and registered by the XDR agent.

  • insert_timestamp = server_creation_time = local_insert_ts = Ingestion timestamp, when the event was ingested into XDR server

    So, to answer the second part of your use case, yes, the server_creation_time is going to help you fetching the alerts using the API. 

I hope that was helpful to you and answered your question, please let me know if any!
Thanks,
Z

Z
0 Likes Likes

Go to solution
sushant1601
L2 Linker
In response to neelrohit

‎06-13-2023 10:02 AM

Thank you for your response @neelrohit 

In the recent discussion https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-x... I asked about creation time and local_insert_time. The response there was clear about it, but what was not clear is that if server creation time is the local insert time. I couldn't find this link in documentation. I could able to see we can use server creation time, but my doubt was if the field in the logs for it is local insert time. 

Anyways, thank you for your response. 

0 Likes Likes

Go to solution
sushant1601
L2 Linker
In response to zarnous

‎06-13-2023 10:03 AM

Thank you so much @zarnous .

Appreciate the clarification. 

0 Likes Likes
  • 1 accepted solution
  • 2241 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks