Details Regarding XDR Query Fields: server_creation_time and creation_time

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Details Regarding XDR Query Fields: server_creation_time and creation_time

L2 Linker

Hello Everyone,

 

We use below endpoint to collect the alerts:

/public_api/v1/alerts/get_alerts
 
Currently, we use creation_time to query alerts. But recently with the help of community answers only we found that creation_time is the time when an alert was created on the endpoint and not the time when the alert was ingested in XDR. For real time log collection if we use creation_time, we are missing few alerts. 
 
In the API guide we can see that we can query based on server_creation_time.
We want to know which field in the alert does this server_creation_time represents? Does it represents the field local_insert_ts?
 
Could you please also confirm if we use server_creation_time instead of creation_time, will it solve our issue of missing alerts if we fetch real time alerts?
 
Any help in this is appreciated.
 
Thank you.
 
1 accepted solution

Accepted Solutions

L2 Linker

Hi @sushant1601 ,

 

Happy to hear from you!

 

So a quick summary as below:

  • event_timestamp = creation_time = indicating when the event occurred and registered by the XDR agent.

  • insert_timestamp = server_creation_time = local_insert_ts = Ingestion timestamp, when the event was ingested into XDR server

    So, to answer the second part of your use case, yes, the server_creation_time is going to help you fetching the alerts using the API. 

I hope that was helpful to you and answered your question, please let me know if any!
Thanks,
Z

Z

View solution in original post

4 REPLIES 4

L5 Sessionator

Hi @sushant1601 ,

 

In a recent discussion you had here : https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-x...

It was mentioned that the local_insert_ts is the timestamp for the data ingestion for the alert event in XDR and you were also provided a reference for API documentation. The field in the API shows the same. However, if you would go down further in the same document, you should have been able to find the fields captured using the same API which clearly refers to the local_insert_ts which corresponds to the creation time for the alert in Cortex XDR.

 

I have attached screenshot of an excerpt out of the same and would request you to look into the documentation details in the response fields sample section.

Screenshot 2023-06-13 at 11.16.22 PM.png

L2 Linker

Hi @sushant1601 ,

 

Happy to hear from you!

 

So a quick summary as below:

  • event_timestamp = creation_time = indicating when the event occurred and registered by the XDR agent.

  • insert_timestamp = server_creation_time = local_insert_ts = Ingestion timestamp, when the event was ingested into XDR server

    So, to answer the second part of your use case, yes, the server_creation_time is going to help you fetching the alerts using the API. 

I hope that was helpful to you and answered your question, please let me know if any!
Thanks,
Z

Z

Thank you for your response @neelrohit 

In the recent discussion https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/detail-description-of-alert-log-fields-x... I asked about creation time and local_insert_time. The response there was clear about it, but what was not clear is that if server creation time is the local insert time. I couldn't find this link in documentation. I could able to see we can use server creation time, but my doubt was if the field in the logs for it is local insert time. 

Anyways, thank you for your response. 

Thank you so much @zarnous .

Appreciate the clarification. 

  • 1 accepted solution
  • 2261 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!