09-13-2023 12:41 AM
Hello Team,
We are using XQL to query data from the Cortex API for Windows event logs.
Our query runs every 5 minutes and we have used the parameter timeframe in the query. This parameter is provided in the API documentation.
However, when we pull the logs, there is a discrepancy between the number of logs we pull and the number of logs observed in Cortex XDR search.
We suspect that we are using log generation time to pull logs and this discrepancy could be due to latency in log ingestion at the API.
There are three fields available in the logs:
I want to understand:
Thank you in advance!
09-13-2023 08:27 AM
Hello @sushant1601
Thanks for reaching out on LiveCommunity!
Below is the description and comparison of the three fields.
_time -> It is the timestamp of the actual event that took place on the endpoint. Its data type is Integer.
_insert_time -> It is the timestamp when the event was inserted into the XDR database. Its data type is also integer.
insert_timestamp -> It is also the timestamp when the event was inserted into the XDR database, but its datatype is timestamp.
So if you are creating an XQL query to fetch data based on the insertion time of events, then "insert_timestamp" is the field you are looking for. Since it is of timestamp datatype, you can use the timestamp-related functions available within XQL.
09-15-2023 01:46 AM
Hello,
The parameter "timeframe" in the Cortex API represents the time range for which you want to retrieve logs. It is based on the log generation time, not the log ingestion time. The three timestamp fields (_time, _insert_time, and insert_timestamp) represent different aspects of the logs.
- _time represents the time when the event occurred.
- _insert_time represents the time when the log was ingested into Cortex XDR.
- insert_timestamp is a numerical representation of _insert_time.
If you suspect latency in log ingestion, you can use the _insert_time field in your XQL query to filter logs based on the time they were ingested.
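To make the ingestion-latency explanation in the replies above concrete, here is an added simulation (not code from the thread, and not a call to the Cortex XDR API) of a collector that polls every 5 minutes. It runs the same constructed set of events through two strategies: windowing on the event generation time (_time, what the timeframe parameter does) and windowing on the ingestion time (_insert_time). Events that are generated inside a window but ingested only after that window's poll has run are never picked up by the first strategy, which is exactly the gap between the pulled count and the count seen in XDR search. Event ids, timestamps and the Event class are constructed for the example.

```python
"""Simulate why polling a SIEM/XDR by event time misses late-ingested logs.

Constructed example: timestamps are seconds relative to t=0, not real data.
"""
from dataclasses import dataclass

POLL_INTERVAL = 300  # seconds; the thread polls every 5 minutes


@dataclass(frozen=True)
class Event:
    event_id: str
    event_time: int   # _time: when the event happened on the endpoint
    insert_time: int  # _insert_time: when XDR finished ingesting it


# Constructed sample events. e3 and e4 are generated in the first window but
# ingested only after that window's poll has already run (ingestion latency).
EVENTS = [
    Event("e1", 10, 20),     # ingested almost immediately
    Event("e2", 250, 280),   # ingested in the same window it was generated
    Event("e3", 290, 420),   # generated in window 1, ingested in window 2
    Event("e4", 295, 950),   # heavy latency: ingested two windows later
    Event("e5", 400, 410),
    Event("e6", 880, 890),
]


def visible_at(events, now):
    """A query run at `now` can only return events already ingested by then."""
    return [e for e in events if e.insert_time <= now]


def poll_by_event_time(events, now):
    """Strategy 1: window [now-300, now) on the generation time (_time)."""
    return [e for e in visible_at(events, now)
            if now - POLL_INTERVAL <= e.event_time < now]


def poll_by_insert_time(events, now):
    """Strategy 2: window [now-300, now) on the ingestion time (_insert_time)."""
    return [e for e in visible_at(events, now)
            if now - POLL_INTERVAL <= e.insert_time < now]


def run_collector(events, strategy, end_time):
    """Run the chosen strategy once per poll interval and collect the results."""
    collected = []
    for now in range(POLL_INTERVAL, end_time + 1, POLL_INTERVAL):
        collected.extend(strategy(events, now))
    return collected


def missing_ids(events, collected):
    """Ids present in the store (what XDR search shows) but never pulled."""
    pulled = {e.event_id for e in collected}
    return [e.event_id for e in events if e.event_id not in pulled]


if __name__ == "__main__":
    for name, strategy in (("by _time", poll_by_event_time),
                           ("by _insert_time", poll_by_insert_time)):
        got = run_collector(EVENTS, strategy, 1200)
        print(f"{name}: pulled {len(got)} of {len(EVENTS)}, "
              f"missing {missing_ids(EVENTS, got)}")
```

Polling on _insert_time returns every event exactly once, because each event's ingestion time falls into exactly one window regardless of how late it arrived. In a real collector the poll does not run at the exact window boundary, so a small look-back overlap on insert time plus de-duplication on the event id is the usual safeguard; the per-window result here is also what to compare against the XDR search count when checking for a gap.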