Requesting Clarity on XDR XQL API Logging (timeframe related)

L2 Linker

Hello Team,

We are using XQL to query data from the Cortex API for Windows event logs.

Our query runs every 5 minutes and we have used the parameter timeframe in the query. This parameter is provided in the API documentation.

However, when we pull the logs, there is a discrepancy between the number of logs we pull and the number of logs observed in Cortex XDR search.

We suspect that we are using log generation time to pull logs and that this discrepancy could be due to latency in log ingestion at the API.

There are three fields available in the logs:

  • _time
  • _insert_time
  • insert_timestamp

I want to understand:

  1. What does this parameter timeframe represent? Is it log generation time or ingestion time?
  2. What do the above three timestamp fields represent? What is the difference between those 3 fields?
  3. Is any of the above three fields the log ingestion time? If so, can we use it in an XQL query?

Thank you in advance!


Cortex XDR @zarnous 

Accepted Solutions

L4 Transporter

Hello @sushant1601

Thanks for reaching out on LiveCommunity!

Below is the description and comparison of the three fields.

_time -> It is the timestamp of the actual event that took place on the endpoint. Its data type is integer.

_insert_time -> It is the timestamp when the event was inserted into the XDR database. Its data type is also integer.

insert_timestamp -> It is also the timestamp when the event was inserted into the XDR database, but its data type is timestamp.

So if you are creating an XQL query to fetch data based on the insertion time of events, then "insert_timestamp" is the field you are looking for. Since it is of the timestamp data type, you can use the timestamp-related functions available within XQL.
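The discrepancy described in the question (a 5-minute poll that counts fewer events than the console shows) and the accepted answer's advice to filter on insertion time can be seen together in a small simulation. The following is an added example, not Cortex XDR or Palo Alto code and not the Cortex API: the `query` function is a hypothetical stand-in for an XQL run, the events are constructed inline with the two integer fields the answer describes (`_time`, when the event happened on the endpoint, and `_insert_time`, when XDR stored it, both assumed to be epoch milliseconds), and the poller names (`poll_by_event_time`, `poll_by_insert_time`, `missed_by_event_time`) are my own. It shows that events ingested after their `_time` window has already been polled are never fetched by a generation-time window, while a checkpointed insertion-time window fetches every event exactly once.

```python
"""Why a poll window on event time misses late-ingested events, and why a
window on insert time does not. Added illustration, not Cortex XDR code:
`query` stands in for an XQL run, and the events are constructed in-line
with the two fields the thread discusses, _time (when the event happened on
the endpoint) and _insert_time (when XDR stored it), both assumed to be
integer epoch milliseconds."""

from typing import Dict, List

Event = Dict[str, int]

MIN_MS = 60_000
T0 = 1_700_000_000_000          # arbitrary constructed epoch-millisecond origin
POLL_MS = 5 * MIN_MS            # the 5-minute cadence from the question

# Constructed sample: five events, two of which are ingested minutes after they occurred.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "_time": T0 + 1 * MIN_MS, "_insert_time": T0 + 1 * MIN_MS + 2_000},
    {"id": 2, "_time": T0 + 3 * MIN_MS, "_insert_time": T0 + 3 * MIN_MS + 5_000},
    {"id": 3, "_time": T0 + 4 * MIN_MS, "_insert_time": T0 + 9 * MIN_MS},    # ingested 5 min late
    {"id": 4, "_time": T0 + 7 * MIN_MS, "_insert_time": T0 + 7 * MIN_MS + 1_000},
    {"id": 5, "_time": T0 + 8 * MIN_MS, "_insert_time": T0 + 16 * MIN_MS},   # ingested 8 min late
]


def query(events: List[Event], field: str, start: int, end: int, now: int) -> List[Event]:
    """Hypothetical stand-in for an XQL query executed at wall-clock `now`:
    returns events whose `field` lies in [start, end) and that are already in
    the database (_insert_time <= now). An event not yet ingested cannot be
    returned, whichever field the filter uses."""
    return [e for e in events if start <= e[field] < end and e["_insert_time"] <= now]


def poll_by_event_time(events: List[Event], polls: int) -> List[int]:
    """Every 5 minutes, ask for events whose _time falls in the last 5 minutes.
    An event ingested after its _time window has been polled is never fetched."""
    seen: List[int] = []
    for i in range(polls):
        now = T0 + (i + 1) * POLL_MS
        for e in query(events, "_time", now - POLL_MS, now, now):
            if e["id"] not in seen:
                seen.append(e["id"])
    return seen


def poll_by_insert_time(events: List[Event], polls: int) -> List[int]:
    """Every 5 minutes, ask for events whose _insert_time lies between a saved
    checkpoint (the end of the previous poll) and now. Whatever was ingested
    since the last poll is fetched exactly once, however old its _time is."""
    seen: List[int] = []
    checkpoint = T0
    for i in range(polls):
        now = T0 + (i + 1) * POLL_MS
        for e in query(events, "_insert_time", checkpoint, now, now):
            if e["id"] not in seen:
                seen.append(e["id"])
        checkpoint = now   # a real collector must persist this between runs
    return seen


def missed_by_event_time(events: List[Event], polls: int) -> List[int]:
    """Ids that are in the database after `polls` polls but that the event-time
    poller never fetched: the gap the question describes."""
    fetched = set(poll_by_event_time(events, polls))
    horizon = T0 + polls * POLL_MS
    return sorted(e["id"] for e in events if e["_insert_time"] <= horizon and e["id"] not in fetched)


if __name__ == "__main__":
    print("event-time windows fetched  :", poll_by_event_time(SAMPLE_EVENTS, 4))
    print("insert-time windows fetched :", poll_by_insert_time(SAMPLE_EVENTS, 4))
    print("missed by event-time polling:", missed_by_event_time(SAMPLE_EVENTS, 4))
```

The simulation filters on the integer `_insert_time` only to keep the arithmetic plain; in a real XQL query the accepted answer's `insert_timestamp` field (timestamp type) carries the same information and allows the timestamp functions. The important design point is the persisted checkpoint: without it, an insertion-time window wide enough to cover ingestion lag would return the same events on consecutive polls, trading missed events for duplicates.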

2 REPLIES 2

L0 Member

Hello,

The parameter "timeframe" in the Cortex API represents the time range for which you want to retrieve logs. It is based on the log generation time, not the log ingestion time. The three timestamp fields (_time, _insert_time, and insert_timestamp) represent different aspects of the logs:

  • _time represents the time when the event occurred.
  • _insert_time represents the time when the log was ingested into Cortex XDR.
  • insert_timestamp is a numerical representation of _insert_time.

If you suspect latency in log ingestion, you can use the _insert_time field in your XQL query to filter logs based on the time they were ingested.
