What field has the creation of the alert in "Alerts" dataset in XSIAM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What field has the creation of the alert in "Alerts" dataset in XSIAM

L1 Bithead

Hello Everyone,

 

We wanted to calculate the Mean time to detection in XSIAM. Hence we require fields name which has creation time of the alert and actual event generated time of event related to that alert. I believe the difference between these two will provide us the expected result.

 

Reagrds,

Vinay

1 accepted solution

Accepted Solutions

L1 Bithead

I have tried to analyze the different fields available in the "Alerts" dataset. After analyzing multiple alerts and correlating with the actual events, i came up with the following conclusion.

 

Field

_time: This field has timestamp of the actual event which qualified as alert.

event_timestamp: this field has the event timestamp in epoch time format. This value is same as _time most of the time.

local_insert_ts: This field seems to be having alert creation timestamp.

 

Based on my analysis, i think "local_insert_ts" - "_time" will give us the detection time.

Can anyone verify and let me know your inputs and validation.

View solution in original post

2 REPLIES 2

L4 Transporter

Vinay-AS,

 

This metric may not give you what you're really after, as your essentially only going to be measuring the latency between a message being sent to XSIAM and the time it takes XSIAM to process the event to a dataset and run the correlation rule to create the alert.  Calculating a true MTTD may require log analysis on the affected systems to determine when a threat truly first began affecting the endpoint and when we first generated an alert.  Just because an alert was fired, doesn't mean that is the first time the endpoint was affected.

 

All that being said, there isn't a simple query to do this, as the alert dataset does not have information about the raw contributing events, it only knows when the alert was created.  You would have to determine what the first contributing event was and then query that data to determine what the timestamp was for that event and compare with the creation time of the alert.

L1 Bithead

I have tried to analyze the different fields available in the "Alerts" dataset. After analyzing multiple alerts and correlating with the actual events, i came up with the following conclusion.

 

Field

_time: This field has timestamp of the actual event which qualified as alert.

event_timestamp: this field has the event timestamp in epoch time format. This value is same as _time most of the time.

local_insert_ts: This field seems to be having alert creation timestamp.

 

Based on my analysis, i think "local_insert_ts" - "_time" will give us the detection time.

Can anyone verify and let me know your inputs and validation.

  • 1 accepted solution
  • 1951 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!