What's the meaning of each enriched timestamp field in my alerts on Panther?

Last updated: September 3, 2024

QUESTION

What is the meaning of each alert timestamp field in my alerts records on Panther?

ANSWER

Panther enriches each alert with the following timestamps:

  • p_alert_creation_time is the first time an event matched this rule

  • p_event_time is the time the event reported itself as happening

  • p_parse_time is the time the event was processed by Panther

  • p_alert_update_time is the last time an event matched this rule (in the case of deduplication)
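As an added example (not part of this Panther article and not Panther's own tooling), the script below reads the four fields from a constructed alert record and derives the timeline facts an analyst usually wants during triage: how far the event's self-reported time lags behind Panther's processing time (log delivery delay or source clock skew), how long after processing the alert was created, and how long the deduplication window ran. The record values and the helper names are invented for illustration.

```python
from datetime import datetime

# Constructed sample alert record (invented values, not real Panther output).
# Only the field names follow the article.
SAMPLE_ALERT = {
    "p_alert_creation_time": "2024-09-03T10:00:05.000Z",
    "p_event_time": "2024-09-03T09:58:00.000Z",
    "p_parse_time": "2024-09-03T10:00:03.000Z",
    "p_alert_update_time": "2024-09-03T10:45:05.000Z",
}

# Second constructed record: the source log carried no usable event time.
SAMPLE_ALERT_NO_EVENT_TIME = {
    "p_alert_creation_time": "2024-09-03T11:00:00.000Z",
    "p_event_time": None,
    "p_parse_time": "2024-09-03T10:59:59.000Z",
    "p_alert_update_time": "2024-09-03T11:00:00.000Z",
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp string; tolerate a trailing 'Z'.

    Returns None when the field is absent so callers can treat a missing
    p_event_time as 'unknown' rather than crash on it.
    """
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def alert_timeline(alert):
    """Derive triage timing facts from the four enriched timestamp fields.

    ingestion_lag_s:      p_parse_time - p_event_time (None if no event time).
                          Large positive values mean delayed log delivery;
                          negative values mean the source clock runs ahead.
    detection_latency_s:  p_alert_creation_time - p_parse_time, i.e. how
                          long after processing the first match was raised.
    dedup_window_s:       p_alert_update_time - p_alert_creation_time, i.e.
                          how long further events kept matching this alert.
    deduplicated:         True when at least one later event was folded in.
    """
    creation = parse_ts(alert.get("p_alert_creation_time"))
    event = parse_ts(alert.get("p_event_time"))
    parsed = parse_ts(alert.get("p_parse_time"))
    update = parse_ts(alert.get("p_alert_update_time"))
    if creation is None or parsed is None or update is None:
        raise ValueError("alert record is missing a Panther-supplied timestamp")

    lag = None if event is None else (parsed - event).total_seconds()
    return {
        "ingestion_lag_s": lag,
        "source_clock_ahead": lag is not None and lag < 0,
        "detection_latency_s": (creation - parsed).total_seconds(),
        "dedup_window_s": (update - creation).total_seconds(),
        "deduplicated": update > creation,
    }


if __name__ == "__main__":
    for record in (SAMPLE_ALERT, SAMPLE_ALERT_NO_EVENT_TIME):
        print(alert_timeline(record))
```

When pivoting from an alert into the raw logs, search on p_event_time but pad the window by the observed ingestion lag; a search window built only from p_alert_creation_time will miss events whose source clocks were behind or whose delivery was delayed.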