You initiate a search with the following query:
event_simpleName=UserLogon | table _time ComputerName UserName
What results will display?
The query contains the fields '_time', 'ComputerName', and 'UserName'. The '_time' field in this context represents the timestamp of the event which is displayed in a human-readable format by default in most query tools, including Splunk. Therefore, the results will display human-readable event time, host name, and user name.
The correct answer is letter D, because the query has the fields "_time", "ComputerName" and "UserName". And the field "_time" means the timestamp of the moment the event was received by the CrowdStrike cloud, per the Event Data Dictionary document. You can run the query "event_simpleName=UserLogon | table _time ComputerName UserName" in Event Search and see the results.
I think the correct answer is B. If I run that query it is human readable.
D. _time is the command to convert cloud event time from epoch to UTC readable.
I think the correct answer is B.
Correct answer is A: Machine-readable event host time, host name, user name. Reference: _time: The host's local time in epoch format. "1538648887.051" https://falcon.crowdstrike.com/documentation/page/e3ce0b24/events-data-dictionary
Event Host Time is identified through ContextTimeStamp_decimal instead.
"Event host time" and "event cloud time" are two different timestamps that are used to track when an event occurred on the host and when it was ingested into the cloud-based logging service, respectively.
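The thread turns on the difference between the epoch-format `_time` value (cloud receive time) and the host-side `ContextTimeStamp_decimal` value. The following Python is an added example, not from the original thread or from CrowdStrike: it renders a constructed batch of events the way the `| table _time ComputerName UserName` query would, converting `_time` from epoch seconds to a human-readable UTC string, and then compares host time with cloud time to flag hosts whose events arrived with a large ingest lag (the 300-second threshold and all sample values are assumptions).

```python
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). "_time" is the cloud receive
# time and "ContextTimeStamp_decimal" the host's local time, both in epoch seconds.
SAMPLE_EVENTS = [
    {"event_simpleName": "UserLogon", "_time": 1538648887.051,
     "ContextTimeStamp_decimal": 1538648885.200,
     "ComputerName": "WS-01", "UserName": "alice"},
    {"event_simpleName": "UserLogon", "_time": 1538648900.000,
     "ContextTimeStamp_decimal": 1538647700.000,
     "ComputerName": "WS-02", "UserName": "bob"},
    {"event_simpleName": "ProcessRollup2", "_time": 1538648901.000,
     "ContextTimeStamp_decimal": 1538648900.500,
     "ComputerName": "WS-01", "UserName": "alice"},
]


def epoch_to_utc(ts):
    """Render an epoch-seconds float as 'YYYY-MM-DD HH:MM:SS.mmm UTC'.

    Milliseconds are rounded as an integer first so float noise in the
    fractional part does not leak into the output.
    """
    ms = int(round(ts * 1000))
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ms % 1000:03d} UTC"


def table(events, fields=("_time", "ComputerName", "UserName"),
          event_name="UserLogon"):
    """Mimic 'event_simpleName=<name> | table <fields>' over an in-memory list.

    Only "_time" is converted to a readable string; other fields pass through.
    """
    rows = []
    for event in events:
        if event.get("event_simpleName") != event_name:
            continue
        row = {}
        for field in fields:
            value = event.get(field)
            if field == "_time" and isinstance(value, (int, float)):
                value = epoch_to_utc(value)
            row[field] = value
        rows.append(row)
    return rows


def ingest_lag_seconds(event):
    """Cloud receive time minus host event time, in seconds."""
    return event["_time"] - event["ContextTimeStamp_decimal"]


def flag_delayed_hosts(events, threshold_seconds=300):
    """Return ComputerName values whose events reached the cloud later than
    threshold_seconds after they happened on the host (assumed threshold)."""
    return [e["ComputerName"] for e in events
            if ingest_lag_seconds(e) > threshold_seconds]


if __name__ == "__main__":
    for row in table(SAMPLE_EVENTS):
        print(row["_time"], row["ComputerName"], row["UserName"])
    print("delayed hosts:", flag_delayed_hosts(SAMPLE_EVENTS))
```

A large gap between the two timestamps is worth a look in its own right: a sensor that was offline, a host with a skewed clock, or a forwarding problem all show up as host time and cloud time drifting apart, which is why relying on only one of them when building a timeline can mislead.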