Which field should you reference in order to find the system time of a *FileWritten event?
The correct field to reference for finding the system time of a *FileWritten event is 'ContextTimeStamp_decimal'. This field indicates the time at which an event occurred on the system as seen by the sensor. It captures the system time of the event, which is what is required to determine when the FileWritten event took place.
ContextTimeStamp: System time of event creation.
System time should be ContextTimeStamp_decimal
The question is asking "system time of xxx". The "*FileWritten event" is the event; the focus is the system time, so the answer is A. Document: Falcon Documentation > Event Investigation > Events > Events Full Reference (Events Data Dictionary). ContextTimeStamp_decimal: The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). Not to be confused with timestamp, which is the time the event was received by the cloud.
(A) ContextTimeStamp_decimal: This field specifically refers to the time the event was captured by the security system, which is what you're interested in for a FileWritten event.
ContextTimeStamp. FileTimeStamp only records time of file modification, not creation.
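The distinction the thread draws between `ContextTimeStamp_decimal` (system time as seen by the sensor) and `timestamp` (time the cloud received the event) is easy to get wrong when building a timeline. The following is an added example, not code from the original page or from CrowdStrike: it parses a constructed *FileWritten-style record, reads the system time from `ContextTimeStamp_decimal`, and computes how far behind the cloud receipt time lagged. The event record, the `aid` placeholder and the file path are constructed; the assumption that `ContextTimeStamp_decimal` is epoch seconds with a fractional part and that `timestamp` is epoch milliseconds is an assumption made for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample record (not real Falcon data). Field units are assumptions for
# this example: ContextTimeStamp_decimal = epoch seconds as seen by the sensor,
# timestamp = epoch milliseconds when the cloud received the event.
SAMPLE_EVENT = json.dumps({
    "event_simpleName": "ExampleFileWritten",          # placeholder event name
    "aid": "EXAMPLE_AID_PLACEHOLDER",                  # placeholder agent id
    "ContextTimeStamp_decimal": "1700000000.123",      # sensor-observed system time
    "timestamp": "1700000042000",                      # cloud receipt time (ms)
    "TargetFileName": "\\Device\\HarddiskVolume1\\Users\\example\\sample.txt",
})


def parse_event(raw: str) -> dict:
    """Parse one JSON event record into a dict."""
    return json.loads(raw)


def system_time(event: dict) -> datetime:
    """System time of the event on the host, as reported by the sensor.

    Deliberately reads only ContextTimeStamp_decimal; a missing field raises
    KeyError rather than silently falling back to the cloud receipt time.
    """
    return datetime.fromtimestamp(float(event["ContextTimeStamp_decimal"]), tz=timezone.utc)


def cloud_receipt_time(event: dict) -> datetime:
    """Time the cloud received the event (epoch milliseconds in this sample)."""
    return datetime.fromtimestamp(int(event["timestamp"]) / 1000, tz=timezone.utc)


def ingestion_lag_seconds(event: dict) -> float:
    """Seconds between the event occurring on the host and the cloud receiving it."""
    return (cloud_receipt_time(event) - system_time(event)).total_seconds()


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print("system time   :", system_time(ev).isoformat())
    print("cloud receipt :", cloud_receipt_time(ev).isoformat())
    print("ingestion lag :", f"{ingestion_lag_seconds(ev):.3f}s")
```

Using the sensor-side field for the timeline matters because the lag can be minutes or longer when a host was offline; ordering events by `timestamp` would place them at upload time rather than when the file was actually written.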