This document explains common timestamps for events and detections.
For more information about timestamps, seeDate function.
The following timestamps are related to events:
Event timestamp: Time when an event occurred and is stored in themetadata.event_timestampUDM field. Rules and UDM searches use themetadata.event_timestampfield for queries.
Collected timestamp: Time when an event was collected by the local collection
infrastructure, such as the forwarder. This is stored in themetadata.collected_timestampUDM field.
Ingested timestamp: Time when an event was ingested by Google Security Operations.
This is stored in themetadata.ingested_timestampUDM field.
The following timestamps are stored with detections:
Detection window: For rules with amatchsection,
a detection is created over the time range, called
thedetection window. The event timestamps for events that triggered the detection
are within the detection window.
Detection timestamp: For rules with amatchsection, the detection
timestamp is the end time of the detection window. Otherwise, the detection
timestamp is themetadata.event_timestampof the event that generated the
detection.
Detection created timestamp: Date and time the detection was created by
detection engine.
Where timestamps appear in the application
The following sections define where you can view these timestamps in the UI.
UDM Event viewer
To open theUDM Eventview, do the following:
Perform a UDM Search.
In theEventstab, select an event to open theEvent viewer
TheUDM eventpane displays the following data:
Event timestamp is stored in themetadata.event_timestampUDM field (1).
Ingested timestamp is stored in themetadata.ingested_timestampUDM field (2).
Detections panel
To open theDetectionsview, do the following:
OpenDetections>Rules & Detections, and then click theDashboardbutton.
Click the rule name link under theRule namecolumn. TheDetectionspanel appears and displays the following:
Detection timestamp appears in rows that identify a detection (1).
Event timestamp appears in rows that identify events (2).
Alert view
To open theAlertview, do the following:
OpenDetections>Alerts & IOCs.
Under theAlertstab, click the alert name link in theNamecolumn.
Click theOverviewtab to display the following:
Alert (or Detection) created timestamp appears in theAlert Detailspane >Createdfield (1).
Detection window appears in theDetection Summarypane >Detection windowfield (2).
Detection timestamp appears is in theDetection Summarypane >Alerts detected atfield (3).
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis document details the various timestamps associated with events and detections within Google Security Operations, including their definitions and locations in the user interface.\u003c/p\u003e\n"],["\u003cp\u003eEvent timestamps mark when an event occurred, collected timestamps indicate when the event was gathered by local infrastructure, and ingested timestamps show when the event entered Google Security Operations.\u003c/p\u003e\n"],["\u003cp\u003eDetections have a detection window that is the time range in which events that trigger a detection are included, as well as a detection timestamp representing the end time of the detection window.\u003c/p\u003e\n"],["\u003cp\u003eThe detection created timestamp indicates when the detection was generated by the detection engine and can be found in the alert details pane under the created field.\u003c/p\u003e\n"],["\u003cp\u003eTimestamps for events (event and ingested) are visible in the UDM event viewer, while detection timestamps and event timestamps are in the Detections panel.\u003c/p\u003e\n"]]],[],null,["# Timestamp Definitions\n=====================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nThis document explains common timestamps for events and detections.\nFor more information about timestamps, see [Date function](/chronicle/docs/reference/parser-syntax#date_function).\n\nThe following timestamps are related to events:\n\n- **Event timestamp** : Time when an event occurred and is stored in the `metadata.event_timestamp` UDM field. Rules and UDM searches use the `metadata.event_timestamp` field for queries.\n- **Collected timestamp** : Time when an event was collected by the local collection infrastructure, such as the forwarder. This is stored in the `metadata.collected_timestamp` UDM field.\n- **Ingested timestamp** : Time when an event was ingested by Google Security Operations. This is stored in the `metadata.ingested_timestamp` UDM field.\n\nThe following timestamps are stored with detections:\n\n- **Detection window** : For rules with a [`match` section](/chronicle/docs/detection/yara-l-2-0-syntax#match_section_syntax), a detection is created over the time range, called the *detection window*. The event timestamps for events that triggered the detection are within the detection window.\n- **Detection timestamp** : For rules with a `match` section, the detection timestamp is the end time of the detection window. Otherwise, the detection timestamp is the `metadata.event_timestamp` of the event that generated the detection.\n- **Detection created timestamp**: Date and time the detection was created by detection engine.\n\nWhere timestamps appear in the application\n------------------------------------------\n\nThe following sections define where you can view these timestamps in the UI.\n\n### UDM Event viewer\n\nTo open the **UDM Event** view, do the following:\n\n1. Perform a UDM Search.\n2. In the **Events** tab, select an event to open the [Event viewer](/chronicle/docs/investigation/udm-search#event-viewer)\n3. The **UDM event** pane displays the following data:\n\n - Event timestamp is stored in the `metadata.event_timestamp` UDM field (1).\n - Ingested timestamp is stored in the `metadata.ingested_timestamp` UDM field (2).\n\n### Detections panel\n\nTo open the **Detections** view, do the following:\n\n1. Open **Detections** \\\u003e **Rules \\& Detections** , and then click the **Dashboard** button.\n2. Click the rule name link under the **Rule name** column. The **Detections** panel appears and displays the following:\n\n - Detection timestamp appears in rows that identify a detection (1).\n - Event timestamp appears in rows that identify events (2).\n\n### Alert view\n\nTo open the **Alert** view, do the following:\n\n1. Open **Detections** \\\u003e **Alerts \\& IOCs**.\n2. Under the **Alerts** tab, click the alert name link in the **Name** column.\n3. Click the **Overview** tab to display the following:\n\n - Alert (or Detection) created timestamp appears in the **Alert Details** pane \\\u003e **Created** field (1).\n - Detection window appears in the **Detection Summary** pane \\\u003e **Detection window** field (2).\n - Detection timestamp appears is in the **Detection Summary** pane \\\u003e **Alerts detected at** field (3).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
