Recently, Enterprise Security allowed for event timestamps to be index time instead of event time. I was excited about this since it would alleviate some issues related to log ingestion delays and outages. However, it appears there are some limitations which I have questions about. From the previously linked docs:

"Selecting Index time as the time range for a correlation search might impact the performance of the search."

What is the nature of the impact, specifically?

"Select Index time to run a correlation search only on raw events that do not use accelerated data model fields or the tstats command in the search. Otherwise, the UI might display errors. You can update the correlation search so that it does not include any tstats commands to avoid these errors."

So there is just no option to use index time with accelerated data models? Will this feature be added in the future?

"Drill down searches for notables might get modified when using Index time."

Modified in what way?

"Index time filters are added after the first " | " pipe character in a search string. Index time filters do not have any effect on accelerated datamodels, stats, streaming, or lookup commands. So, custom drilldown searches must be constructed correctly when using Index time."

What are index time filters? What is the correct way to construct custom drilldowns when using index time?

"Index time might not apply correctly to the Contributing Events search for risk notables."

How might it not apply correctly?

"The Index time time range might not be applied correctly to the original correlation search with datamodels, stats, streaming, or lookup commands at the end of the search since the index time range is applied after the "savedsearch" construct. Therefore, you must adjust the time range manually for the search."

How might it not apply correctly? Is there a specific example?
"When you select Index time to run the search, all the underlying searches are run using the All Time time range picker, which might impact the search performance. This includes the correlation search as well as the drill-down search of the notable adaptive response action. Additionally, the drill down search for the notable event in Incident Review also uses index time."

Am I understanding that first sentence correctly? What possible reason could there be to run the underlying search over "All Time"? In that case, what purpose does the alert time range serve? This seems like a massive caveat that makes index time practically unusable.

Index time seemed super promising, but the fact that you can't use it with accelerated data models, that it searches over all time, and that it could modify drilldowns in mysterious and unknown ways makes me wonder what use it actually serves? These seem like major issues, but I wanted to make sure I wasn't misunderstanding something.
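For the raw-event case the quoted docs allow (no accelerated data model, no tstats), the following is an added example of a correlation search keyed on index time; it is not taken from the post above or from Splunk's documentation. The index, sourcetype, EventCode and the failure threshold are assumed placeholders. The `_index_earliest` and `_index_latest` search modifiers filter on Splunk's internal `_indextime` field (the epoch at which each event was written to the index), while the time range picker filters on `_time`; an event must pass both filters to be returned.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
    _index_earliest=-15m@m _index_latest=@m
| eval ingest_lag_sec = _indextime - _time
| stats count AS failures,
        min(_time) AS first_event_time,
        max(_time) AS last_event_time,
        max(ingest_lag_sec) AS max_ingest_lag_sec
  BY user, src
| where failures >= 10
| convert ctime(first_event_time) ctime(last_event_time)
```

Scheduled every 15 minutes with the time range picker opened to All Time, this search matches an event whose `_time` is two hours old but whose `_indextime` falls in the last 15 minutes, which is the late-arrival case an index-time window exists for; with the picker set to the last 15 minutes instead, the same event is dropped by the `_time` filter before the index-time modifiers matter. The modifiers sit in the base search, before the first pipe, so the `stats` stage operates only on events already narrowed by index time; the `ingest_lag_sec` column makes the delay between event time and index time visible in the notable for triage.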