What's the exact definition of 'Timegenerated' in an Azure Resource Graph query output for Container Image Vulnerabilities?

LaBombard, Lory 41 Reputation points
2024-05-30T14:45:02.8466667+00:00

When we run a query to find vulnerabilities in Container Images, there's a 'timegenerated' column in the query output. I've tried to find this documented somewhere, but can't, I've only found a document for Azure Monitor. Does this mean it's the last time the image was scanned or the first time the vulnerability was discovered with a scan, or something completely different? Thank you!

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,380 questions
Azure Container Registry
Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
467 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,436 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Akshay-MSFT 17,891 Reputation points Microsoft Employee
    2024-05-31T10:39:15.0866667+00:00

    @LaBombard, Lory

    Thank you for posting your query on Microsoft Q&A, from above description w

    The TimeGenerated column contains the date and time that the record was created by the data source. TimeGenerated provides a common column to use for filtering or summarizing by time. When you select a time range for a view or dashboard in the Azure portal, it uses TimeGenerated to filter the results.

    • Does this mean it's the last time the image was scanned or the first time the vulnerability was discovered with a scan, or something completely different?

    No this means the time when image scan or vulnerability discovery was recorded by defender for cloud into workspace. This time may be same as discovery time or may be different.

    For sentinel we have a DCR/DCE which is responsible for ingesting the data into the pipeline to log analytics/Azure Monitor due to which there could a time difference between the time event was recorded and event actually happened.

    Ingestion time might vary for different resources under different circumstances. For example, here are a few scenarios.

    User's image

    If you don't have any further queries and the suggested answer is as per your business need, please "Accept the answer", This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.