Hello,
I'm setting up asset enrichment through the ENTITY_CONTEXT. I have configured time interval as below:
By concept as stated in EntityMetadata, the enriched asset data is only valid for April 5 - April 6 in UTC. Now, I have ingested some test events in April 10 and the fields are being enriched. Is there something that I did wrong?
Please note below screenshot are all test data and are not actual information.
Thanks in advance!
Kind regards,
Raven
It seems metadata time interval doesn't work with Asset ENTITY_CONTEXT. It only works with IOCs. Expiring IOCs in Entity Graph. How to expire Indicators of Compromise… | by Chris Martin (@thatsiemg...
Hoping someone could confirm this as well.
Confirmed with Google Support
" From the link I shared, Expiration of Entity Graph entities` section. What happens here is basically we consider these entities active for next 5 days from the ingestion time. This is true for all non IOC entities."