Merge pull request #1698 from SEKOIA-IO/CharlesLR-sekoia-patch-1

Provide more information on alert delays causes
SEKOIA-IO · Mar 14, 2024 · 2177255 · 2177255
2 parents 146200b + 874b7e3
commit 2177255
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/docs/xdr/FAQ/Alerts_qa.md b/docs/xdr/FAQ/Alerts_qa.md
@@ -14,5 +14,10 @@ If it is involved in the current alert, the bell is not displayed.
 
 Besides matching a rule in real time, an alert can be triggered with a delay when: 
 
-    - An IOC is published, old events are scanned and if an event matches, the rule will automatically trigger an alert. 
-    - Reingesting old logs
+    - An IOC is published, old events are scanned and if an event matches, the rule will automatically trigger an alert.
+    - Logs from the source were received by Sekoia with a delay. Common route causes: 
+        * the log collection was interrupted, if logs are buffered loccaly on customer's side, before being sent later when the collection restarts 
+        * Reingestion of old logs
+
+!!! Note
+    See more informaiton on `timestamp` and `event.created`fields [here](Events_qa.md#timestampeventcreated-eventstart-eventend-meaning).