
Commit 553f033

committed
Update filtering parameters to specify time generated
1 parent 19f9c7f commit 553f033

6 files changed

Lines changed: 12 additions & 12 deletions

articles/sentinel/normalization-schema-alert.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -46,8 +46,8 @@ The Alert parsers support various [filtering parameters](normalization-about-par
4646

4747
| Name | Type | Description |
4848
|------|------|-------------|
49-
| **starttime** | datetime | Filter only alerts that started at or after this time. |
50-
| **endtime** | datetime | Filter only alerts that started at or before this time. |
49+
| **starttime** | datetime | Filter only alerts that started at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
50+
| **endtime** | datetime | Filter only alerts that started at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
5151
| **ipaddr_has_any_prefix** | dynamic | Filter only alerts for which the **'DvcIpAddr'** field is in one of the listed values. |
5252
| **hostname_has_any** | dynamic | Filter only alerts for which the **'DvcHostname'** field is in one of the listed values. |
5353
| **username_has_any** | dynamic | Filter only alerts for which the **'Username'** field is in one of the listed values. |
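Review bot: the appended clause on both the `starttime` and `endtime` rows contradicts the lead phrase that survives in front of it. The rows still say "alerts that started at or after this time" / "started at or before this time", while the new sentence says the comparison is made against `TimeGenerated`, not against `EventStartTime`; an alert whose `EventStartTime` is before `starttime` but whose `TimeGenerated` is after it is returned, which "started at or after" does not suggest. Reword the lead to match the actual filter, e.g. `| **starttime** | datetime | Filter only alerts whose `TimeGenerated` is at or after this time. |`, and keep the EventStartTime/EventEndTime caveat as a separate sentence. Two smaller points: `EventStartTime` and `EventEndTime` should be in code font to match `TimeGenerated`, and since the identical sentence is pasted into twelve rows across six files, it would be easier to keep consistent as an include or as a link to the filtering-parameters section of normalization-about-parsers.md that line 46 already references.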

articles/sentinel/normalization-schema-authentication.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -48,8 +48,8 @@ The following filtering parameters are available:
4848

4949
| Name | Type | Description |
5050
|----------|-----------|-------------|
51-
| **starttime** | datetime | Filter only authentication events that ran at or after this time. |
52-
| **endtime** | datetime | Filter only authentication events that finished running at or before this time. |
51+
| **starttime** | datetime | Filter only authentication events that ran at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
52+
| **endtime** | datetime | Filter only authentication events that finished running at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
5353
| **targetusername_has** | string | Filter only authentication events that have any of the listed user names. |
5454

5555

articles/sentinel/normalization-schema-dns.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -79,8 +79,8 @@ The following filtering parameters are available:
7979

8080
| Name | Type | Description |
8181
|----------|-----------|-------------|
82-
| **starttime** | datetime | Filter only DNS queries that ran at or after this time. |
83-
| **endtime** | datetime | Filter only DNS queries that finished running at or before this time. |
82+
| **starttime** | datetime | Filter only DNS queries that ran at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
83+
| **endtime** | datetime | Filter only DNS queries that finished running at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
8484
| **srcipaddr** | string | Filter only DNS queries from this source IP address. |
8585
| **domain_has_any**| dynamic/string | Filter only DNS queries where the `domain` (or `query`) has any of the listed domain names, including as part of the event domain. The length of the list is limited to 10,000 items.
8686
| **responsecodename** | string | Filter only DNS queries for which the response code name matches the provided value. <br>For example: `NXDOMAIN` |
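Review bot: same inconsistency as in the authentication table: "DNS queries that ran at or after" / "finished running at or before" now sit next to a sentence saying the filter is on `TimeGenerated`, so the two halves of each cell describe different fields. Replace the lead phrases with wording that names the field actually compared, e.g. `Filter only DNS queries whose `TimeGenerated` is at or after this time.`, and move the EventStartTime/EventEndTime remark into its own sentence with the field names in code font. Unrelated but visible in the trailing context: the `domain_has_any` row is missing its closing `|`, so the table cell is not terminated.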

articles/sentinel/normalization-schema-network.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -49,8 +49,8 @@ The following filtering parameters are available:
4949

5050
| Name | Type | Description |
5151
|----------|-----------|-------------|
52-
| **starttime** | datetime | Filter only network sessions that *started* at or after this time. |
53-
| **endtime** | datetime | Filter only network sessions that *started* running at or before this time. |
52+
| **starttime** | datetime | Filter only network sessions that *started* at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
53+
| **endtime** | datetime | Filter only network sessions that *started* running at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
5454
| **srcipaddr_has_any_prefix** | dynamic | Filter only network sessions for which the [source IP address field](#srcipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
5555
| **dstipaddr_has_any_prefix** | dynamic | Filter only network sessions for which the [destination IP address field](#dstipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
5656
| **ipaddr_has_any_prefix** | dynamic | Filter only network sessions for which the [destination IP address field](#dstipaddr) or [source IP address field](#srcipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.<br><br>The field [ASimMatchingIpAddr](#asimmatchingipaddr) is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. |
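Review bot: the italic *started* on these two rows was there to tell the reader that network sessions are filtered by their start, not their end, and the new sentence now says neither is used; the emphasis is misleading and should go. "network sessions that *started* running at or before this time" is also awkward on its own. Suggest `| **starttime** | datetime | Filter only network sessions whose `TimeGenerated` is at or after this time. |` and the matching `endtime` row, followed by a separate sentence noting that `EventStartTime` and `EventEndTime` are not used for the comparison; put those two field names in code font as `TimeGenerated` already is.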

articles/sentinel/normalization-schema-process-event.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -46,8 +46,8 @@ The following filtering parameters are available:
4646

4747
| Name | Type | Description |
4848
|----------|-----------|-------------|
49-
| **starttime** | datetime | Filter only process events occurred at or after this time. |
50-
| **endtime** | datetime | Filter only process events queries that occurred at or before this time. |
49+
| **starttime** | datetime | Filter only process events occurred at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
50+
| **endtime** | datetime | Filter only process events queries that occurred at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
5151
| **commandline_has_any** | dynamic | Filter only process events for which the command line executed has **any** of the listed values. The length of the list is limited to 10,000 items. |
5252
| **commandline_has_all**| dynamic | Filter only process events for which the command line executed has **all** of the listed values. The length of the list is limited to 10,000 items.
5353
| **commandline_has_any_ip_prefix** | dynamic | Filter only process events for which the command line executed has **all** of the listed IP addresses or IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items. |
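Review bot: both rows carry pre-existing grammar defects that this edit touches and could fix in passing: "Filter only process events occurred at or after" is missing "that", and "process events queries that occurred" has a stray "queries". Given the new sentence, the simplest correct wording is `Filter only process events whose `TimeGenerated` is at or after this time.` (and "at or before" for `endtime`), with the EventStartTime/EventEndTime note as a second sentence and those names in code font. Also visible in the trailing context: the `commandline_has_any_ip_prefix` description says the command line must contain **all** of the listed values, which contradicts the `_any` in the parameter name and the `commandline_has_all` row directly above it; one of the two is wrong.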

articles/sentinel/normalization-schema-web.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -69,8 +69,8 @@ The following filtering parameters are available:
6969

7070
| Name | Type | Description |
7171
|----------|-----------|-------------|
72-
| **starttime** | datetime | Filter only Web sessions that **started** at or after this time. |
73-
| **endtime** | datetime | Filter only Web sessions that **started** running at or before this time. |
72+
| **starttime** | datetime | Filter only Web sessions that **started** at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
73+
| **endtime** | datetime | Filter only Web sessions that **started** running at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
7474
| **srcipaddr_has_any_prefix** | dynamic | Filter only Web sessions for which the [source IP address field](normalization-schema-network.md#srcipaddr) prefix is in one of the listed values. The list of values can include IP addresses and IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
7575
| **ipaddr_has_any_prefix** | dynamic | Filter only network sessions for which the [destination IP address field](normalization-schema-network.md#dstipaddr) or [source IP address field](normalization-schema-network.md#srcipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.<br><br>The field [ASimMatchingIpAddr](normalization-schema-network.md#asimmatchingipaddr) is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. |
7676
| **url_has_any** | dynamic | Filter only Web sessions for which the [URL field](#url) has any of the values listed. The parser may ignore the schema of the URL passed as a parameter, if the source does not report it. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items.|
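Review bot: as in the network table, the bold **started** on these two rows asserts a start-time comparison that the appended sentence then retracts in favour of `TimeGenerated`; drop the emphasis and state the compared field directly, e.g. `| **starttime** | datetime | Filter only Web sessions whose `TimeGenerated` is at or after this time. |`, with the EventStartTime/EventEndTime caveat as its own sentence and the field names in code font. "Web sessions that **started** running at or before" should not survive either way. Also visible in the trailing context of this file: the `ipaddr_has_any_prefix` row still says "Filter only network sessions" in the Web schema table, which looks like a copy from normalization-schema-network.md.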
