I have 2 qestion about time on ESA:
1. How I know ESA use time of event what come from concentrators (time when event was received on ESA), not real event time (event.time field). Can I use real event time in correlation process? I mean - can ESA uses field event.time like time of received event on ESA if this meta field exist?
2. Some of default correlation rules has criteria like 3 time for count events. For example rules like a "Suspicious Privileged User Access Activity". But from Active Directory can come many equally events which will have same time. Can I have count multiple events how one if those events has equal event.time meta field?