When someone trips over a Canary and an alert is generated, the local timestamp is stored in the alert that is sent to the Console. We use the time on the Console when that alert is received to set the incident timestamp, and usually any difference between these two time sources is negligible.
Difference on disconnect/reconnect
However, if a Canary is attacked while disconnected from a Console, the alert time may differ more significantly from the incident time, because the incident is only created when the alert arrives at the Console. We notify you of this via an annotation on the incident so that you can make sense of any discrepancies.
Difference from time source drift
Sometimes the time on a Canary can drift and end up significantly out of sync with the time on your Console. When this happens, there may be a sizeable difference between the time at which an action is performed on the Canary and the incident timestamp on the Console.
We use the Console-side timestamp for incidents as it tends to be more reliable, but if you do see a warning regarding this you should be able to bring the timestamps back into line by synchronising the local time on your Canary. If your Canary is AD-joined, please check the time setting in your AD to confirm it's correct. If this is not an AD-joined Canary, please reach out to us for assistance.
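When the two timestamps disagree, either one may be closer to the real event: a disconnect delays the Console time, while drift skews the Canary time. The following is an added example, not Thinkst code, that searches another log source around both timestamps. The log format, the IP addresses, the 2-minute padding and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

PAD = timedelta(minutes=2)  # assumed tolerance, not a product setting

def correlation_windows(console_ts, canary_ts, pad=PAD):
    """Padded windows around both candidate event times, merged if they overlap."""
    spans = sorted((t - pad, t + pad) for t in (console_ts, canary_ts))
    merged = [spans[0]]
    for start, end in spans[1:]:
        if start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def matching_events(log_lines, windows, canary_ip):
    """Return log lines aimed at the Canary that fall inside any window."""
    hits = []
    for line in log_lines:
        ts_text, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(ts_text)
        if fields.get("dst") == canary_ip and any(s <= ts <= e for s, e in windows):
            hits.append(line)
    return hits

# Constructed sample: alert raised while the Canary was offline for ~45 minutes.
CANARY_TS = datetime.fromisoformat("2024-03-01T10:00:10+00:00")   # time stored in the alert
CONSOLE_TS = datetime.fromisoformat("2024-03-01T10:45:00+00:00")  # incident timestamp
FIREWALL_LOG = [  # constructed lines in a hypothetical key=value format
    "2024-03-01T10:00:08+00:00 src=192.0.2.10 dst=10.0.0.50 dport=22",
    "2024-03-01T10:00:09+00:00 src=192.0.2.10 dst=10.0.0.51 dport=22",
    "2024-03-01T10:20:00+00:00 src=192.0.2.10 dst=10.0.0.50 dport=22",
    "2024-03-01T10:44:30+00:00 src=198.51.100.7 dst=10.0.0.50 dport=445",
]

if __name__ == "__main__":
    windows = correlation_windows(CONSOLE_TS, CANARY_TS)
    for hit in matching_events(FIREWALL_LOG, windows, "10.0.0.50"):
        print(hit)
```

When the two timestamps are close, the windows merge into one, so the same search works for incidents without a discrepancy.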