Relevant versions:  ALL

SMTP incidents are treated differently than other kinds of DIM incidents. The time that appears in the incident list is the "Sent" time--that is, the time inserted by the email client as the time the user pushed the "Send" button. This is NOT the time that the incident was captured or detected.

For example, if the same email message is passed to a monitor multiple times, that email message will all have the same "time" on the incident list report since the time is based on what was stamped in the email message itself.

Additional information

One of our pre-requisites from the Install Guide states:

This is highly recommended.

The following applies:

Sent Time- the time at which a message was sent.
Capture Time- the time at which the message was captured by a Vontu system (e.g., in pcap, when the Monitor saw the message)
Detected Time- when the message was processed through the detection chain and the incident was found. This could be significantly later than capture time if there is a backlog in the detection queue. The Detected time appears in the Incident History.