IntegralDefense / ACE

Analysis Correlation Engine
Apache License 2.0

Enforce event creation based on timestamp of phish #234

Open automationator opened 5 years ago

automationator commented 5 years ago

Currently when alerts are added to a new event in ACE, we automatically prepend the YYYYMMDD of the earliest ACE alert to the event name the analyst gives.

However, due to how we check for potentially missed phish in events, I think we should extend this logic a bit (assuming the event in question has phish alerts inside of it) so that ACE considers the timestamp of when the email was actually received instead of when the alert was created.

For example, if a user receives a phish on 04/16/2019 but doesn't report it until 04/17/2019, that reported phish alert should actually go in a 20190416 event.

One possible solution when an analyst selects phish alerts to create an event that span multiple days would be for ACE to actually create multiple events for each day with the same name that the analyst specified and place the alerts in their appropriate events based on the phish received timestamp.

And if an analyst tries to add a phish alert to an existing event that is from the "wrong" day, ACE should not allow it and/or notify them that it belongs in a different event.
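One way to implement the two behaviours described in this issue (splitting a selection of alerts into one event per day keyed on the phish received timestamp, and refusing to add an alert to an event from the wrong day), as an added illustration that is not ACE's own code. The `Alert` record, the `email_received` field, the "YYYYMMDD name" event-name convention and the sample alerts are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


class Alert:
    """Assumed, simplified alert record (not ACE's data model).
    Alerts created from a phish report carry the time the email was received."""

    def __init__(self, uuid: str, created: datetime,
                 email_received: Optional[datetime] = None):
        self.uuid = uuid
        self.created = created
        self.email_received = email_received


def event_day(alert: Alert) -> str:
    """YYYYMMDD the alert belongs to: the email received time for phish alerts,
    otherwise the alert creation time (the fallback the issue starts from)."""
    ts = alert.email_received or alert.created
    return ts.astimezone(timezone.utc).strftime("%Y%m%d")


def split_into_events(name: str, alerts: List[Alert]) -> Dict[str, List[str]]:
    """One event per distinct day, each named '<YYYYMMDD> <analyst name>'
    (assumed naming convention), holding the uuids of the alerts for that day."""
    events: Dict[str, List[str]] = defaultdict(list)
    for alert in alerts:
        events[f"{event_day(alert)} {name}"].append(alert.uuid)
    return dict(events)


def check_event_membership(event_name: str, alert: Alert) -> Optional[str]:
    """Return None when the alert's day matches the event's YYYYMMDD prefix;
    otherwise return the event name it actually belongs in, so the UI can
    refuse the add and tell the analyst where the alert should go."""
    day = event_day(alert)
    prefix, _, rest = event_name.partition(" ")
    return None if prefix == day else f"{day} {rest}"


# Constructed sample: two phish reported on the 17th, one of them received on
# the 16th (the case from the issue), plus a non-phish alert with no received time.
SAMPLE_ALERTS = [
    Alert("a1", datetime(2019, 4, 17, 9, 0, tzinfo=timezone.utc),
          email_received=datetime(2019, 4, 16, 22, 15, tzinfo=timezone.utc)),
    Alert("a2", datetime(2019, 4, 17, 9, 5, tzinfo=timezone.utc),
          email_received=datetime(2019, 4, 17, 8, 40, tzinfo=timezone.utc)),
    Alert("a3", datetime(2019, 4, 17, 9, 10, tzinfo=timezone.utc)),
]
```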