Hello, does differentiore (lgnore Removals) mean Differential query?For example, when querying the server for an abnormal process, the content of the query in this hour is compared to the query in the last hour. If there are other processes in this hour, the result log will be generated. Another question is what does action: add mean in the results log.

yep, I think that you're understanding it correctly

But the actual result of the query is not what I understand it to be, and the same process warnings often appear in the result log

hm, can you give an example of the log you don't expect? (just a snippet is fine, and feel free to redact any sensitive information)

The time I sent the pack was 11:00 the interval was 3600s but the log time was not just an hour later