
Identify Log Ingestion Delays by Device in CommonSecurityLog with KQL

Monitoring ingestion latency in Microsoft Sentinel is key to ensuring log fidelity and timing accuracy, especially when dealing with security alerts. Using KQL, you can analyze CommonSecurityLog data to identify delays between the actual event time and its ingestion into Sentinel. This allows security teams to proactively handle log lag across different vendors and products, especially considering the standard 5-minute delay for scheduled rule executions in Sentinel. The query below provides insights into the maximum observed delay by DeviceVendor and DeviceProduct, enabling better tuning of alert logic and incident response timing.

Risk

Delayed log ingestion may cause critical security events to be missed or detected too late by scheduled analytics rules. This can lead to gaps in monitoring, reduced alert accuracy, and slower incident response. Identifying ingestion delays allows for optimized rule timing and ensures better detection fidelity across different security appliances.

Query

Microsoft Sentinel

// Compute the lag between event generation and arrival in the workspace
CommonSecurityLog
| extend IngestionTime = ingestion_time()
| extend Delay = IngestionTime - TimeGenerated
// Worst observed lag per source appliance
| summarize max(Delay) by DeviceVendor, DeviceProduct

This KQL query extends each log entry with its ingestion time and calculates the delay by subtracting the event’s original generation time. The final output summarizes the maximum delay grouped by DeviceVendor and DeviceProduct, highlighting where the largest ingestion lags are occurring.
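As an added example (not part of the original post), the same idea can be carried a step further to compare each source's lag with the 5-minute scheduled-rule offset mentioned above. The 24-hour look-back window, the 5-minute threshold and the output column names are assumptions:

```kusto
// Added example: how much of each vendor/product's traffic arrives later than
// the 5-minute scheduled-rule offset. Window and threshold are assumed values.
let lookback = 24h;
let ruleDelay = 5m;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| extend Delay = ingestion_time() - TimeGenerated
| summarize
    Events     = count(),
    MaxDelay   = max(Delay),
    P95Delay   = percentile(Delay, 95),
    LateEvents = countif(Delay > ruleDelay)   // events a rule's look-back could miss
    by DeviceVendor, DeviceProduct
| extend LatePct = round(100.0 * LateEvents / Events, 2)
// Keep only sources whose worst case exceeds the rule offset
| where MaxDelay > ruleDelay
| order by P95Delay desc
```

Sources with a high LatePct are candidates for a longer look-back or query-delay setting on the rules that consume them, rather than for a higher severity threshold.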
