Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

List Ingestion Delays In CommonSecurityLog

October 14, 2024 Wayne Andes 2 min read

Description

This KQL query will check for ingestion delays in CommonSecurityLog by DeviceVendor and DeviceProduct.

Note: Azure Sentinel scheduled alert rules are delayed by 5 minutes. This allows data types with a smaller delay to be ingested on time for the scheduled run.

Query

Microsoft Sentinel

Kusto

CommonSecurityLog
| extend IngestionTime = ingestion_time()
| extend Delay = ingestion_time() - TimeGenerated
| summarize max(Delay) by DeviceVendor, DeviceProduct

References

Handle ingestion delay in Microsoft Sentinel | Microsoft Learn
Handling ingestion delay in Azure Sentinel scheduled alert rules – Microsoft Community Hub

List Most Triggered MITRE Techniques
Hunt For Password Changed After Successful Brute Force

Description

Query

Microsoft Sentinel

References

You May Also Like

Hunt For Potential Phishing Campaign

List Tamper Protection Alert Triggered By VMware Carbon Black App Control

List Unwanted Or Malicious Applications Detected By Fortinet

Leave a Reply Cancel reply