Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

List Ingestion Delays In Syslog

September 23, 2024 Wayne Andes 2 min read

Description

This KQL query will check for ingestion delays in Syslog by ProcessName, SourceSystem and HostName.

Note: Azure Sentinel scheduled alert rules are delayed by 5 minutes. This allows data types with a smaller delay to be ingested on time for the scheduled run.

Query

Microsoft Sentinel

Kusto

Syslog
| extend IngestionTime = ingestion_time()
| extend Delay = ingestion_time() - TimeGenerated
| summarize max(Delay) by ProcessName, SourceSystem, HostName

References

Handle ingestion delay in Microsoft Sentinel | Microsoft Learn
Handling ingestion delay in Azure Sentinel scheduled alert rules – Microsoft Community Hub

Detect When An Account Has Been Changed To Password To Never Expire
List Active Directory Group Additions

Description

Query

Microsoft Sentinel

References

You May Also Like

List Total Successful Sign-Ins By Operating System

List Azure Monitor Agent Connector Failures In Syslog

List Active Directory Group Additions

Leave a Reply Cancel reply