
List Ingestion Delays Of All Analytics Rules

Description

These KQL queries check for ingestion delays affecting all Analytics Rules, by comparing the time a record was ingested (ingestion_time()) with the time it was generated (TimeGenerated).

Note: Azure Sentinel scheduled alert rules run 5 minutes late by design. This gives data types with a smaller ingestion delay time to be ingested before the scheduled run executes.


Query

Maximum delay per Sentinel resource:

```kusto
SentinelHealth
| extend IngestionTime = ingestion_time()
| extend Delay = IngestionTime - TimeGenerated
| summarize max(Delay) by SentinelResourceName
```

Median and maximum delay per Sentinel resource:

```kusto
SentinelHealth
| extend IngestionTime = ingestion_time()
| extend Delay = IngestionTime - TimeGenerated
| summarize percentiles(Delay, 50, 100) by SentinelResourceName
```

Maximum delay per incident title:

```kusto
SecurityIncident
| extend IngestionTime = ingestion_time()
| extend Delay = IngestionTime - TimeGenerated
| summarize max(Delay) by Title
```
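As an added example (not part of the original page), the same delay measurement applied to every table in the workspace, so you can see which data types are being ingested later than the 5 minute rule delay described in the note above. The 24 hour lookback, the 95th percentile and the threshold are assumptions; adjust them to your workspace.

```kusto
// Added example: per-table ingestion latency versus the scheduled rule delay.
// Assumptions: 24h lookback, p95 as the latency measure, 5m threshold.
let lookback = 24h;
let ruleDelay = 5m;   // scheduled analytics rules run 5 minutes late (see note above)
union withsource=TableName *
| where TimeGenerated > ago(lookback)
| extend Delay = ingestion_time() - TimeGenerated
| summarize
    Events   = count(),
    p50Delay = percentile(Delay, 50),
    p95Delay = percentile(Delay, 95),
    MaxDelay = max(Delay)
    by TableName
// Tables whose typical delay exceeds the rule delay risk being missed by scheduled rules.
| extend ExceedsRuleDelay = p95Delay > ruleDelay
| order by p95Delay desc
```

Scanning every table with union * can be slow on large workspaces, so run it over a short lookback first or restrict the union to the tables your rules actually query.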
