Query Details

Alert Ingestion Time

Query

// Tracking how long it takes an Alert to ingest (in minutes)

SecurityAlert
| summarize by ProviderName, AlertName, Minutes_ = datetime_diff("minute", ingestion_time(), TimeGenerated)
| order by Minutes_ desc

Explanation

This query tracks the time it takes for an alert to be ingested, measured in minutes. For each SecurityAlert row it computes the difference in minutes between ingestion_time() (when the record landed in the Log Analytics workspace) and TimeGenerated (when the source produced the alert), and groups by provider name, alert name and that computed value, so each distinct latency observed for a provider/alert pair appears as its own row. The results are ordered by the time difference, largest first, which puts the slowest-arriving alerts at the top.
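A variant added here (not part of the original query) that aggregates the same ingestion latency per provider and alert name instead of listing every distinct value; the lookback window and the 15-minute threshold are assumed values to be tuned per workspace:

```kql
// Added example: ingestion latency per provider/alert over a lookback window.
// Flags pairs whose 95th-percentile latency exceeds an assumed threshold.
let lookback = 7d;               // assumed lookback window
let slow_threshold_min = 15;     // assumed threshold in minutes; tune per tenant
SecurityAlert
| where TimeGenerated > ago(lookback)
// Same measurement as the original query: ingestion minus generation time
| extend IngestLagMin = datetime_diff("minute", ingestion_time(), TimeGenerated)
| summarize Alerts    = count(),
            AvgLagMin = round(avg(IngestLagMin), 1),
            P95LagMin = percentile(IngestLagMin, 95),
            MaxLagMin = max(IngestLagMin),
            LastSeen  = max(TimeGenerated)
  by ProviderName, AlertName
| extend Slow = P95LagMin > slow_threshold_min
| order by P95LagMin desc
```

Scheduled analytics rules evaluate a window of TimeGenerated, so an alert that is ingested later than the rule's lookback can be missed; the P95LagMin column shows which sources need a wider window or a dedicated latency check.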

Details


Rod Trent

Released: August 11, 2021

Tables

SecurityAlert

Keywords

SecurityAlert,ProviderName,AlertName,Minutes_,ingestion_time,TimeGenerated

Operators

summarize, by, datetime_diff, order by
