Query Details

Hunting Bookmark Health

Query

// Bookmark health: alert when no hunting bookmark has been created or updated for 3+ days
HuntingBookmark
| where TimeGenerated > ago(30d)                                            // only look at the last 30 days of bookmark events
| summarize last_log = datetime_diff("second", now(), max(TimeGenerated))  // seconds since the most recent bookmark event
| where last_log >= 259200                                                 // 259200 s = 3 days; a returned row means bookmarking has gone stale

Explanation

HuntingBookmark is the Log Analytics table in which Microsoft Sentinel records hunting bookmark events, so this query is a health check on bookmarking activity rather than on one named bookmark. It restricts the table to events from the last 30 days, takes the latest TimeGenerated among them, and uses datetime_diff to express the gap between now() and that timestamp in seconds. The final where keeps the row only when that gap is at least 259,200 seconds (3 days), so any result means no bookmark has been created or updated for three days or more. One caveat: if there are no events at all in the 30-day window, max(TimeGenerated) is null, the comparison with 259200 is not true, and the query returns nothing, which is the one case where bookmarking is most clearly unhealthy.
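To close that gap, the following variant is an added example and not part of the author's original query. It assumes the same HuntingBookmark table and relies on summarize returning a single row (count() = 0, max() = null) when no rows match, so the empty-window case produces a row too instead of silence. Column aliases (bookmark_events, last_event, seconds_since_last) are names chosen here for illustration.

```kusto
// Added example: bookmark health check that also fires when there are no bookmark events at all
HuntingBookmark
| where TimeGenerated > ago(30d)
// With no matching rows, summarize still emits one row: count() = 0 and max() = null
| summarize bookmark_events = count(), last_event = max(TimeGenerated)
// datetime_diff returns null when last_event is null, so handle that case explicitly
| extend seconds_since_last = datetime_diff("second", now(), last_event)
| extend stale = bookmark_events == 0 or seconds_since_last >= 259200   // 259200 s = 3 days
| where stale
| project bookmark_events, last_event, seconds_since_last, stale
```

Run as an ad-hoc query, a returned row now means either "no bookmark activity in 30 days" (bookmark_events = 0, last_event empty) or "last activity 3+ days ago"; with no rows returned, bookmarking is healthy. If it is wired into a scheduled analytics rule, keep the 30-day lookback in mind, since the rule's own query period must be at least as long for the count() = 0 branch to mean what it says.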

Details


Rod Trent

Released: November 9, 2021

Tables

HuntingBookmark

Keywords

HuntingBookmark,TimeGenerated,ago,summarize,last_log,datetime_diff,now,max

Operators

where, ago, summarize, datetime_diff, now(), max, >=
