Trevax
Copper Contributor
Jun 02, 2025

Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized

Hi everyone,

I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting.

For example, this basic KQL query:

DeviceLogonEvents 
| where TimeGenerated >= ago(30d)
| where LogonType != "Local" 
| where DeviceName !contains ".fr" 
| where DeviceName !contains "shared-"
| where DeviceName !contains "gdc-" 
| where DeviceName !contains "mon-"
| distinct DeviceName

Now throws the error:
Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query.

Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI.

This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th.

Questions:

  1. Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps?
  2. Is there an alternative column or syntax we should use now?
  3. Are others experiencing this?

Any insights or workarounds would be greatly appreciated!

3 Replies

  • JohnnyStarfish
    Copper Contributor

    Something happened the week of May 21, 2025, because I'm having inconsistent results from queries myself where this particular week can only either be the beginning or end of all data returned. You may want to double check that the results you're seeing in the Advanced Hunting UI are accurate because mine are absolutely not.

    The culprit is indeed the TimeGenerated field, but more specifically inconsistent results arise from using any custom date range traversing the week of May 21, using either TimeGenerated with ago() or the UI calendar dropdown. If you limit the query window to one of the presets in the UI (hourly/7/30/day), only then does the query work as expected.

    This warrants a ticket being opened with Microsoft, but some other sucker can volunteer for that. Never again.

  • May consider below:

     

    • Check for Schema Changes – Microsoft may have updated the schema, causing TimeGenerated to be deprecated or replaced.
    • Use an Alternative Column – Some users have found success using Timestamp or EventTime instead.
    • Trevax
      Copper Contributor

      Indeed, I don't see it in the schema anymore. I just switched it with Timestamp on all my Logic Apps and it's working.
      Thanks a lot :)
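
Added example, not part of the thread and not any poster's code: a Python sketch that applies the TimeGenerated to Timestamp rename discussed above across an exported Logic App `actions` object, touching only Defender hunting actions so that workspace queries where TimeGenerated is still valid are left alone. The function names, the assumed JSON shape and the `advancedqueries` path hint are assumptions; the sample definition is constructed.

```python
import re

# Whole-word match, so names such as TimeGenerated_d are left alone.
COLUMN = re.compile(r"\bTimeGenerated\b")
# Assumption: Defender hunting actions are recognised by this substring in the
# action's connector path; adjust it to match your exported definitions.
HUNTING_PATH_HINT = "advancedqueries"

def _rename(node, path, findings):
    """Copy node, renaming the column in every string value and logging where."""
    if isinstance(node, dict):
        return {k: _rename(v, f"{path}.{k}", findings) for k, v in node.items()}
    if isinstance(node, list):
        return [_rename(v, f"{path}[{i}]", findings) for i, v in enumerate(node)]
    if isinstance(node, str) and COLUMN.search(node):
        findings.append(path)
        return COLUMN.sub("Timestamp", node)
    return node

def migrate_actions(actions, prefix="actions", findings=None):
    """Return (new_actions, findings); only Defender hunting actions change."""
    findings = [] if findings is None else findings
    out = {}
    for name, action in actions.items():
        here = f"{prefix}.{name}"
        action = dict(action)  # shallow copy so the input stays untouched
        inputs = action.get("inputs")
        if isinstance(inputs, dict) and HUNTING_PATH_HINT in str(inputs.get("path", "")).lower():
            action["inputs"] = _rename(inputs, f"{here}.inputs", findings)
        if isinstance(action.get("actions"), dict):  # nested Scope / For_each bodies
            action["actions"], _ = migrate_actions(action["actions"], f"{here}.actions", findings)
        out[name] = action
    return out, findings

# Constructed sample definition, not taken from the thread.
SAMPLE = {
    "Weekly_scope": {"type": "Scope", "actions": {
        "Hunt_logons": {"type": "ApiConnection", "inputs": {
            "method": "post", "path": "/api/advancedqueries/run",
            "body": {"Query": "DeviceLogonEvents | where TimeGenerated >= ago(30d) | distinct DeviceName"}}},
    }},
    "Workspace_query": {"type": "ApiConnection", "inputs": {
        "method": "post", "path": "/queryData",
        "body": "SecurityEvent | where TimeGenerated >= ago(1d)"}},
}

if __name__ == "__main__":
    migrated, hits = migrate_actions(SAMPLE)
    print("\n".join(hits))
```

The returned findings list gives the JSON path of every rewritten query, which can be reviewed before the definition is redeployed.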
