Forum Discussion
JLospinoso
Dec 28, 2023, Copper Contributor
Event Time
We have recently noticed that an Azure AD user had (18) events that spanned over 7 minutes, whereas Sentinel morphed this into (35) events spanning over 2 days. We have been told by support that "b...
samikroy
Dec 29, 2023, Brass Contributor
You can try using ingestion time like this to extract the ingestion time
SigninLogs
| extend ingestionTime = ingestion_time()
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ingestiontimefunction?pivots=azuredataexplorer
- JLospinoso, Jan 02, 2024, Copper Contributor
Thanks. We're trying to identify if there is a specific field (or function) that can be counted on as the time the event was created by the given Data Source. Microsoft's definition above leads us to believe that's "TimeGenerated", but our observation and statements from Microsoft Support don't agree. For Security Analytics, the event's creation time (when the thing actually happened) is what's relevant.
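The query below is an added example, not part of the original thread. It puts TimeGenerated and ingestion_time() side by side for one user's sign-ins so the 7-minute versus 2-day discrepancy can be checked directly. The user name and the 7-day lookback are placeholder assumptions; Id and UserPrincipalName are standard SigninLogs columns.

```kusto
// Added example: compare event time and ingestion time for one user's sign-ins.
// "user@example.com" and the 7d lookback are placeholders, not values from the thread.
let targetUser = "user@example.com";
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ targetUser
| extend IngestionTime = ingestion_time()
// Delay between the timestamp on the record and when the workspace stored it
| extend IngestionDelay = IngestionTime - TimeGenerated
| summarize
    Rows            = count(),
    DistinctSignIns = dcount(Id),            // fewer than Rows means a record was stored more than once
    FirstGenerated  = min(TimeGenerated),
    LastGenerated   = max(TimeGenerated),
    FirstIngested   = min(IngestionTime),
    LastIngested    = max(IngestionTime),
    MaxDelay        = max(IngestionDelay)
    by UserPrincipalName
// Span of the activity by each clock: a short GeneratedSpan with a long
// IngestedSpan points at late or repeated ingestion rather than at the events themselves
| extend GeneratedSpan = LastGenerated - FirstGenerated,
         IngestedSpan  = LastIngested - FirstIngested
```

If GeneratedSpan itself covers days while the source portal shows minutes, the difference is in the timestamp carried on the records, not in ingestion delay.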