Forum Discussion

JanAnders45's avatar
JanAnders45
Copper Contributor
Mar 20, 2025

Lookup data from the last == ingestion_time()

Howdy!    In "Analytics rule wizard - Create a new Scheduled rule" under Query scheduling you have to fill out "Lookup data from the last"   What time field is Sentinel looking at when determ...
analytics
detection
Log Data
ITProfessor's avatar
ITProfessor
Brass Contributor
Mar 23, 2025

Hello!

When you specify "Lookup data from the last X hours/days", Sentinel applies the filter on TimeGenerated, meaning it looks for logs where

TimeGenerated >= ago(X hours/days etc)

This ensures that the rule evaluates events based on when they actually occurred, not when they were ingested.

JanAnders45's avatar
JanAnders45
Copper Contributor
Mar 26, 2025

Thanks for the reply! This is interesting. Are you sure about this? Im finding some of the TimeGenerated to be unreliable and all over the place. For example events having TimeGenerated after they are ingested (time paradox)

  • ITProfessor's avatar
    ITProfessor
    Brass Contributor
    Mar 26, 2025

    Microsoft product unreliable? No way :D 

    A little bit more information in the link below;

    https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay

Resources