Forum Discussion

JanAnders45's avatar
JanAnders45
Copper Contributor
Mar 20, 2025

Lookup data from the last == ingestion_time()

Howdy! 

 

In "Analytics rule wizard - Create a new Scheduled rule" under Query scheduling you have to fill out "Lookup data from the last"

 

What time field is Sentinel looking at when determine which events to include in the lookup data? Is it ingestion_time()? Is it TimeGenerated? How does it know?

analytics
detection
Log Data

3 Replies

  • ITProfessor's avatar
    ITProfessor
    Brass Contributor
    Mar 23, 2025

    Hello!

    When you specify "Lookup data from the last X hours/days", Sentinel applies the filter on TimeGenerated, meaning it looks for logs where

    TimeGenerated >= ago(X hours/days etc)

    This ensures that the rule evaluates events based on when they actually occurred, not when they were ingested.

    • JanAnders45's avatar
      JanAnders45
      Copper Contributor
      Mar 26, 2025

      Thanks for the reply! This is interesting. Are you sure about this? Im finding some of the TimeGenerated to be unreliable and all over the place. For example events having TimeGenerated after they are ingested (time paradox)

      • ITProfessor's avatar
        ITProfessor
        Brass Contributor
        Mar 26, 2025

        Microsoft product unreliable? No way :D 

        A little bit more information in the link below;

        https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay

Resources