Forum Discussion

akshayp199503's avatar
akshayp199503
Copper Contributor
Jul 16, 2025

Unable to query logs in Advanced Hunting

Hi Community,   Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated o...
microsoft defender for endpoint
microsoft sentinel
Surya_Narayana's avatar
Surya_Narayana
MCT
Jul 18, 2025

hi akshayp199503​ check one of these

 

To safely query recent events when Timestamp is unreliable:

DeviceImageLoadEvents

| where ingestion_time() >= ago(1h)

| project Timestamp, ingestion_time(), FileName, DeviceName

| limit 100

You can also add a null check if Timestamp is inconsistently populated:

DeviceImageLoadEvents

| where isnotempty(Timestamp) and Timestamp >= ago(1h)

| limit 100

 

Resources