Forum Discussion
Unable to query logs in Advanced Hunting
Hi Community,
Recently, I turned off the ingestion of some of the Device* tables to Sentinel via the Microsoft XDR data connector. Ever since ingestion stopped in Sentinel, filtering on the TimeGenerated or Timestamp column in KQL has not worked in Microsoft XDR Advanced Hunting at all.
Example KQL in Advanced Hunting below:
DeviceImageLoadEvents
| where Timestamp >= ago(1h)
| limit 100
The above yields no results in the Advanced Hunting pane. However, if you use ingestion_time(), you do see results, which also show TimeGenerated/Timestamp, but you cannot filter on that column in the KQL.
It seems like a bug to me.
Does anyone face the same issue or can someone help?
Thanks
1 Reply
Hi akshayp199503, check one of these:
To safely query recent events when Timestamp is unreliable:
DeviceImageLoadEvents
| where ingestion_time() >= ago(1h)
| project Timestamp, IngestionTime = ingestion_time(), FileName, DeviceName
| limit 100
You can also add a null check if Timestamp is inconsistently populated:
DeviceImageLoadEvents
| where isnotempty(Timestamp) and Timestamp >= ago(1h)
| limit 100
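The queries in the reply work around the problem but do not show how far Timestamp and ingestion_time() actually disagree. The following Advanced Hunting query is an added example, not part of the original thread, that classifies each event in the last day by the state of its Timestamp (null, in the future relative to ingestion, lagging far behind ingestion, or plausible) and reports the worst lag per class. The 5m and 1h thresholds, the 1d window and the TimestampState name are assumptions chosen for illustration; DeviceImageLoadEvents, Timestamp, FileName and DeviceName are the real table and columns.

```kusto
// Added example (not from the original post): diagnose whether Timestamp is
// null, ahead of, or far behind ingestion_time() for recent DeviceImageLoadEvents.
// Filter on ingestion_time() so rows are returned even when Timestamp filtering fails.
DeviceImageLoadEvents
| where ingestion_time() >= ago(1d)          // 1d window is an assumed value
| extend IngestionTime = ingestion_time()
| extend Lag = IngestionTime - Timestamp      // null when Timestamp is null
| extend TimestampState = case(
    isnull(Timestamp),          "null",       // isnull() is the datetime-safe check
    Timestamp > IngestionTime + 5m, "future", // 5m tolerance is an assumed value
    Lag > 1h,                   "lagging",    // 1h threshold is an assumed value
                                "ok")
| summarize Events = count(),
            Devices = dcount(DeviceName),
            MinTimestamp = min(Timestamp),
            MaxTimestamp = max(Timestamp),
            MaxLag = max(Lag)
  by TimestampState
| order by Events desc
```

If every row lands in the "ok" bucket with a small MaxLag, the original `where Timestamp >= ago(1h)` filter should work and the empty result is worth reporting to support; a large "null" or "lagging" bucket explains why the Timestamp filter drops everything, and in that case widen the ingestion_time() window before applying any Timestamp condition so late-arriving events are not missed.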