query language
247 Topics

Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized

Hi everyone, I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting. For example, this basic KQL query:

    DeviceLogonEvents
    | where TimeGenerated >= ago(30d)
    | where LogonType != "Local"
    | where DeviceName !contains ".fr"
    | where DeviceName !contains "shared-"
    | where DeviceName !contains "gdc-"
    | where DeviceName !contains "mon-"
    | distinct DeviceName

Now throws the error:

    Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query.

Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI. This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th.

Questions:
- Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps?
- Is there an alternative column or syntax we should use now?
- Are others experiencing this?

Any insights or workarounds would be greatly appreciated!

463 views, 1 like, 3 comments

Query for App Service and outbound IP Query

Right now I need help writing a query that shows this:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
    clientIp, backendHostname

This query isn't working. I have a server that is using SSH and the logs there show stuff, but I have a Front Door globally and I need to see the logs there also. What is the best method?

1K views, 0 likes, 2 comments

Azure Firewall Logs Kusto Query

Dear Member, in Azure Firewall I have configured the rule block; now I want to check the traffic it is supposed to deny, and whether it still allows the other traffic. Can someone please help with the Kusto query for this, to see whether the rule block is allowing or denying traffic? I appreciate any help with this.

2.1K views, 0 likes, 1 comment

Azure Firewall Logs

Hi, I was checking some firewall logs by running the query below:

    CommonSecurityLog
    | where DeviceProduct == "firewall1" or DeviceProduct == "firewall2"
    | project TimeGenerated, DeviceName, SourceIP, DestinationIP, DestinationPort, Protocol, DeviceAction, Activity
    | sort by TimeGenerated desc
    | where DestinationIP contains "a.b.c.d"

I do get results after this, but I do not understand the result in the "DeviceAction" column. The result is:

    TimeGenerated [UTC]   2022-11-05T15:12:23.003Z
    DeviceName            f03xxxxxxxxxx
    SourceIP              172.x.x.x
    DestinationIP         103.x.x.x
    DestinationPort       80
    Protocol              tcp
    DeviceAction          reset-both
    Activity              THREAT

What does reset-both mean?

Solved. 2.1K views, 0 likes, 2 comments

Perform a lookup on each value in array

I have been experimenting with exporting conditional access policies to LA for historical reporting purposes. Each policy has a number of attributes which have arrays of zero or more members containing GUIDs, such as included/excluded users and groups. I have created some additional tables which will allow me to enrich the data with the user or group display name; however, I am having trouble working out the best syntax to achieve this. The pseudocode would read like this: for each guid in the attribute, add a second field with the display name of that guid. So far the best I have been able to do is mv-expand the fact data and do the lookup. I now have the extra field that I want, but now I want to zip the events back up again and am not sure how. If only I could get the lookup command to work inside the mv-apply command, but I can't work that out. Here is an example:

    let FactTable=datatable(Rule:string,IncludeUsers:string) [
        "Allow Rule", '["b152239e-e443-4fdd-b989-caae6a46b34f","0366ea79-ca58-4207-9d01-945d9b36c0ca"]',
        "Deny Rule", '["f569275d-a42c-4282-b41f-fff90eb960cb"]'
    ];
    let DimTable=datatable(userGuid:string,UserName:string) [
        "b152239e-e443-4fdd-b989-caae6a46b34f", "Bob",
        "0366ea79-ca58-4207-9d01-945d9b36c0ca", "Alice",
        "f569275d-a42c-4282-b41f-fff90eb960cb", "Eve"
    ];
    FactTable
    | extend innerJson=todynamic(IncludeUsers)
    | project-away IncludeUsers
    | mv-expand innerJson to typeof(string)
    | lookup kind=leftouter DimTable on $left.innerJson==$right.userGuid

Is there a better way of doing this? If not, how do I recombine the events again afterwards?

Solved. 2.1K views, 0 likes, 5 comments

Working with watchlists and ipv4_is_in_any_range() to exclude results from query

Hello! I am struggling with using watchlists as a blacklist. This is my query:

    let list = _GetWatchlist('blacklistedSegments') | summarize make_list(segment);
    SigninLogs
    | where ipv4_is_in_any_range(IPAddress, list); //throws an error

This is my watchlist named "blacklistedSegments" - one column named "segment":

    segment
    1.2.0.0/16
    3.4.0.0/16

I am trying to create a query in which sign-in logs from blacklisted IPs are returned. The problem is that I get the following error: This is probably because make_list() returns an array while the ipv4 method expects a value. Can anyone suggest the correct KQL way of achieving the above? Any suggestion will be highly appreciated! Thanks in advance. Ben

Solved. 5.9K views, 0 likes, 5 comments

How to parse ISO 8601 durations?

In Azure Log Analytics queries, is there a way to parse ISO 8601 durations to use in comparisons? The format looks like this: PT1H29M58.163977013S. More information on the format can be found here: https://en.wikipedia.org/wiki/ISO_8601#Durations

2.2K views, 0 likes, 2 comments