When an alert is generated in XDR and then synced to Sentinel

Question

When an alert is generated in XDR and then synced to Sentinel, is it possible to measure the time it takes for the alert to be synced? Is there a query that can be used to measure this time in minutes?

Answer 1

Its been a while since I wrote this (so test it out) but this is my method. This looks at all products but you can filter with some adjustments

// start Time = when the Alert was first noticed, first event
// End Time = Ingested alerts: the time of the last event or activity included in the alert.
// Processing Time = Ingested alerts: the time that the originating product completes the production of the alert (e.g. Defender XDR).
SecurityIncident
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)
| join kind=inner
(
    SecurityAlert
        | where TimeGenerated > ago(1h)   
        | extend ProductProcessingMin = datetime_diff('minute',  ProcessingEndTime, EndTime),
            ingest_ = ingestion_time()
        | extend sentinelIngestionDelayinMinutes_ = datetime_diff('minute', ingestion_time(), ProcessingEndTime)
    ) on $right.SystemAlertId == $left.AlertIds
    | summarize AlertCount=dcount(AlertIds),
                arg_max
                (
                 TimeGenerated, *
                )
                by IncidentNumber          
| extend sentinelIngestiontoCreated_ = datetime_diff('minute', ingest_, CreatedTime)
| extend InvestigationElapsedTime_   = datetime_diff('minute', LastModifiedTime, CreatedTime)
| summarize arg_max(TimeGenerated,*) by IncidentNumber
| project StartTime, EndTime, ProcessingEndTime, TimeGenerated, ingest_, ProductProcessingMin,
          sentinelIngestionDelayinMinutes_, IncidentNumber, AlertName, FirstActivityTime, LastModifiedTime, 
          CreatedTime
          , InvestigationElapsedTime_ 
          , sentinelIngestiontoCreated_