logic app data ingestion delay.

Question

logic app data ingestion delay.

Prasad Boke 0

I have a logic app running. Which fetched data, parses it and logs the data into threatintelindicator table.

Ingestion of data to ms sentinel is taking longer time than usual. Delay is almost of 24 hours to reflect the logs in sentinel workspace.

Can someone suggest whats the mistake or whats happening here. Why it is taking so much of time?

Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator

2025-09-25T17:36:56.2266667+00:00

Hello Prasad Boke,

Thank you for posting your query on Microsoft Q&A portal.

You are seeing a delay because the table you are using ThreatIntelligenceIndicator is no longer actively supported by Microsoft Sentinel. They officially stopped allowing new data into that table after July 31, 2025. Unless your workspace was specifically granted an extension, any data your Logic App sends there will not show up or will be heavily delayed.

So, your Logic App might still be working fine, but Sentinel is basically ignoring or delaying the data because it's going to an outdated table.

Reference: https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay

As a workaround you can try below steps:

1.Check whether your workspace is still eligible for ingestion into the ThreatIntelligenceIndicator table. If not, you must migrate to the new threat intelligence tables.

Refer this document on how to work with threat indicators in Sentinel, including how to use the new tables and update your configurations.
https://learn.microsoft.com/en-us/azure/sentinel/work-with-threat-indicators?tabs=defender-portal

Refer below document for on how to use STIX-based threat intelligence in Sentinel, which is the foundation of the new tables.

https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators

If you still need to use the legacy table temporarily, you can raise a support request with Microsoft to ask for an extension

Please follow the below to submit a support ticket.
In Azure portal navigate to your Sentinel workspace click on the Support + Troubleshooting icon ?, select contact support, create a New support request, in the issue type select Techincal and choose Extend ingestion timeframe for ThreatIntelligenceIndicator table as the problem sub type.

Defender experience: please add the phrase Extend ingestion timeframe for ThreatIntelligenceIndicator table to the chatbot's text and open create support request when prompted.

The possibility will be there until 31 May 2026 (on this date the dual ingestion will be retired).

Thanks,

Suchitra.
Prasad Boke 0 Reputation points

2025-09-26T07:32:24.76+00:00

Hi Suchitra,
Thanks for the response. Table which im using is ThreatIntelIndicator

not threatintelleginceindicator.

1 answer

Your answer

Prasad Boke 0 Reputation points

2025-09-26T07:32:24.76+00:00

Hi Suchitra,
Thanks for the response. Table which im using is ThreatIntelIndicator

not threatintelleginceindicator.

Answer 1

Hello Prasad Boke, Thanks for confirming.
As you are using a Logic App to send data to the ThreatIntelIndicators table in Microsoft Sentinel, but the logs are delayed sometimes by hours or even a full day might be due to following reasons:

Logic App Timing: If your Logic App uses a recurrence trigger, it may not run exactly on time. This causes delays in when data is fetched and sent.
Ingestion vs. TimeGenerated: Sentinel uses TimeGenerated to filter logs. If your data arrives late, it might fall outside the time window used in your queries or rules making it look like it’s missing.
Pipeline Latency: Even if your Logic App runs fine, the data pipeline into Sentinel can have delays, especially if you're using custom connectors or transformations.

As a workaround you can try below steps:

Use Sliding Window Trigger in Logic App

Switch from a recurrence trigger to a sliding window trigger. It’s more reliable and ensures consistent execution.

Increase Look-Back Period in Sentinel Rules

If your analytics rule looks back 5 minutes, increase it to 10 or 15 minutes. This helps capture delayed logs.

Use ingestion_time() in Queries

Update your KQL queries to include ingestion time checks:

ThreatIntelIndicators

| where ingestion_time() - TimeGenerated > 2m

This helps you measure and adjust for delay.

Monitor Ingestion Health

Use Sentinel’s built-in Health Monitoring Workbook to track ingestion latency and identify bottlenecks.

Below are the reference documents:

Thanks,

Suchitra.

Share via

logic app data ingestion delay.

1 answer

Your answer