Update advanced-hunting-microsoft-defender.md

neelam-nn · web-flow · commit 3aa0da5ef411 · 2025-08-18T14:58:12.000+01:00
Add to "known Issues":
When creating a new Microsoft Sentinel function in Log Analytics, there is a delay of up to 20 minutes until it appears in Advanced Hunting.
diff --git a/defender-xdr/advanced-hunting-microsoft-defender.md b/defender-xdr/advanced-hunting-microsoft-defender.md
@@ -93,6 +93,7 @@ In the unified portal, in addition to viewing the schema column names and descri
     - Near real-time detection frequency isn't available for detections that include Microsoft Sentinel data. 
     - Custom functions that were created and saved in Microsoft Sentinel aren't supported.
     - Defining entities from Sentinel data isn't yet supported in custom detections.
+- When creating a new Microsoft Sentinel function in Log Analytics, there is a delay of up to 20 minutes until it appears in Advanced Hunting.
 - Bookmarks aren't supported in the advanced hunting experience. They're supported in the **Microsoft Sentinel > Threat management > Hunting** feature. Alternatively, you can use the [Link to incident](advanced-hunting-defender-results.md#link-query-results-to-an-incident) feature to link query results to new or existing incidents.
 - If you're streaming Defender XDR tables to Log Analytics, there might be a difference between the`Timestamp` and `TimeGenerated` columns. In case the data arrives to Log Analytics after 48 hours, it's being overridden upon ingestion to `now()`. Therefore, to get the actual time the event happened, we recommend relying on the `Timestamp` column.
 - When prompting [Security Copilot](advanced-hunting-security-copilot.md) for advanced hunting queries, you might find that not all Microsoft Sentinel tables are currently supported. However, support for these tables can be expected in the future.
