Forum Discussion

Bronze Contributor

Apr 01, 2020

Azure Sentinel Logs time settings not working

I have set the Date & Time in my Azure Sentinel Logs Settings pane to use Local Time but whenever I run a query, I still need to change the Display time from UTC to local time. Correct me if I am wr...

Sarah_Young

Microsoft

Apr 14, 2020

GaryBushey no, in KQL queries date/time values are always expressed in UTC no matter what time zone you set your date/time zone to.

More details can be found here - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/datetime

Hope that helps!

Sarah

GaryBushey

Bronze Contributor

Apr 15, 2020

Sarah_Young Thank you for your reply however I don't think I was clear enough in my description.

While initially the results are showing date/time in UTC time zone, it was my understanding, and I am pretty sure it used to work, that changing this setting would then change the time zone used to display the date/time field in the result section of the Logs page anytime you ran a new query. Much like you can change the time zone in the results section for each individual query you run.

If that is the the intended use of that setting, then what is it used for?

UPDATE: Upon further testing, it seems that the initial tab created when you first go into Logs ignores this setting but any other tabs you open uses it.

Sarah_Young
Microsoft
Apr 19, 2020
GaryBushey yes, I understand your question now. You're right that queries will default to UTC the first time you open a Log Analytics tab but you can change it here, and subsequent queries should show your local time:

Thanks!

Sarah
- GaryBushey
  Bronze Contributor
  Apr 20, 2020
  Sarah_Young Thank you for your reply. I am aware of that functionality. What I am asking is shouldn't the Date & Time setting in the Settings pane automatically change that dropdown to whatever I had set in the Settings pane?
  
  So if I set the Date & Time in the Settings pane to use Local Time, shouldn't that drop down in the results pane automatically be set to that as well?
  
  Right now it appears to do that for all BUT the first tab that opens in the Logs page. That seems to be a bug.
  - Sarah_Young
    Microsoft
    Apr 24, 2020
    GaryBushey I can replicate what you describe, thanks for clarifying.
    
    I have checked with our Azure Monitor PG and they tell me that this is working as intended at the moment, it's not a bug. If you think it needs to be changed you can raise it with the Log Analytics/Azure Monitor team user voice - https://feedback.azure.com/forums/913690-azure-monitor
    
    Sarah