KrishhnaM (Copper Contributor), Nov 09, 2020
Day/week/Time based Analytical (scheduled) rule in Azure Sentinel
Hi Community,
I am currently working with a client on a requirement for detecting Office 365 message activity based on time and date. Below is the business use case in detail.
Use case: emails sent to external domain
- after office hours on working days (i.e. between 5:00 PM and 9:00 AM), and
- the same activity at any time on non-working days (i.e. any time on Saturdays and Sundays)
For the first use case, I have created a KQL detection based on the hour of the day and it is working, but the rule then only fires for certain hours during the weekend as well, whereas I need it to detect the activity at any time on the weekend. Query below for reference:

// External recipients only: drop mail addressed to the tenant's own domain
O365MessageTrace_CL
| where RecipientAddress_s !contains "m365x971587.onmicrosoft.com"
// Two-digit hour of the received timestamp (UTC), e.g. "17"
| extend ReceivedTimeStamp = tostring(format_datetime(Received_t, "HH"))
// Keep only mail received between 5:00 PM and 9:00 AM
| where ReceivedTimeStamp in ("17", "18", "19", "20", "21", "22", "23", "00", "01", "02", "03", "04", "05", "06", "07", "08")
| project Received_t, ReceivedTimeStamp, SenderAddress_s, RecipientAddress_s, Subject_s, Status_s, MessageTraceId_g
// Map the sender to the Account entity for the incident
| extend AccountCustomEntity = SenderAddress_s
Require help on:
- running the first rule only on weekdays (M, T, W, T, F) so that it detects activity within the timeframe given in the KQL;
- scheduling the second rule to run only on weekends, irrespective of the timeframe.
P.S.: I used a Logic App recurrence based on date and time, but Logic Apps don't support enabling/disabling a Sentinel rule.
3 Replies
CliveWatson
We defined a set of workspace functions for it. For example:

// Day name from a datetime; dayofweek() returns a timespan (Sunday = 0d), so divide by 1d to index the array
let _get_day_name = (timestamp:datetime) {
    tostring(dynamic(["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"])[toint(dayofweek(timestamp) / 1d)])
};
// True when the (local) time falls on a weekday between 08:00 and 18:00.
// The parameter with a default value is placed last; the original called get_day_name(), which did not match the
// _get_day_name definition above, so the call is corrected here.
let _is_working_hours = (TimeGenerated:datetime, timezone:string, is_local_time:bool = false) {
    let local_time = iif(is_local_time, TimeGenerated, datetime_utc_to_local(TimeGenerated, timezone));
    _get_day_name(local_time) !in ("Sat", "Sun") and hourofday(local_time) between (8 .. 18)
};
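Both of the original poster's cases can be handled by one scheduled rule whose query evaluates the local day and hour itself, so nothing needs to be enabled or disabled per day. The query below is an added example and is not code from either post; it reuses the table and column names of the original query, and the timezone name and the 9:00-17:00 business hours are assumptions.

```kusto
// Added example (not from either post): a single query that flags mail to external
// recipients sent after hours on weekdays or at any time on weekends.
let internal_domain = "m365x971587.onmicrosoft.com";   // tenant domain from the original query
let tz = "Australia/Sydney";                            // ASSUMPTION: tenant's local IANA timezone
let work_start = 9;                                    // 9:00 AM local, assumed
let work_end   = 17;                                   // 5:00 PM local, assumed
O365MessageTrace_CL
// endswith is stricter than the original's !contains: it matches the domain suffix only
| where RecipientAddress_s !endswith internal_domain
// Message trace timestamps are UTC; convert before reading the day and hour
| extend LocalTime = datetime_utc_to_local(Received_t, tz)
| extend DayOfWeek = toint(dayofweek(LocalTime) / 1d), Hour = hourofday(LocalTime)
| extend IsWeekend = DayOfWeek in (0, 6)                 // 0 = Sunday, 6 = Saturday
| extend IsAfterHours = Hour < work_start or Hour >= work_end
| where IsWeekend or IsAfterHours
| extend Reason = iif(IsWeekend, "Weekend", "After hours on weekday")
| project Received_t, LocalTime, Reason, SenderAddress_s, RecipientAddress_s, Subject_s, Status_s, MessageTraceId_g
| extend AccountCustomEntity = SenderAddress_s
```

Schedule the rule to run at a fixed frequency (for example hourly, with a matching lookback) around the clock; the day and hour filters in the query decide which events are raised, so no per-day scheduling of the rule is required.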