Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Forum Discussion

KrishhnaM

Copper Contributor

Nov 09, 2020

Day/week/Time based Analytical (scheduled) rule in Azure Sentinel

Hi Community, I am currently working with a client on a certain requirement for detection of an office 365 message activity based on time and date. below business use case in detail Use ca...

GaryBushey

Bronze Contributor

Nov 10, 2020

KrishhnaM You could use a dayofweek function to determine if it is a weekend or not and then and iif statement to handle different hour of the day processing.

CliveWatson

Microsoft

Nov 10, 2020

Some examples: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574

User9864

Copper Contributor

Jun 21, 2024

CliveWatson
We defined a set of workspaces function for it.
for example

let _get_day_name = (timestamp:datetime){tostring(dynamic(["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"])[toint(dayofweek(timestamp)/1d)]) }
;
let _is_working_hours = (TimeGenerated: datetime, is_local_time:bool = false, timezone:string){
                                    let local_time = iif(is_local_time
                                                        , TimeGenerated
                                                        , datetime_utc_to_local(TimeGenerated, timezone)
                                                        )
                                    ;
                                    get_day_name(local_time) !in("Sat", "Sun")
                                    and hourofday(local_time) between (8 .. 18)
                                                }
;