Day/week/Time based Analytical (scheduled) rule in Azure Sentinel

Hi Community, I am currently working with a client on a certain requirement for detection of an office 365 message activity based on time and date. below business use case in detail Use ca...

CliveWatson

Former Employee

Nov 10, 2020

Some examples: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574

User9864

Copper Contributor

Jun 21, 2024

CliveWatson
We defined a set of workspaces function for it.
for example

let _get_day_name = (timestamp:datetime){tostring(dynamic(["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"])[toint(dayofweek(timestamp)/1d)]) }
;
let _is_working_hours = (TimeGenerated: datetime, is_local_time:bool = false, timezone:string){
                                    let local_time = iif(is_local_time
                                                        , TimeGenerated
                                                        , datetime_utc_to_local(TimeGenerated, timezone)
                                                        )
                                    ;
                                    get_day_name(local_time) !in("Sat", "Sun")
                                    and hourofday(local_time) between (8 .. 18)
                                                }
;

Forum Discussion

Day/week/Time based Analytical (scheduled) rule in Azure Sentinel