Ciyaresh
Brass Contributor
Jun 18, 2021

Incident query based on time of the day

I have a few ideas to implement for an incidents query that would only trigger when an action is done outside office hours. We don't expect certain things to happen outside office hours and we would like to know if they do.


I have tried using the | where operator combined with a variable mentioning "18:" and "08:", but this wouldn't work. I have tried looking at what kind of "time" fields are out there that I can use, but KQL is quite different to what I have been using with other SIEMs.


TL;DR


Looking to set up an alert only to trigger between 18:00 and 08:00 (out of office hours).


Any ideas?
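The following KQL is an added example, not a reply from the thread and not code from the original poster. It shows the out-of-hours pattern the question asks for: rather than matching the string "18:" or "08:" against a datetime column (which never matches, because TimeGenerated is a datetime, not text), it converts the UTC timestamp to local time and filters on the numeric hour of day. It assumes a Microsoft Sentinel workspace with the SigninLogs table ingested and an office in the Europe/London time zone; the office hours, table and projected columns are placeholders to adjust.

```kql
// Added example (not from the original thread): flag successful sign-ins that
// land outside 08:00-18:00 local time, or on a weekend.
// Assumptions: SigninLogs is ingested, the office runs on Europe/London time,
// and this runs as a scheduled analytics rule with a one-hour lookback.
let OfficeStart = 8;                 // first office hour (inclusive), local time
let OfficeEnd   = 18;                // first out-of-hours hour (exclusive), local time
let OfficeTz    = "Europe/London";   // IANA time zone name for the office
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"            // successful sign-ins only (ResultType is a string)
// TimeGenerated is UTC; convert before looking at the clock hour so DST is handled
| extend LocalTime = datetime_utc_to_local(TimeGenerated, OfficeTz)
| extend LocalHour = hourofday(LocalTime),   // 0-23
         LocalDay  = dayofweek(LocalTime)    // timespan: 0d = Sunday ... 6d = Saturday
| where LocalHour < OfficeStart or LocalHour >= OfficeEnd
     or LocalDay == 0d or LocalDay == 6d
| project TimeGenerated, LocalTime, UserPrincipalName, IPAddress, AppDisplayName, Location
```

The same hour-of-day filter works on any table with a TimeGenerated column (SecurityEvent, AuditLogs, a custom log) by swapping the table name and the projected columns. Comparing whole hours is the practical choice for an alert; if the boundary must be exact to the minute, compare `LocalTime` against `startofday(LocalTime) + 8h` and `+ 18h` instead of using `hourofday()`.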
