Forum Discussion
SB V (Brass Contributor), Sep 07, 2022
Questions on Microsoft Sentinel
Hi Community,
Our customer raised the queries below relating to Fusion rules in Microsoft Sentinel.
(1) For alerts/incidents triggered by Fusion rules, if an alert is a false positive, can any input from the SOC or analyst (e.g. suppressing the alert) enhance the detection algorithm for the customer environment to minimize the false positive rate?
(2) Is there a way to force a default time zone for Analytics rules in Sentinel? Currently all rules fire in UTC (+00:00), which is the default. Is there a way to force a rule to trigger in a different time zone?
Any guidance would be of great help.
Thanks in advance!
- Clive_Watson (Bronze Contributor)
1. no answer
2. You could, if you edit the KQL, convert UTC to local: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function UTC is used throughout Sentinel.
- SB V (Brass Contributor)
Hi Clive, one question: is there a way to rename the field so it doesn't auto-append 'UTC' to the field name?
- Clive_Watson (Bronze Contributor)
Yes, but it requires changing the format from a datetime to a string (see last line of this example).
// Target time zone name (IANA format) for the conversion
let localTime = 'US/Pacific';
Heartbeat
| extend newTime = datetime_utc_to_local(TimeGenerated, localTime)
| summarize count() by Computer, newTime, TimeGenerated
// Casting to string stops the portal appending [UTC] to the column name
| project Computer, TimeGenerated, localTime = tostring(newTime)
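An added example (not Clive's query, not part of the original thread) that carries the same idea into an analytics-rule shape: the rule still runs on UTC data, but the local-time logic lives in the KQL. It assumes a per-user time zone mapping (here a constructed datatable; a watchlist would play that role in practice) and uses constructed sample sign-ins in place of the SigninLogs table; the datetime-to-string cast at the end is the rename trick from the answer above.

```kusto
// Constructed sample events standing in for SigninLogs (not real data)
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string)
[
    datetime(2022-09-07T02:15:00Z), "alice@contoso.example", "203.0.113.10",
    datetime(2022-09-07T16:30:00Z), "alice@contoso.example", "203.0.113.10",
    datetime(2022-09-07T21:05:00Z), "bob@contoso.example",   "198.51.100.7",
    datetime(2022-09-07T07:45:00Z), "bob@contoso.example",   "198.51.100.7"
];
// Assumed per-user time zone mapping (hypothetical; a Sentinel watchlist could supply this)
let UserTimeZones = datatable(UserPrincipalName:string, TimeZone:string)
[
    "alice@contoso.example", "US/Pacific",
    "bob@contoso.example",   "Europe/Berlin"
];
SampleSignins
| join kind=inner UserTimeZones on UserPrincipalName
// Convert the UTC timestamp into each user's own local time
| extend LocalTime = datetime_utc_to_local(TimeGenerated, TimeZone)
| extend LocalHour = hourofday(LocalTime), LocalDay = dayofweek(LocalTime)
// Keep only sign-ins outside local business hours (08:00-18:00) or on weekends
| where LocalHour < 8 or LocalHour >= 18 or LocalDay == 0d or LocalDay == 6d
// Cast to string so the portal does not append [UTC] to the column name
| project TimeGenerated, UserPrincipalName, IPAddress, TimeZone, LocalTime = tostring(LocalTime)
```

With the constructed rows, the 02:15Z sign-in (19:15 the previous evening in US/Pacific) and the 21:05Z sign-in (23:05 in Europe/Berlin) are the two that survive the filter; the UTC-based schedule of the rule itself is unchanged.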
- SB V (Brass Contributor)
Hi Clive,
Thank you very much for the answers. Let me share this with the customer to see if they find it helpful.
Thanks again!