Forum Discussion
Solved
Questions on Microsoft Sentinel
Hi Community, Our customer raised the below queries relates to Fusion rules in Microsoft Sentinel. (1) For alerts/incidents triggered by fusion rules, if it’s false positive then any input fr...
- 1. no answer
2. You could, if you edit the KQL, convert UTC to local: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function UTC is used throughout Sentinel.
1. no answer
2. You could, if you edit the KQL, convert UTC to local: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function UTC is used throughout Sentinel.
2. You could, if you edit the KQL, convert UTC to local: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function UTC is used throughout Sentinel.
Hi Clive, One question, is there a way to rename the field so it doesn’t auto append ‘UTC’ to the field name?
Yes, but it requires changing the format from a datetime to a string (see last line of this example).
let localTime = 'US/Pacific';
Heartbeat
| extend newTime = datetime_utc_to_local(TimeGenerated, localTime)
| summarize count() by Computer, newTime, TimeGenerated
| project Computer, TimeGenerated, localTime = tostring(newTime)- Hi Clive, Thank you very much for the answer.
