Incident query based on time of the day

Occasional Contributor

I have a few ideas to implement for an incident query that would only trigger when an action is done out of office hours. We don't expect certain things to happen outside office hours, and we would like to know if they do.

I have tried using the | where operator combined with a variable mentioning "18:" and "08:", but this wouldn't work. I have tried looking at what kind of "time" fields are out there that I can use, but the KQL is quite different from what I have been using with other SIEMs.

 

TL;DR

Looking to set up an alert that only triggers between 18:00 and 08:00 (out of office hours).

Any ideas?
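An added KQL example (not from the thread or the linked article) of the hour-of-day filter the question asks for. The string approach ("18:" / "08:") fails because TimeGenerated is a datetime column, not text, and it is stored in UTC; the query below converts it to a local time zone with datetime_utc_to_local() and then compares hourofday() against the window edges. The SigninLogs table, the Europe/London time zone and the 08:00 to 18:00 office window are assumptions for illustration; swap in whichever table and zone apply. It also goes one step beyond the question by treating weekends as out of hours.

```kql
// Added example (not from the original thread): successful sign-ins outside office hours.
// Assumptions: the SigninLogs table (Azure AD sign-ins) and a Europe/London business day.
let OfficeStartHour = 8;            // office hours start (local hour, inclusive)
let OfficeEndHour   = 18;           // office hours end (local hour, exclusive)
let LocalTimeZone   = "Europe/London";
SigninLogs
| where TimeGenerated > ago(1h)     // match the rule's scheduling window
// TimeGenerated is UTC; convert first so the 18:00-08:00 window follows local clocks (incl. DST)
| extend LocalTime = datetime_utc_to_local(TimeGenerated, LocalTimeZone)
| extend LocalHour = hourofday(LocalTime),
         LocalDay  = dayofweek(LocalTime)   // timespan: 0d = Sunday ... 6d = Saturday
// Out of hours: before 08:00, at or after 18:00, or any time on Saturday/Sunday.
// Two comparisons joined by "or" handle the window that crosses midnight.
| where LocalHour < OfficeStartHour
     or LocalHour >= OfficeEndHour
     or LocalDay in (0d, 6d)
| where ResultType == "0"           // successful sign-ins only; drop this line to include failures
| project TimeGenerated, LocalTime, LocalHour, UserPrincipalName, AppDisplayName, IPAddress
```

If the rule should ignore weekends, remove the dayofweek() clause; if the environment spans several regions, compute LocalTime per user or per location rather than with a single fixed zone, otherwise the "out of hours" window will be wrong for part of the user base.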

 

2 Replies

Clive Watson

See example #9: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574

@Clive Watson

This was exactly what I was looking for, thank you :smile: