
Azure Sentinel Logs time settings not working


I have set the Date & Time in my Azure Sentinel Logs Settings pane to use Local Time but whenever I run a query, I still need to change the Display time from UTC to local time.  Correct me if I am wrong but shouldn't the Date & Time in the Settings panel override the results Display Time?

 

 

6 Replies

@Gary Bushey no, in KQL queries date/time values are always expressed in UTC no matter what time zone you set your date/time zone to.

 

More details can be found here - https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/datetime

 

Hope that helps!

Sarah

@Sarah_Young Thank you for your reply; however, I don't think I was clear enough in my description.

 

While initially the results are showing date/time in UTC time zone, it was my understanding, and I am pretty sure it used to work, that changing this setting would then change the time zone used to display the date/time field in the result section of the Logs page anytime you ran a new query.  Much like you can change the time zone in the results section for each individual query you run.

 

If that is the intended use of that setting, then what is it used for?

 

UPDATE: Upon further testing, it seems that the initial tab created when you first go into Logs ignores this setting but any other tabs you open use it.

@Gary Bushey yes, I understand your question now. You're right that queries will default to UTC the first time you open a Log Analytics tab but you can change it here, and subsequent queries should show your local time:

 

[screenshot]

 

Thanks!

Sarah

@Sarah_Young Thank you for your reply.  I am aware of that functionality.  What I am asking is shouldn't the Date & Time setting in the Settings pane automatically change that dropdown to whatever I had set in the Settings pane?

 

So if I set the Date & Time in the Settings pane to use Local Time, shouldn't that drop down in the results pane automatically be set to that as well?

 

Right now it appears to do that for all BUT the first tab that opens in the Logs page.  That seems to be a bug.

@Gary Bushey I can replicate what you describe, thanks for clarifying.

 

I have checked with our Azure Monitor PG and they tell me that this is working as intended at the moment, it's not a bug. If you think it needs to be changed you can raise it with the Log Analytics/Azure Monitor team user voice - https://feedback.azure.com/forums/913690-azure-monitor

 

Sarah

@Sarah_Young Thanks for following up on this. Not sure how bypassing settings on the first tab only is considered working as designed but I will enter a request to get this changed. :)

 

Thanks again.