Microsoft Tech Community

Day/week/Time based Analytical (scheduled) rule in Azure Sentinel



Hi Community,


I am currently working with a client on a requirement for detecting Office 365 message activity based on time and date. The business use case is described in detail below.


Use case: emails sent to an external domain

  1. after office hours on working days (i.e. between 5:00 PM and 9:00 AM), and
  2. the same activity at any time on non-working days (i.e. any time on Saturdays and Sundays)


For the first use case, I have created KQL for detection based on the hour of the day and it is working, but the rule only runs during certain hours at the weekend, whereas I need it to detect activity at any time on the weekend. The query is below for reference:


// The source table was not included in the original post; replace the placeholder with it.
<MessageTraceTable>
| where RecipientAddress_s !contains ""
| extend ReceivedTimeStamp = tostring(format_datetime(Received_t, "HH"))
| where ReceivedTimeStamp in ("17", "18", "19", "20", "21", "22", "23", "00", "01", "02", "03", "04", "05", "06", "07", "08")
| project Received_t, ReceivedTimeStamp, SenderAddress_s, RecipientAddress_s, Subject_s, Status_s, MessageTraceId_g
| extend AccountCustomEntity = SenderAddress_s

Require Help on:

  1. running the first rule only on weekdays (Mon, Tue, Wed, Thu, Fri) so that it detects activity within the timeframe given in the KQL.
  2. scheduling the second rule to run only on the weekend, irrespective of timeframe.


P.S.: I used a Logic App recurrence based on date and time, but Logic Apps do not support enabling/disabling a Sentinel rule.

3 Replies

@KrishhnaM You could use the dayofweek function to determine whether it is a weekend or not, and then an iif statement to handle the different hour-of-day processing.

We defined a set of workspace functions for it. For example:



let _get_day_name = (timestamp:datetime) {
    // dayofweek() returns a timespan (0d = Sunday .. 6d = Saturday); divide by 1d to index the names
    tostring(dynamic(["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"])[toint(dayofweek(timestamp)/1d)])
};
// Parameters with default values must come after the ones without, so timezone precedes is_local_time.
let _is_working_hours = (TimeGenerated:datetime, timezone:string, is_local_time:bool = false) {
    let local_time = iif(is_local_time, TimeGenerated, datetime_utc_to_local(TimeGenerated, timezone));
    _get_day_name(local_time) !in ("Sat", "Sun")
    and hourofday(local_time) between (8 .. 18)
};
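Both use cases from the question can live in one analytics rule that runs on an ordinary hourly schedule: the weekday/weekend and hour-of-day decision is made inside the KQL, so nothing needs to enable or disable the rule. This is an added example, not code from the original post or the reply; the datatable rows, the contoso.com internal domain and the Europe/London time zone are constructed assumptions.

```kusto
// Assumptions (not from the thread): Received_t is UTC, the business day is judged in
// Europe/London, after hours is 17:00-09:00 and Saturday/Sunday are non-working days.
let local_tz = "Europe/London";
let work_start_hour = 9;     // 09:00 is the first working hour
let after_hours_hour = 17;   // 17:00 is already after hours
let internal_domain = "contoso.com";   // constructed placeholder for the client's own domain
// Constructed sample rows standing in for the message-trace table used in the question.
let MessageTrace = datatable(Received_t:datetime, SenderAddress_s:string, RecipientAddress_s:string,
                             Subject_s:string, Status_s:string, MessageTraceId_g:guid)
[
    datetime(2024-08-12 17:30:00), "alice@contoso.com", "bob@example.org",   "Q3 figures",     "Delivered", guid(00000000-0000-0000-0000-000000000001), // Mon 18:30 BST: after hours
    datetime(2024-08-13 09:00:00), "alice@contoso.com", "carol@example.org", "Agenda",         "Delivered", guid(00000000-0000-0000-0000-000000000002), // Tue 10:00 BST: working hours, excluded
    datetime(2024-08-17 10:15:00), "dave@contoso.com",  "eve@example.org",   "Weekend export", "Delivered", guid(00000000-0000-0000-0000-000000000003), // Sat 11:15 BST: weekend
    datetime(2024-08-14 07:30:00), "dave@contoso.com",  "frank@example.org", "Early send",     "Delivered", guid(00000000-0000-0000-0000-000000000004), // Wed 08:30 BST: before 09:00
    datetime(2024-08-14 10:00:00), "alice@contoso.com", "grace@contoso.com", "Internal",       "Delivered", guid(00000000-0000-0000-0000-000000000005)  // internal recipient, excluded
];
MessageTrace
| where RecipientAddress_s !endswith strcat("@", internal_domain)      // external recipients only
| extend LocalReceived = datetime_utc_to_local(Received_t, local_tz)   // evaluate the business day in local time
| extend DayOfWeek = toint(dayofweek(LocalReceived) / 1d),             // 0 = Sunday .. 6 = Saturday
         HourOfDay = hourofday(LocalReceived)
| extend IsWeekend = DayOfWeek in (0, 6),
         IsAfterHours = HourOfDay >= after_hours_hour or HourOfDay < work_start_hour
// Use case 2: any time on a weekend. Use case 1: outside 09:00-17:00 on a weekday.
| where IsWeekend or IsAfterHours
| extend Reason = iif(IsWeekend, "Sent on a non-working day", "Sent outside 09:00-17:00 on a working day")
| project Received_t, LocalReceived, SenderAddress_s, RecipientAddress_s, Subject_s, Status_s, MessageTraceId_g, Reason
| extend AccountCustomEntity = SenderAddress_s
```

Against the sample rows the query returns the Monday evening, Saturday and Wednesday morning messages and drops the Tuesday working-hours and internal-recipient rows; in a real rule, replace the datatable with the message-trace table and keep the query period aligned with the scheduled frequency so no window is missed.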