cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Help. It is necessary to make a rule that will work in a certain range of time

Dimitry36
Copper Contributor

‎Sep 06 2022 02:12 AM

‎Sep 06 2022 02:12 AM

Help. It is necessary to make a rule that will work in a certain range of time

Hello! 

 

It is necessary to make a rule that will work in a certain range of time. 

e.g. every day from 21:00 to 00:00 or from 21:00 to the next morning 06:00. 

I tried to do it through the transformation of time into a string, it did not work

 

 

The date looks like this:

EventTime [UTC]
2022-09-06T23:04:01Z

 

Labels:
971 Views
0 Likes
6 Replies
Reply
6 Replies
GBushey

‎Sep 06 2022 04:34 AM

‎Sep 06 2022 04:34 AM

Re: Help. It is necessary to make a rule that will work in a certain range of time

@Dimitry36 What is the issue you are running into?   Using

todatetime('2022-09-06T23:04:01Z')

converts the string into the UTC time of '9/6/2022, 11:04:01.000 PM'

0 Likes
Reply
Dimitry36

‎Sep 06 2022 05:04 AM

‎Sep 06 2022 05:04 AM

Re: Help. It is necessary to make a rule that will work in a certain range of time

I don't understand how to display an event at a specific time interval every day.
for example display events from 9:00 to 18:00, on this date every day
0 Likes
Reply
best response confirmed by Dimitry36 (Copper Contributor)
GBushey

‎Sep 06 2022 05:40 AM

‎Sep 06 2022 05:40 AM

Solution

Re: Help. It is necessary to make a rule that will work in a certain range of time

@Dimitry36 You would need to do something like this to get the UTC equivalent of 0800 today

let dt = now();
print todatetime(strcat(datetime_part("month", dt),'/',datetime_part("day", dt),'/',datetime_part("year", dt), ' 08:00:00.000 AM'))
0 Likes
Reply
Dimitry36

‎Sep 06 2022 06:16 AM

‎Sep 06 2022 06:16 AM

Re: Help. It is necessary to make a rule that will work in a certain range of time


WindowsEvent
| where EventID == 4663
| where EventData.AccessMask == 0x10000 or EventData.AccessList == "%%1537"
//| How do I need a time range? I want to see the events that take place for example 9 am to 18 pm.
0 Likes
Reply
Dimitry36

‎Sep 07 2022 12:45 AM

‎Sep 07 2022 12:45 AM

Re: Help. It is necessary to make a rule that will work in a certain range of time

Thank you very much, 9 example fit perfectly.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Dimitry36 (Copper Contributor)
GBushey

‎Sep 06 2022 05:40 AM

‎Sep 06 2022 05:40 AM

Solution

Re: Help. It is necessary to make a rule that will work in a certain range of time

@Dimitry36 You would need to do something like this to get the UTC equivalent of 0800 today

let dt = now();
print todatetime(strcat(datetime_part("month", dt),'/',datetime_part("day", dt),'/',datetime_part("year", dt), ' 08:00:00.000 AM'))

View solution in original post

0 Likes
Reply