Jun 18 2021 06:01 AM
I have a few ideas to implement for an incidents query that would only trigger when an action is done out of office hours. We don't expect certain things to happen outside office hours and we would like to know if they do.
I have tried using the | where operator combined with a variable mentioning "18:" and "08:", but this wouldn't work. I have tried looking at what kind of "time" fields are out there that I can use, but KQL is quite different from what I've been using with other SIEMs.
TL;DR
Looking to set up an alert that only triggers between 18:00 and 08:00 (out of office hours).
Any ideas?
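One way to express the out-of-hours window in KQL, as an added example that is not from this thread; it assumes a Log Analytics / Sentinel workspace, uses the SecurityEvent table and logon event 4624 only as a placeholder for the action of interest, and assumes a fixed UTC offset for the office, since TimeGenerated is stored in UTC:

```kql
// Added example, not part of the original post.
// Table, event ID and offset are placeholders; adjust them to the action you care about.
let officeStart = 8;            // office opens at 08:00 local time
let officeEnd   = 18;           // office closes at 18:00 local time
let localOffset = 2h;           // assumed UTC offset of the office; TimeGenerated is UTC
SecurityEvent
| where TimeGenerated > ago(1h)           // lookback window of the scheduled rule
| where EventID == 4624                   // placeholder: successful logon
| extend LocalTime = TimeGenerated + localOffset
| extend Hour = datetime_part("hour", LocalTime)   // integer 0-23, no string matching needed
| extend Day  = dayofweek(LocalTime)               // 0d = Sunday ... 6d = Saturday
// The window wraps past midnight, so it is "before opening OR after closing",
// not a single range; weekends are treated as out of hours as well.
| where Hour < officeStart or Hour >= officeEnd or Day == 0d or Day == 6d
| project TimeGenerated, LocalTime, Hour, Day, Account, Computer, EventID
```

Comparing the hour as an integer with an or across the midnight boundary is what a string match on "18:" or "08:" cannot do, and keeping the offset in one variable makes daylight-saving changes a single edit.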