cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Questions on Microsoft Sentinel

SB V
Brass Contributor

‎Sep 07 2022 11:02 AM

‎Sep 07 2022 11:02 AM

Questions on Microsoft Sentinel

Hi Community,

 

Our customer raised the below queries relates to Fusion rules in Microsoft Sentinel.

 

(1) For alerts/incidents triggered by fusion rules, if it’s false positive then any input from SOC or analyst (eg. suppress the alert) can enhance the detection algorithm for the customer environment to minimize the false positive rate?

 

(2) Is there a way to force default time zone for Analytics rule in Sentinel – currently all rules fire in UTC (+00:00) – which is the default, is there a way to force rule to trigger in different time zones?

 

Any guidance would be of great help.

 

Thanks in advance!

Labels:
1,636 Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by GBushey (Microsoft)
Clive_Watson

‎Sep 08 2022 07:48 AM

‎Sep 08 2022 07:48 AM

Solution

Re: Questions on Microsoft Sentinel

1. no answer
2. You could, if you edit the KQL, convert UTC to local: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function UTC is used throughout Sentinel.
0 Likes
Reply
SB V

‎Sep 08 2022 08:50 AM

‎Sep 08 2022 08:50 AM

Re: Questions on Microsoft Sentinel

Hi Clive,
Thank you very much for the answers. Let me share with this customer to see if they find helpful.

Thanks again!
0 Likes
Reply
SB V

‎Sep 08 2022 10:55 AM

‎Sep 08 2022 10:55 AM

Re: Questions on Microsoft Sentinel

Hi Clive, One question, is there a way to rename the field so it doesn’t auto append ‘UTC’ to the field name?
0 Likes
Reply
Clive_Watson

‎Sep 09 2022 01:24 AM

‎Sep 09 2022 01:24 AM

Re: Questions on Microsoft Sentinel

@SB V 

 

Yes, but it requires changing the format from a datetime to a string (see last line of this example).


let localTime = 'US/Pacific';
Heartbeat
| extend newTime = datetime_utc_to_local(TimeGenerated, localTime)
| summarize count() by Computer, newTime, TimeGenerated
| project Computer, TimeGenerated, localTime = tostring(newTime)



Clive_Watson_0-1662711815645.png

 

0 Likes
Reply
SB V

‎Sep 09 2022 01:52 AM

‎Sep 09 2022 01:52 AM

Re: Questions on Microsoft Sentinel

Hi Clive, Thank you very much for the answer.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by GBushey (Microsoft)
Clive_Watson

‎Sep 08 2022 07:48 AM

‎Sep 08 2022 07:48 AM

Solution

Re: Questions on Microsoft Sentinel

1. no answer
2. You could, if you edit the KQL, convert UTC to local: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function UTC is used throughout Sentinel.

View solution in original post

0 Likes
Reply