Sep 07 2022 11:02 AM
Hi Community,
Our customer raised the queries below relating to Fusion rules in Microsoft Sentinel.
(1) For alerts/incidents triggered by Fusion rules, if one is a false positive, can any input from the SOC or an analyst (e.g. suppressing the alert) enhance the detection algorithm for the customer environment to minimize the false positive rate?
(2) Is there a way to force a default time zone for Analytics rules in Sentinel? Currently all rules fire in UTC (+00:00), which is the default; is there a way to force a rule to trigger in a different time zone?
Any guidance would be of great help.
Thanks in advance!
Sep 08 2022 07:48 AM
Solution
Sep 08 2022 08:50 AM
Sep 08 2022 10:55 AM
Sep 09 2022 01:24 AM
Yes, but it requires changing the format from a datetime to a string (see last line of this example).
// Target time zone (IANA name) for the converted timestamp
let localTime = 'US/Pacific';
Heartbeat
// datetime_utc_to_local() shifts the UTC TimeGenerated value to local wall-clock time
| extend newTime = datetime_utc_to_local(TimeGenerated, localTime)
| summarize count() by Computer, newTime, TimeGenerated
// tostring() keeps the local value as text so it is not re-rendered as UTC downstream
| project Computer, TimeGenerated, localTime = tostring(newTime)
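As an added example that is not part of the answer above, the same conversion can drive the detection logic itself rather than only the output columns: a scheduled rule that flags sign-ins outside local business hours. It assumes the SigninLogs table is connected and uses an assumed time zone (US/Pacific) and business-hour window; the schedule on which Sentinel runs the rule is still evaluated in UTC, only the query's comparisons are done in local time.

```kql
// Added example, not from the thread. Assumptions: SigninLogs is ingested,
// US/Pacific is the analyst's zone, business hours are 08:00-18:00 Mon-Fri.
let localTz = 'US/Pacific';
let businessStart = 8;   // local hour, inclusive
let businessEnd = 18;    // local hour, exclusive
SigninLogs
// Convert the UTC event time to local wall-clock time
| extend LocalTime = datetime_utc_to_local(TimeGenerated, localTz)
// hourofday() and dayofweek() now operate on the local value
| extend LocalHour = hourofday(LocalTime)
| extend LocalDay = dayofweek(LocalTime)   // 0d = Sunday, 6d = Saturday
| where LocalHour < businessStart
    or LocalHour >= businessEnd
    or LocalDay == 0d
    or LocalDay == 6d
// Keep the UTC timestamp for correlation and the local time as text for the analyst
| project TimeGenerated,
          LocalTimeText = tostring(LocalTime),
          UserPrincipalName,
          IPAddress,
          ResultType
```

Keeping TimeGenerated alongside the local text column matters: entity mapping and incident timelines in Sentinel continue to use the UTC column, while the string column gives the analyst the local reading without any ambiguity about which zone it is in.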
Sep 09 2022 01:52 AM