SOLVED

Questions on Microsoft Sentinel


Hi Community,

Our customer raised the queries below relating to Fusion rules in Microsoft Sentinel.

(1) For alerts/incidents triggered by Fusion rules, if one is a false positive, can any input from the SOC or an analyst (e.g. suppressing the alert) enhance the detection algorithm for the customer environment to minimize the false-positive rate?

(2) Is there a way to force a default time zone for Analytics rules in Sentinel? Currently all rules fire in UTC (+00:00), which is the default. Is there a way to force a rule to trigger in a different time zone?

Any guidance would be of great help.

Thanks in advance!

best response confirmed by GBushey (Microsoft)
Solution
1. No answer.
2. You could, if you edit the KQL, convert UTC to local time (https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-utc-to-local-function). UTC is used throughout Sentinel.
Hi Clive,
Thank you very much for the answers. Let me share this with the customer to see if they find it helpful.

Thanks again!
Hi Clive, one question: is there a way to rename the field so it doesn't auto-append 'UTC' to the field name?

@SB V

Yes, but it requires changing the format from a datetime to a string (see the last line of this example).

let localTime = 'US/Pacific';
Heartbeat
| extend newTime = datetime_utc_to_local(TimeGenerated, localTime)   // shift the UTC timestamp into the named time zone
| summarize count() by Computer, newTime, TimeGenerated
| project Computer, TimeGenerated, localTime = tostring(newTime)     // a string column, so the UI does not append "UTC" to the name

Hi Clive, Thank you very much for the answer.
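The following is an added example, not code from this thread or from Microsoft, that carries the two answers above one step further: it converts TimeGenerated to the customer's zone with datetime_utc_to_local, formats it as a string with format_datetime so the column does not pick up the automatic "UTC" suffix, and then uses the local hour and weekday inside the rule logic, so a scheduled analytics rule can express a local-time condition even though the scheduler itself runs in UTC. It assumes the workspace ingests the SigninLogs table and that ResultType "0" marks a successful sign-in; the 'US/Pacific' zone and the 07:00-19:00 business-hours window are illustrative values, not anything the thread specifies.

```kql
// Added example (not from the original thread). Assumptions: the SigninLogs
// table exists in the workspace, ResultType "0" is a successful sign-in, and
// the zone name and business-hours window are placeholders to be adjusted.
let localTz = 'US/Pacific';            // IANA zone name; DST is handled by the function
let lookback = 1h;                     // match the rule's scheduled lookback period
let businessStart = 7;                 // 07:00 local
let businessEnd = 19;                  // 19:00 local
SigninLogs
| where TimeGenerated > ago(lookback)  // the schedule window is still evaluated in UTC
| where ResultType == "0"              // successful sign-ins only
// Shift the UTC timestamp into the customer's zone. The result is a datetime,
// so the Sentinel UI would still label it as UTC if projected as-is.
| extend LocalTime = datetime_utc_to_local(TimeGenerated, localTz)
| extend LocalHour = hourofday(LocalTime),
         LocalDow  = dayofweek(LocalTime)   // timespan: 0d = Sunday ... 6d = Saturday
// Off-hours in local terms: weekend, or outside the business-hours window.
| where LocalDow in (0d, 6d)
     or LocalHour < businessStart
     or LocalHour >= businessEnd
// Render the local time as a string so the column is not renamed with a UTC suffix.
| project TimeGenerated,
          LocalTimeText = format_datetime(LocalTime, 'yyyy-MM-dd HH:mm:ss'),
          LocalZone = localTz,
          UserPrincipalName, IPAddress, AppDisplayName
```

The rule's frequency and lookback remain UTC settings; only the where clause gives the detection its local-time behaviour. If a local window needs to be turned back into UTC bounds (for example to compare against TimeGenerated directly), the inverse function datetime_local_to_utc(from, timezone) does that conversion.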