Today I want to share a log query that only returns logs generated between 09 and 18, during workdays. The example is working with security events, without any filters. To improve query performances it is strongly recommended to add more filters, for example, event ID or account.
6.00:00:00 means Saturday and 7.00:00:00 means Sunday \ud83d\ude42 <\/p>\n\n\n\n
let startDateOfAlert = startofday(now());
\nlet StartAlertTime = startDateOfAlert + 9hours;
\nlet StopAlertTime = startDateOfAlert + 18hours;
\nSecurityEvent
\n| extend localTimestamp = TimeGenerated + 2h
\n| extend ByPassDays = dayofweek(localTimestamp)
\n| where ByPassDays <> ‘6.00:00:00’
\n| where ByPassDays <> ‘7.00:00:00’
\n| where localTimestamp > StartAlertTime
\n| where localTimestamp < StopAlertTime
\n| order by localTimestamp asc <\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Today I want to share a log query that only returns logs generated between 09 and 18, during workdays. The example is working with security events, without any filters. To improve query performances it is strongly recommended to add more filters, for example, event ID or account. 6.00:00:00 means Saturday and 7.00:00:00 means Sunday \ud83d\ude42 … Continue reading