Timestamp ok but kql query needs to be set to 5h to get current logs.

David Broggy 6,101 Reputation points MVP
2023-07-31T15:43:43.03+00:00

Hi there,

(See UPDATE below for latest observation)

I'm feeding in PaloAlto logs to Sentinel.

The timestamps are showing as 'current', however in order to see any logs I have to query back 5 hours.

For example, right now it's 10:38 am Central Time.

As you can see I'm querying back 5 hours and I can see the latest event has a TimeGenerated of 11:23 UTC, which is 10:23 CST.

So I'd expect my query to only have to be -5 minutes but it's -5 hours.

If I set my query to -4h then no data is shown.

Thoughts?

User's image

And querying by using todatetime(ReceiptTime) works w/o having to go back 5 hours, but it's horribly inefficient.

User's image

UPDATE:

I tried this and it seems to work.

But I haven't seen this used in Sentinel analytic rules or anywhere else.
Is this correct?
User's image
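One way to tell whether a gap like this is ingestion delay or a device clock / time-zone problem is to compare each event's TimeGenerated with the time Sentinel actually ingested it. The query below is an added example, not from the original post; it assumes the Palo Alto logs land in CommonSecurityLog (the CEF table) with DeviceVendor "Palo Alto Networks", so adjust the table and filter if your connector differs.

```kql
// Added diagnostic query (example, not from the original post).
// Assumption: Palo Alto CEF events are in CommonSecurityLog with DeviceVendor "Palo Alto Networks".
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
// Filter on the time the record arrived in the workspace, not on TimeGenerated,
// so events with a skewed device clock are not silently excluded.
| where ingestion_time() > ago(1h)
| extend ReceiptUtc = todatetime(ReceiptTime)
// Device clock vs. the receipt time parsed from the CEF header: large values suggest a time-zone/clock issue.
| extend ClockSkew = TimeGenerated - ReceiptUtc
// How long after the event time the record became queryable: large values suggest ingestion latency.
| extend IngestLag = ingestion_time() - TimeGenerated
| summarize Events = count(),
            AvgIngestLag = avg(IngestLag), MaxIngestLag = max(IngestLag),
            AvgClockSkew = avg(ClockSkew), MaxClockSkew = max(ClockSkew)
  by DeviceName, bin(TimeGenerated, 15m)
| order by TimeGenerated desc
```

If ClockSkew sits near the time-zone offset (for example about 5 hours) while IngestLag stays small, the device or parser is emitting local time as UTC; if IngestLag is the large one, the delay is in the collection path.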


1 answer

Greg Wilson 1 Reputation point
2023-08-02T13:12:27.4766667+00:00

You might be dealing with time zone conversion issues with Palo Alto and Sentinel. I would look at how the timestamps are formatted in both, time zone settings in Sentinel and your machine, and if you have any latency issues with Palo Alto logs being ingested into Sentinel.
