You might be dealing with time zone conversion issues with Palo Alto and Sentinel. I would look at how the timestamps are formatted in both, time zone settings in Sentinel and your machine, and if you have any latency issues with Palo Alto logs being ingested into Sentinel.
Timestamp OK, but KQL query needs to be set to 5h to get current logs.

Hi there,
(See UPDATE below for latest observation)
I'm feeding in PaloAlto logs to Sentinel.
The timestamps are showing as 'current', however in order to see any logs I have to query back 5 hours.
For example, right now it's 10:38 am Central Time.
As you can see, I'm querying back 5 hours and I can see the latest event has a TimeGenerated of 11:23 UTC, which is 10:23 CST.
So I'd expect my query to only have to be -5 minutes but it's -5 hours.
If I set my query to -4h then no data is shown.
Thoughts?
And querying by using todatetime(ReceiptTime) works without having to go back 5 hours, but it's horribly inefficient.
UPDATE:
I tried this and it seems to work.
But I haven't seen this used in Sentinel analytic rules or anywhere else.
Is this correct?
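A diagnostic query for the situation described in the post above, added here as an example and not part of the original post or its replies. It separates the two things that can make a "current" log only appear with a 5-hour lookback: the gap between the device's own receipt time (ReceiptTime, a string column, hence the todatetime()) and TimeGenerated, versus the gap between TimeGenerated and the moment the record actually landed in the workspace (ingestion_time()). It assumes the Palo Alto logs arrive via CEF into the CommonSecurityLog table with DeviceVendor set to "Palo Alto Networks"; both the table and the vendor string are assumptions about the poster's setup, not something the post states.

```kusto
// Added example; assumes CommonSecurityLog as the destination table and
// "Palo Alto Networks" as the DeviceVendor value (both assumptions).
CommonSecurityLog
| where TimeGenerated > ago(6h)                 // wide TimeGenerated window first: it is the indexed column
| where DeviceVendor == "Palo Alto Networks"
| extend IngestedAt = ingestion_time(),          // when Log Analytics actually wrote the record
         Receipt    = todatetime(ReceiptTime)    // device-side receipt time, parsed from the string column
| extend GenToIngest  = IngestedAt - TimeGenerated,  // ingestion pipeline / collector latency
         ReceiptToGen = TimeGenerated - Receipt       // clock or time-zone skew between device and collector
| summarize Events            = count(),
            AvgGenToIngest    = avg(GenToIngest),
            MaxGenToIngest    = max(GenToIngest),
            AvgReceiptToGen   = avg(ReceiptToGen),
            NewestGenerated   = max(TimeGenerated),
            NewestIngested    = max(IngestedAt)
    by bin(IngestedAt, 15m)
| order by IngestedAt desc
```

If AvgReceiptToGen sits at a whole number of hours while AvgGenToIngest stays near zero, the shift is a time-zone mismatch between what the device stamps and how the collector interprets it, not ingestion delay; if AvgGenToIngest is the large one, the records really are arriving late. For day-to-day hunting, keep the query cheap by filtering on TimeGenerated first with a generous window and only then narrowing on todatetime(ReceiptTime), rather than filtering on ReceiptTime alone across the whole table.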