Azure-Sentinel/Functions/CheckifDayLightSavings-US-E...

50 строки
2.8 KiB
Plaintext

// Usage Instruction :
// Either run this query as a stand alone query within Azure Sentinel or save it as a KQL function for later use. Further details on
// functions can be found here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
// For US Daylight Savings
//Below function will take timestamp as input and provides status if the timestamp is in US DaylightSavings window or not.
// Check sample usage on test data at the end
let CheckifDaylightSavingUS = (UtcDateTime:datetime) {
// Reference formula: http://www.webexhibits.org/daylightsaving/i.html
// US daylight savings time begins (clocks go forward) on the second Sunday in March,
// and ends (clocks go back) on the first Sunday in November:
let Year = getyear(UtcDateTime);
// Calculate day portion of last sunday in March and in November
let SecondSundayMarch = 14 - ((1+(5 * Year)/4)%7);
let FirstSundayNovember = 7 - ((1+(5 * Year)/4)%7);
// Make full datetime object to compare with Current datetime - Add UTC offset to convert local Pacific Time
let DaylightStart = datetime_add("Hour",-7,make_datetime(Year,03,SecondSundayMarch));
let DaylightEnd = datetime_add("Hour",-8,make_datetime(Year,11,FirstSundayNovember));
// Compare the input datetime to the DaylightSavings window
iff(UtcDateTime between (DaylightStart .. DaylightEnd), "True", "False")
};
// For EU Daylight Savings
let CheckifDaylightSavingEU = (UtcDateTime:datetime) {
// Reference formula: http://www.webexhibits.org/daylightsaving/i.html
// European Summer Time begins (clocks go forward) at 01:00 UTC on the last Sunday in March,
// and ends (clocks go back) at 01:00 UTC on the last Sunday in October:
let Year = getyear(UtcDateTime);
// Calculate day portion of last sunday in March and in October
let LastSundayMarch = (31 - (((5 * Year)/4)+4)%7);
let LastSundayOctober = (31 - (((5 * Year)/4)+1)%7);
// Make full datetime object to compare with Current datetime
let DaylightStart = make_datetime(Year,03,LastSundayMarch,01,00);
let DaylightEnd = make_datetime(Year,10,LastSundayOctober,01,00);
// Compare the input datetime to the DaylightSavings window
iff(UtcDateTime between (DaylightStart .. DaylightEnd), "True", "False")
};
// Sample Usage in the Query - Generate Status based on InputDatetime in UTC
// let T = materialize(datatable(InputDateTime:datetime)
// [
// datetime(2020-03-07 16:59),
// datetime(2020-03-07 17:01),
// datetime(2020-10-31 15:59),
// datetime(2020-10-31 16:01),
// datetime(2020-03-29 00:59),
// datetime(2020-03-29 01:00),
// datetime(2020-10-25 00:59),
// datetime(2020-10-25 01:01),
// ])
// ;
// T
// | extend DstinUSStatus = CheckifDaylightSavingUS(InputDateTime), DstinEUStatus = CheckifDaylightSavingEU(InputDateTime)