50 строки
2.8 KiB
Plaintext
50 строки
2.8 KiB
Plaintext
// Usage Instruction :
|
||
// Either run this query as a stand alone query within Azure Sentinel or save it as a KQL function for later use. Further details on
|
||
// functions can be found here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
|
||
// For US Daylight Savings
|
||
//Below function will take timestamp as input and provides status if the timestamp is in US DaylightSavings window or not.
|
||
// Check sample usage on test data at the end
|
||
let CheckifDaylightSavingUS = (UtcDateTime:datetime) {
|
||
// Reference formula: http://www.webexhibits.org/daylightsaving/i.html
|
||
// US daylight savings time begins (clocks go forward) on the second Sunday in March,
|
||
// and ends (clocks go back) on the first Sunday in November:
|
||
let Year = getyear(UtcDateTime);
|
||
// Calculate day portion of last sunday in March and in November
|
||
let SecondSundayMarch = 14 - ((1+(5 * Year)/4)%7);
|
||
let FirstSundayNovember = 7 - ((1+(5 * Year)/4)%7);
|
||
// Make full datetime object to compare with Current datetime - Add UTC offset to convert local Pacific Time
|
||
let DaylightStart = datetime_add("Hour",-7,make_datetime(Year,03,SecondSundayMarch));
|
||
let DaylightEnd = datetime_add("Hour",-8,make_datetime(Year,11,FirstSundayNovember));
|
||
// Compare the input datetime to the DaylightSavings window
|
||
iff(UtcDateTime between (DaylightStart .. DaylightEnd), "True", "False")
|
||
};
|
||
// For EU Daylight Savings
|
||
let CheckifDaylightSavingEU = (UtcDateTime:datetime) {
|
||
// Reference formula: http://www.webexhibits.org/daylightsaving/i.html
|
||
// European Summer Time begins (clocks go forward) at 01:00 UTC on the last Sunday in March,
|
||
// and ends (clocks go back) at 01:00 UTC on the last Sunday in October:
|
||
let Year = getyear(UtcDateTime);
|
||
// Calculate day portion of last sunday in March and in October
|
||
let LastSundayMarch = (31 - (((5 * Year)/4)+4)%7);
|
||
let LastSundayOctober = (31 - (((5 * Year)/4)+1)%7);
|
||
// Make full datetime object to compare with Current datetime
|
||
let DaylightStart = make_datetime(Year,03,LastSundayMarch,01,00);
|
||
let DaylightEnd = make_datetime(Year,10,LastSundayOctober,01,00);
|
||
// Compare the input datetime to the DaylightSavings window
|
||
iff(UtcDateTime between (DaylightStart .. DaylightEnd), "True", "False")
|
||
};
|
||
// Sample Usage in the Query - Generate Status based on InputDatetime in UTC
|
||
// let T = materialize(datatable(InputDateTime:datetime)
|
||
// [
|
||
// datetime(2020-03-07 16:59),
|
||
// datetime(2020-03-07 17:01),
|
||
// datetime(2020-10-31 15:59),
|
||
// datetime(2020-10-31 16:01),
|
||
// datetime(2020-03-29 00:59),
|
||
// datetime(2020-03-29 01:00),
|
||
// datetime(2020-10-25 00:59),
|
||
// datetime(2020-10-25 01:01),
|
||
// ])
|
||
// ;
|
||
// T
|
||
// | extend DstinUSStatus = CheckifDaylightSavingUS(InputDateTime), DstinEUStatus = CheckifDaylightSavingEU(InputDateTime) |