Adversaries may convert local time to UTC time to obfuscate their activity timestamps and evade time-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential time manipulation tactics used in advanced persistent threats.
KQL Query

```kusto
EmailEvents
| where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
| where DeliveryAction == "Delivered"
| where LatestDeliveryLocation == "Quarantine"
```
```yaml
id: 712ffdd8-ddce-4372-85dd-063029b418cf
name: Local time to UTC time conversion
description: |
  Advanced Hunting uses UTC as its default time zone. Filters in Advanced Hunting also operate in UTC by default, whereas query results are displayed in local time if the user has selected a local time zone in the security center settings.
description-detailed: |
  This is a sample query that converts local time to UTC time and can be used with any table. The user needs to update the query with their local time zone, using one of the options listed at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
  | where DeliveryAction == "Delivered"
  | where LatestDeliveryLocation == "Quarantine"
version: 1.0.0
```
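To check what the local-time window in the query actually resolves to in UTC (and how the offset changes across a daylight-saving switch, which the two `datetime_local_to_utc` calls handle independently), here is a small Python equivalent using the standard `zoneinfo` module. This is an added example, not part of the Sentinel query or the Microsoft repository; the sample timestamps are constructed.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo


def local_window_to_utc(start_local: str, end_local: str, tz: str):
    """Mirror of the KQL expression datetime_local_to_utc(datetime(<local>), "<tz>")
    applied to both bounds: the strings are wall-clock times in `tz`, the
    result is the pair of UTC instants the `between` filter compares against."""
    zone = ZoneInfo(tz)
    start = datetime.fromisoformat(start_local).replace(tzinfo=zone).astimezone(timezone.utc)
    end = datetime.fromisoformat(end_local).replace(tzinfo=zone).astimezone(timezone.utc)
    return start, end


def in_local_window(ts_utc: str, start_local: str, end_local: str, tz: str) -> bool:
    """Same test as `| where Timestamp between (start .. end)` in the query:
    inclusive on both ends, compared as UTC instants. `ts_utc` is the stored
    (UTC) Timestamp value, e.g. "2023-08-09T22:00:00Z"."""
    start, end = local_window_to_utc(start_local, end_local, tz)
    ts = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return start <= ts <= end


def utc_offset_hours(local_wallclock: str, tz: str) -> float:
    """Offset the conversion applies at a given local wall-clock time (DST aware)."""
    off = datetime.fromisoformat(local_wallclock).replace(tzinfo=ZoneInfo(tz)).utcoffset()
    return off.total_seconds() / 3600


if __name__ == "__main__":
    win = ("2023-08-10T00:00:00", "2023-08-31T23:59:59", "Europe/Madrid")
    start, end = local_window_to_utc(*win)
    print("UTC window:", start.isoformat(), "..", end.isoformat())
    # constructed sample Timestamp values: just before the window opens, at the
    # opening instant, and at local midnight after the window closes
    for ts in ("2023-08-09T21:59:59Z", "2023-08-09T22:00:00Z", "2023-08-31T22:00:00Z"):
        print(ts, "in window:", in_local_window(ts, *win))
    # a window spanning the CEST -> CET switch on 2023-10-29 gets two different offsets,
    # which is why each bound must be converted separately, as the query does
    print(utc_offset_hours("2023-10-28T12:00:00", "Europe/Madrid"),
          utc_offset_hours("2023-10-30T12:00:00", "Europe/Madrid"))
```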
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator manually adjusts the system clock to local time for easier user interaction during a maintenance window.
  Filter/Exclusion: Exclude events where the source system is known to be configured with a local time zone (e.g., SystemTimezone = 'Local' in Windows event logs).
- Scenario: A scheduled job runs at a specific local time (e.g., 8:00 AM local time) to perform nightly backups, causing a time zone discrepancy between the job's scheduled time and the UTC-based detection.
  Filter/Exclusion: Exclude events where the activity is associated with a known scheduled task (e.g., EventID = 100 and TaskName = 'NightlyBackup' in Windows Event Logs).
- Scenario: A user logs in during a time zone conversion test, and their login time is recorded in local time while the system logs are in UTC.
  Filter/Exclusion: Exclude login events where the user is known to be performing a time zone test (e.g., EventID = 4624 and LogonType = 'Interactive' with a specific user account used for testing).
- Scenario: A third-party monitoring tool (e.g., SolarWinds) sends alerts in local time, which are then ingested by Advanced Hunting and displayed in UTC, causing a false positive.
  Filter/Exclusion: Exclude alerts from known third-party tools (e.g., SourceSystem = 'SolarWinds' or EventSource = 'SolarWinds').
- Scenario: A system clock synchronization task (e.g., Windows Time service) temporarily adjusts the system clock, causing a time delta between local and UTC time.
  Filter/Exclusion: Exclude events where the system clock was recently synchronized (e.g., EventID = 1005 or `Event