Analysts forget that Sentinel logs output the TimeGenerated field values as UTC.
Add this line to create a reformatted timestamp field congruent to your time zone:
| extend FormattedTime = format_datetime(datetime_add('hour', -4, TimeGenerated), 'yyyy-MM-dd HH:mm:ss')Remember to change the amount value to the UTC difference for your time zone. For example, I am in the US Eastern Time Zone, which is -4.
Now you can use the FormattedTime field string in the remainder of your query.
https://learn.microsoft.com/en-us/kusto/query/format-datetime-function?view=microsoft-fabric
https://learn.microsoft.com/en-us/kusto/query/datetime-add-function?view=microsoft-fabric