Share via

How do you change the Created Time timestamp in Azure Sentinel from Local Time to UTC

Brandon Goh 20 Reputation points
2025-07-16T13:33:35.77+00:00

Azure Sentinel currently does not report the creation time of an incident in UTC and as we are an MSSP, it is a requirement that we standardise all timestamps to UTC. This is already consistent with the data when it is pulled from the API but we need to be able to change the timestamps shown in the browser to UTC time as well.

I have attached a screenshot of my Teams, showing that the time shown in all 3 locations is in local time. This is impacting my operations as such information, when it has to be quickly transmitted to the customer would constantly require the conversion of timestamps and is prone to human error.

Is there a way to change the incident creation timestamp to UTC? I know that in the logs blade UI the setting can be changed to show UTC time and it has already been done. And that option is only limited to the timestamps shown in the logs.

Screenshot 2025-07-16 212203

Microsoft Security | Microsoft Sentinel
0 comments
Accepted answer
  1. EduardsGrebezs 941 Reputation points
    2025-07-16T16:56:54.16+00:00

    Hi,

    As of now (July 2025), there is no built-in option in the Sentinel incident interface to change timestamps (such as "Created Time") to UTC. While the Logs blade (Kusto queries) offers the ability to toggle between local and UTC, this feature is unfortunately not available for the Sentinel incident view or for the Overview/Investigation interfaces.

    Workarounds

    1. Use the API for UTC Timestamps

    You're already doing this—when pulling incident data via the Microsoft Sentinel REST API, timestamps are in UTC. You can build dashboards or reports (e.g., Power BI, custom portal) that show incidents in UTC.

    1. Custom Workbook or Dashboard

    Create a Sentinel Workbook that pulls incident data using KQL and displays timestamps in UTC. This gives your SOC team a consistent UTC view.

    Other option is if you use Logic apps for incident automation etc. you could parse JSON and compose, of course it will be a problem if you have multiple customers with different timezones.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.