Tuesday, January 4, 2022

Microsoft Sentinel Workbooks in UTC Time

When I started using Microsoft Sentinel, one of the glaring issues I ran into as an incident responder was that while my logs were showing in UTC (as I selected), the Workbooks (dashboards) I created would only show in local time. I checked settings, changed my Azure profile to UTC, no luck. Why can't I select the timezone for my dashboard?

I finally found the answer. You can't select the time zone as a user. You have to bake it into the dashboard and your choices are UTC or local time.

(EDIT: I just discovered that the time picker is still in Local Time and I don't see any way to change it.)

You can't make a blanket change across the entire Workbook either. You have to change the formatting of EVERY time column in EVERY query in your Workbook. (I'd really like to talk to Microsoft about their UI design, because it's killing incident responders like myself.)

Here's how to do it:

1. Click the button to Edit your Workbook.

2. Click Edit on the query you want to set to UTC. 

3. Click on the Column Settings button. (FYI, Column Settings ONLY appears if your query is showing results 🤬)

4. Click on the time column, set "Column renderer" to Date/Time.

    Click the checkbox for "Custom date formatting".

    Change the Date format style back to Short date time.

    Under "Show time as", select the UTC radio button.


5. Do this for every single query in your Workbook.