https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-after-hours-quot-query/m-p/1238330#M8738 <P>This is a fairly dataset agnostic query snippet to look for events "after hours". You'll need to define what that means and also convert the time zone to your local time. This might not work if you're using UTC in the console, I'm not sure there.&nbsp;</P> <P>&nbsp;</P> <P>It took me some doing to get this working correctly and it's a common thing someone might want to use for an investigation or dashboard.. so here you go</P> <P>&nbsp;</P> <P>| alter Local_Time = parse_timestamp("%Y/%m/%d %H:%M:%S", format_timestamp("%Y/%m/%d %H:%M:%S", _time,"America/Los_Angeles"),"UTC")<BR />| alter event_hour = extract_time(Local_Time , "HOUR"), event_day = extract_time(Local_Time , "DAYOFWEEK")<BR />| filter (<BR />&nbsp; &nbsp;(event_day in (1, 7)) // Saturday (7) or Sunday (1)<BR />&nbsp; &nbsp;or<BR />&nbsp; &nbsp;(event_day in (2, 3, 4, 5,6) and (event_hour &lt; 6 or event_hour &gt;= 17)) // M–F but outside 6am-5pm<BR />&nbsp;)//end filter</P> <P>|fields _time, Local_Time , event_hour , event_day</P> <P>&nbsp;</P> <P>That field set should help you confirm its return the correct results before you drive on. Comment out the filter above and make sure the local time matches your _time and the hour and day also lines up. From what I can tell Sunday starts at 1 and Sat is 7, but ymmv.&nbsp;</P> Thu, 18 Sep 2025 20:08:00 GMT Jesse_Siegrist 2025-09-18T20:08:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-after-hours-quot-query/m-p/1238330#M8738 <P>This is a fairly dataset agnostic query snippet to look for events "after hours". You'll need to define what that means and also convert the time zone to your local time. This might not work if you're using UTC in the console, I'm not sure there.&nbsp;</P> <P>&nbsp;</P> <P>It took me some doing to get this working correctly and it's a common thing someone might want to use for an investigation or dashboard.. so here you go</P> <P>&nbsp;</P> <P>| alter Local_Time = parse_timestamp("%Y/%m/%d %H:%M:%S", format_timestamp("%Y/%m/%d %H:%M:%S", _time,"America/Los_Angeles"),"UTC")<BR />| alter event_hour = extract_time(Local_Time , "HOUR"), event_day = extract_time(Local_Time , "DAYOFWEEK")<BR />| filter (<BR />&nbsp; &nbsp;(event_day in (1, 7)) // Saturday (7) or Sunday (1)<BR />&nbsp; &nbsp;or<BR />&nbsp; &nbsp;(event_day in (2, 3, 4, 5,6) and (event_hour &lt; 6 or event_hour &gt;= 17)) // M–F but outside 6am-5pm<BR />&nbsp;)//end filter</P> <P>|fields _time, Local_Time , event_hour , event_day</P> <P>&nbsp;</P> <P>That field set should help you confirm its return the correct results before you drive on. Comment out the filter above and make sure the local time matches your _time and the hour and day also lines up. From what I can tell Sunday starts at 1 and Sat is 7, but ymmv.&nbsp;</P> Thu, 18 Sep 2025 20:08:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-after-hours-quot-query/m-p/1238330#M8738 Jesse_Siegrist 2025-09-18T20:08:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-after-hours-quot-query/m-p/1238388#M8743 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/259674">@Jesse_Siegrist</a>&nbsp;</P> <P>&nbsp;</P> <P>Glad to hear that this is working. We really appreciate the contribution of every user here in this forum</P> <P>&nbsp;</P> <P>KR,&nbsp;</P> <P>Luis&nbsp;</P> Fri, 19 Sep 2025 14:01:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-after-hours-quot-query/m-p/1238388#M8743 eluis 2025-09-19T14:01:07Z