We recently noticed that some Azure EventHubs Applications (e.g. the Azure AD Identity Protection -> https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection) are setting the "time" field not in the ISO 8601 Datetime format, but in the "general date long time" format (see https://docs.microsoft.com/en-us/dotnet/standard/base-types/standard-date-and-time-format-strings#GeneralDateLongTime).
Thus the month and day fields seem to be mixed up in these cases, and e.g. events that were actually collected on the 6th of April (according to col_ts) are sorted into the repos on the 4th of June (because of the wrong log_ts).
Also, alert rules on these events then trigger months later, when the wrongly sorted events slip into the current window of the search time range.
The following screenshots show how the timestamp format of the Azure AD Identity Protection differs from the usual ISO 8601 format.
Do you know if it is somehow possible to change this log timestamp format somewhere in the Azure AD settings?
Or does the compiled normalizer of the EventHub events have to be adjusted?
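
The ambiguity described in this post can be resolved on the ingestion side by using the collection time as a plausibility check. The sketch below is an added example, not part of the original post and not the product's normalizer code; `parse_iso8601`, `resolve_log_ts` and `max_skew` are hypothetical names, and it assumes that "general date long time" strings without an offset are in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Both readings of a slash-separated "general date long time" string.
GENERAL_FORMATS = {
    "month-first": "%m/%d/%Y %I:%M:%S %p",
    "day-first": "%d/%m/%Y %I:%M:%S %p",
}

def parse_iso8601(raw):
    """Parse an ISO 8601 "time" value; return None if it is not ISO 8601."""
    text = raw.strip().replace("Z", "+00:00")
    # .NET can emit 7 fractional digits; datetime keeps at most 6.
    text = re.sub(r"(\.\d{6})\d+", r"\1", text)
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def resolve_log_ts(raw, col_ts, max_skew=timedelta(days=2)):
    """Return (log_ts, how). Falls back to col_ts if no reading is plausible."""
    iso = parse_iso8601(raw)
    if iso is not None:
        return iso, "iso8601"
    candidates = []
    for name, fmt in GENERAL_FORMATS.items():
        try:
            ts = datetime.strptime(raw.strip(), fmt)
        except ValueError:
            continue  # e.g. "4/13/2021 ..." cannot be read day-first
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: value is UTC
        candidates.append((abs(ts - col_ts), ts, name))
    if candidates:
        skew, ts, name = min(candidates)  # reading closest to collection time
        if skew <= max_skew:
            return ts, name
    # Neither reading is near the collection time: do not trust log_ts.
    return col_ts, "fallback-col_ts"

if __name__ == "__main__":
    # Constructed sample values, not taken from real events.
    col_ts = datetime(2021, 4, 6, 10, 20, tzinfo=timezone.utc)
    for raw in ("2021-04-06T10:15:30.1234567Z", "4/6/2021 10:15:30 AM"):
        print(raw, "->", resolve_log_ts(raw, col_ts))
```

Events that come back as `fallback-col_ts` are worth counting per source, since a rising count points at a source that changed its timestamp format.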