Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032396 - RSA Security Analytics - Time Based Rules in Event Stream Analysis

Document created by RSA Customer Support

on Jun 30, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number	000032396
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Event Stream Analysis RSA Version/Condition: 10.5.x 10.6.x
Issue	This article describes how to write an ESA Rule that will work on a given time period. For example, you may want a rule to only be active outside of working hours, or on certain days of the week. This article assumes that the reader is already familiar with advanced Event Stream Analysis (ESA) Rules and already has an advanced rule which they wish to modify to only work during a particular time frame.
Resolution	This method makes use of the following ESPER methods documented here: http://www.espertech.com/esper/release-5.2.0/esper-reference/html/datetimereference.html#datetime-method-getitem getHourOfDay() getDayOfWeek() The event time meta is in seconds past Unix Epoch Time, so we convert this to milliseconds past Epoch Time by multiplying by 1000. Below is a sample ESA Rule that looks for a successful login event. module MyLoginRule; module MyLoginRule; // The real “alerter”. The annotation, identifies it as the one that ESA needs to watch for. @RSAAlert @RSAPersist @Name('MyLoginRule') @Description('Successful Logon') SELECT * FROM Event( ec_activity='Logon' AND ec_outcome='Success' ) Our aim is to convert this rule so that it only matches events that are outside business hours. For simplicity we define business hours as: Monday - Friday : 9:00 AM to 17:30 PM UTC In EPSER January = Month 0, December = Month 11 Sunday = Day 1, Saturday = Day 7 Our time based rules then becomes: module MyLoginRule; // The real “alerter”. The annotation, identifies it as the one that ESA needs to watch for. @RSAAlert @RSAPersist @Name('MyLoginRule') @Description('Successful Logon Outside Business Hours') SELECT * FROM Event( ec_activity='Logon' AND ec_outcome='Success' AND ((event_time1000).getDayOfWeek IN (2,3,4,5,6) // Monday to Friday AND (event_time1000).getHourOfDay NOT IN (9,10,11,12,13,14,15,16,17) // 9:00 -17:00 UTC) OR (event_time*1000).getDayOfWeek IN (1,7) )// Saturday or Sunday )

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Re: (Urgent) RSA NetWitness timeframe rule