Article Content
Article Number | 000032396 |
Applies To | RSA Product Set: Security Analytics; RSA Product/Service Type: Event Stream Analysis; RSA Version/Condition: 10.5.x, 10.6.x |
Issue | This article describes how to write an ESA Rule that will work on a given time period. For example, you may want a rule to only be active outside of working hours, or on certain days of the week. This article assumes that the reader is already familiar with advanced Event Stream Analysis (ESA) Rules and already has an advanced rule which they wish to modify to only work during a particular time frame. |
Resolution | This method makes use of the Esper date-time methods documented here: http://www.espertech.com/esper/release-5.2.0/esper-reference/html/datetimereference.html#datetime-method-getitem

Below is a sample ESA Rule that looks for a successful login event.

module MyLoginRule;

Our aim is to convert this rule so that it only matches events that are outside business hours. For simplicity we define business hours as:

Monday - Friday: 9:00 AM to 17:30 UTC

In Esper, months and days of the week are numbered as follows:

January = Month 0, December = Month 11
Sunday = Day 1, Saturday = Day 7

Our time-based rule then becomes:

module MyLoginRule; |
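The following is an added example, not the article's own rule, showing one way to express the out-of-hours condition with Esper's `getDayOfWeek`, `getHourOfDay` and `getMinuteOfHour` date-time methods. It assumes the event carries a millisecond epoch timestamp in a field named `esa_time`, that the `ec_activity` and `ec_outcome` meta keys identify a successful logon, and that the ESA engine evaluates dates in UTC; the module and statement names are hypothetical.

```epl
// Added example: module and statement names are hypothetical.
module OutOfHoursLoginExample;

@Name('OutOfHoursLoginExample')
@RSAAlert
SELECT * FROM Event(
    // Assumed meta keys for "successful login"; adjust to your parsers.
    ec_activity = 'Logon'
    AND ec_outcome = 'Success'
    AND (
        // Weekend: Sunday = 1, Saturday = 7.
        // esa_time is an assumed millisecond timestamp field.
        esa_time.getDayOfWeek() IN (1, 7)

        // Weekday before 09:00.
        OR esa_time.getHourOfDay() < 9

        // Weekday at 18:00 or later.
        OR esa_time.getHourOfDay() > 17

        // Weekday from 17:30 up to 17:59 (17:30:00 itself is treated
        // as outside business hours in this example).
        OR (esa_time.getHourOfDay() = 17
            AND esa_time.getMinuteOfHour() >= 30)
    )
);
```

Because the hour and minute checks are OR-ed with the weekend check, any event on Saturday or Sunday matches regardless of its time of day. The date-time methods use the engine's default time zone, so the thresholds need shifting if the ESA host is not configured for UTC.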