Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.5.x, 10.6.x

Issue:
This article describes how to write an ESA Rule that will work on a given time period. For example, you may want a rule to only be active outside of working hours, or on certain days of the week.
This article assumes that the reader is already familiar with advanced Event Stream Analysis (ESA) Rules and already has an advanced rule which they wish to modify to only work during a particular time frame.

Resolution:
This method makes use of the following ESPER methods documented here:
Below is a sample ESA Rule that looks for a successful login event.
Our aim is to convert this rule so that it only matches events that are outside business hours. For simplicity we define business hours as:
Monday - Friday: 09:00 to 17:30 UTC
January = Month 0, December = Month 11
Sunday = Day 1, Saturday = Day 7
Our time-based rule then becomes:
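As an added example (not the article's own rule), one way to express the out-of-hours restriction in EPL with Esper's date-time methods is shown below. It assumes the login event is identified by `ec_activity = 'Logon'` and `ec_outcome = 'Success'`, that the engine clock behind `current_timestamp` is evaluated in UTC, and that 17:30:00 itself already counts as outside business hours; the rule name is hypothetical.

```epl
/*
 * Added example, not the article's rule.
 * Assumptions: meta keys/values ec_activity='Logon' and ec_outcome='Success'
 * identify a successful login; the ESA engine time zone is UTC.
 */
@Name('Successful Logon Outside Business Hours')  // hypothetical rule name
@RSAAlert
SELECT * FROM Event(
    ec_activity = 'Logon'
    AND ec_outcome = 'Success'
    AND (
        // Weekend: getDayOfWeek() returns Sunday = 1 ... Saturday = 7
        current_timestamp.getDayOfWeek() IN (1, 7)

        // Weekday, before 09:00
        OR current_timestamp.getHourOfDay() < 9

        // Weekday, 18:00 or later
        OR current_timestamp.getHourOfDay() > 17

        // Weekday, 17:30 to 17:59; the hour test alone would treat
        // all of 17:xx as business hours
        OR (current_timestamp.getHourOfDay() = 17
            AND current_timestamp.getMinuteOfHour() >= 30)
    )
);
```

If the ESA host does not run in UTC, the hour comparisons have to be shifted by the offset, and a shift that crosses midnight also changes which `getDayOfWeek()` values count as the weekend.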