Defining business hours
I was wondering about a way of creating alerts/reports on admin activities performed outside business hours.
How do I create a query with a time range, e.g. where time = 5 PM to 8 AM (weekdays) and 24 hours for weekends?
Alerts are trickier, but you can definitely create a report on this.
The report should focus on the action you want to track. The trick is using the schedule to run the report over the time of interest.
Run your report daily at 8:00 AM and set it to look at the past 16 hours. For your weekend, you can either schedule two separate daily reports to run each day over the past 24 hours, or just schedule one for Monday morning that looks at the past 48 hours.
The time meta key has a date-time format. Can I use a wildcard to specify a time range for any day?
We run a daily report that has many rules running within it. How do we specify a specific rule in that report to run for a time range when the other rules are set to run for the past 24 hours? We would like to have all rules in a single daily report.
There is a major flaw with this, and reporting in general on SA. Because it is using UTC time and you cannot force reports to use the correct time frame, you are going to be getting incorrect data. For our place, we are in EST -4 at the moment and our reports run in the morning using the past 1 day. This gives us a report of, say, March 12th 20:00 to March 13th 20:00. The correct time frame would be March 13th 00:00 to March 14th 00:00. This likely will not occur for the nightly reports, but for weekend reports I don't see a way to fix this.
Sean, you are correct about the reports running for the past 1 day. The issue is that we had to define a "day" somehow. If you scheduled your reports to run over the past 24 hours, it would run the past 24 hours up until the top of the hour that the report was scheduled to run. For instance, you have a report that runs at 8:15 AM. The report would look at the hours of 8 AM the previous day up until 8 AM of the current day.
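
An added example, not part of the thread and not a NetWitness feature: one way to apply the weekday 8 AM to 5 PM definition to exported event records after a report has run, converting the UTC timestamps to local time first so the UTC offset discussed above does not shift the window. The record layout, the 2024 dates, the `LOCAL_TZ` offset and every function name are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Assumption: fixed UTC-4 offset, matching the "EST -4 at the moment" in the thread.
# A zoneinfo.ZoneInfo object can be passed instead so DST changes are followed.
LOCAL_TZ = timezone(timedelta(hours=-4))
BUSINESS_START = time(8, 0)   # 8 AM local
BUSINESS_END = time(17, 0)    # 5 PM local


def is_after_hours(ts_utc, tz=LOCAL_TZ):
    """True if a UTC timestamp falls outside Mon-Fri 08:00-17:00 local time."""
    if ts_utc.tzinfo is None:
        ts_utc = ts_utc.replace(tzinfo=timezone.utc)  # treat naive stamps as UTC
    local = ts_utc.astimezone(tz)
    if local.weekday() >= 5:  # Saturday=5, Sunday=6: the whole day counts
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def after_hours_events(events, tz=LOCAL_TZ):
    """Keep only events whose 'time' field (ISO 8601, UTC) is after hours."""
    return [e for e in events
            if is_after_hours(datetime.fromisoformat(e["time"]), tz)]


def utc_window_for_local_day(year, month, day, tz=LOCAL_TZ):
    """UTC start and end of one local calendar day (midnight to midnight)."""
    start = datetime(year, month, day, tzinfo=tz)
    end = start + timedelta(days=1)
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


# Constructed sample records (not real NetWitness output); times are UTC.
SAMPLE_EVENTS = [
    {"time": "2024-03-13T14:30:00+00:00", "user": "admin1", "action": "login"},        # Wed 10:30 local
    {"time": "2024-03-13T23:10:00+00:00", "user": "admin2", "action": "add user"},     # Wed 19:10 local
    {"time": "2024-03-16T15:00:00+00:00", "user": "admin1", "action": "policy edit"},  # Sat 11:00 local
    {"time": "2024-03-15T02:00:00+00:00", "user": "admin3", "action": "login"},        # Thu 22:00 local
]

if __name__ == "__main__":
    for e in after_hours_events(SAMPLE_EVENTS):
        print(e["time"], e["user"], e["action"])
    print(utc_window_for_local_day(2024, 3, 13))
```

With this approach the report itself can keep a simple past-24-hours schedule, and the business-hours decision is made per event in local time.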