Rule to Create a Report with Alert Out of Business Hours
We want to create a report that shows the access to our customer outside business hours.
Im using the following meta: time, user.dst, event.desc, alias.host, count(user.dst)
in "where" i tried to create a time range ( 5pm to 9am) using:
event.time != (9am to 5pm)
time != (9am to 5)
No of them worked. Does anyone tried with sucess building a rule for out of business hours?
Thanks for the reply. Unfortunelly it doesnt help for a couple of reasons:
1- The alert rule sometimes gives us logs inside the business hours. Still trying to figure out why.
2 We want to build a automatic report in NW,to send by email to our costumer, in which we have detailed information of accesses outside business hours. In the ESA rule i can see that the meta selected is ec_activity = Logon and ec_outcome=failure. I can do that in the rule for report, but how can i define the hours, which in the ESA rule are defined in the parameters?
you might have more luck using the REST interface to programmatically generate the business hours of the days you want to report on using these resources. you will have to account for the weekends (not business hours most likely), evenings, holidays and potentially timezones depending on how regional your customer is.
you could cron the script, and have it send out via email from the REST interface (probably run from head server)
You could try modifying that OOTB rule (copy it as an advanced rule) and replace the default "create context..." section with this:
create schema StartEvent();
create schema EndEvent();
context NonWorkingHours start StartEvent end EndEvent;
insert into StartEvent select * from pattern[every timer:interval(1 minute)] where current_timestamp.getDayOfWeek IN (...) AND current_timestamp.getHourOfDay NOT IN (...)
insert into EndEvent select * from pattern[every timer:interval(1 minute)] where current_timestamp.getDayOfWeek IN (...) AND current_timestamp.getHourOfDay IN (...)
The "IN" can be used with ranges such as (1:5).
This would let you specify both weekday and weekend non-working hour time ranges.
I have this running in my lab, and while I did get a couple alerts that, at first, appeared to be within my working hour time range, it was because current_timestamp relies on UTC instead of my offset (-8).
If your OOTB rule is alerting within business hours, I would also check that your ESA is able to keep up with the meta stream and is not falling behind (000032858 - How to check if Event Stream Analysis (ESA) is falling behind concentrators in RSA Security Analytics).
I have done an app rule on the decoders to alert when an event is on working hours or not.. in fact there are to app rules. the first one, we evaluate if the event was generated in working hours. To do so, we create an expression that evaluates the entire date...
time = "2018-02-02 09:00:00"-"2018-02-02 18:00:00" || time = "2018-02-03 09:00:00"-"2018-02-03 18:00:00" || time = "2018-02-04 09:00:00"-"2018-02-04 18:00:00" || ... and so on for every working day of the month. let's say that app rule generates the meta alert with "working" within. The next rule evaluates if the meta alert exist and contains "working", if not, generates the alert meta with "not working"... using that, every event is "tagged" with "working" or "not working" on the meta "alert" wich can be used in further queries for reports.
It's a little manual approach, but it works for my customer, the only thing to take care about is to keep the first rule updated every month. (I'm planning to script something to do that automatically, but I'm not having enough time right now).
I hope that could be useful to you
First of all thanks you all for the reply
I think all the ideas are valid, but not what we are looking for.
This is a part of our report - made directly by the report engine of NW
Has you can see we have time, user, the event, the host. But has you can also see the first 3 lines the time is between 9/17 and we only want outside of that time. You can also see that the last two are outside business hours.
Anyone has any ideas how can we do it? Or the only way is like Maximiliano, Joshua and Eric said?
The reporting engine by itself is not able to perform that logic.
Here is another idea that is similar to the feed idea by @Maximiliano
create a feed on the head server in the lighthttp directory with one line in it, 2 columns
call it something like "nonworkinghourfeed.csv"
#logonkey,#where to write to
Use a cron script to run at the edges of your working day window to update the 2nd line of the file (either comment it at the beginning of the working day or uncomment at the end). This way your action outside the working hours are flagged with meta which can be used in your reports (and there will hopefully be less events to tag with the meta).
then create a recurring feed in the UI that refreshes this feed every x minutes (whatever your acceptable resolution is at the edges of your window vs. the load on the server to check the feed every minute (lowest time period))
that way when a login event occurs, the feed will either have a value that matches as non_working_hour_activity or not and that meta (say into the alert key) will be used in your reporting engine to select the events to report on for your customer.
your report would be
time, user.dst, event.desc, alias.host, count(user.dst)
if you wanted to account for holidays etc. then there are some posts I have seen about using a text file to put your holidays in and a runer script that checks if the next day is one of those days to take appropriate additional action to flag or not on those depending on the location and holidays of the customer.
Similar idea to Maximiliano without the excessive app rules.
Hi Eric, my first option was exactly the same thing that you tell but, I found a problem there... Let say we have a windows event source, as you know, windows like many other event sources works by fetching the events by a given period of time, so you have in a single event two time/date related meta, the first one the raw event date/time and the second the collection time. In event sources like Windows, ODBC or others, this two dates may have a gap of a few second or several minutes. So, if you made a script generated custom feed, it could miss enrich an 5:50 PM event as "non_working_hours" just because the event has decoded at 6:01 PM. I was wondering about a LUA parser, but the lua engine within the decoder is compiled as 32bits and it cant handle the event.time meta. So, my final option was to made an app rule... I don't like neither, but is the only "accurate" approach.
I had the same problem with a report. The main trouble is handle with "event.time" meta and report engine syntax. Well, this is how I did:
1st: work on the xml parser and use "event.time.str" to save (as string) the value of "event.time" (You gonna need UDS knowledge). In this step we get a string like '2018-03-05 11:58:02' (eg).
2nd: Make a lua (You gonna need Lua knowledge) parser that work with "event.time.str" to get 2 new metas ("my.date" and "my.time"), lua have string functions (string.gsub, string.match, etc), Also need to add this new metas on index-custom file (services decoder, concentrator, archiver, esa). This both new metas have to be "UInt32", this help to make a rule on report engine. In this step we get a meta for date as number '20180305' and time also as number '115802'.
3th: Well with the new "my.time" meta is easy to make a rule on reporte engine (eg: not(my.time = 90000-170000)), but if saturday and sunday are not working day, no matter the hour?
4th: to get the name of the day from "my.date" you can use a feed, but is not a practical solution, as you must to map the day name from a date (eg: "20180305","monday"), that will be 365 lines for just one year. There gonna be a better way ...
we gonna use LUA (God bless you LUA :D) to get "my.day.name" (text), and this usefull link: http://lua-users.org/wiki/DayOfWeekAndDaysInMonthExample
Finally we alredy to use a rule like "not(my.time= 90000-170000 && my.day.name= 'Mon','Tue','Wed','Thu','Fri')".
I prefer work with "event.time" meta than "time" meta, as "event.time" is the print from the device or app. Suppose that you collect the log with hours of delay, the "time" meta gonna have delay time and your report will show you uncorrect data.
Hope this can help you.