Date time filtering
I'm trying to configure a (relatively simple) correlated rule to spot some specific user accounts being used outside their authorized times. I'm running into two problems; 1: All the date time fields to match against are full date time fields and appear to be a modified Unix epoch based format, so I can't do "Before 9am or after 5pm". To make this work using what I can see, I'll need to configure a script to modify an xml version of the correlation rule and reimport it every day. Surely there's a way of filtering against just an Hour of day, or something like that. I can't find it though. 2: When I am selecting to filter against date-time fields, the entry form for the constant to match against only lets me enter date-times before 1st Jan 2006. Which isn't too useful. For 1:, What am I missing? Surely there's a way.. I suspect I've been looking at this too much and just can't see something right in front of me, but I just cannot see it. For 2: WTF? It reeks of an issue with the java widget that provides the date/time selection, but when I edit the xml and import, it then shows 1974. I have confirmed it behaves the same in Firefox and IE(9).