Event time to Trigger alert
I am not able to define the range of time, for example from 10:00 to 15:59, using regex.
There is only one field, how can I define range?
Can you please show me the query?
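As an added example (not from any of the posters), this is what a single-field regex for 10:00 through 15:59 looks like, for a time field that does accept regular expressions; the reply below notes that the correlation rule's comparison column does not. The hand-written pattern covers the asked-for window and a generator extends it to any window within one day; the function names and the timestamp formats are assumptions of this example.

```python
import re

# Hand-written regex for the thread's window, every minute from 10:00 through
# 15:59: hours 10-15 are "1" plus a digit 0-5, minutes are 00-59.
BUSINESS_HOURS_RE = r"^1[0-5]:[0-5][0-9]$"


def hhmm_range_regex(start: str, end: str) -> str:
    """Build an anchored regex matching every HH:MM from start to end inclusive.

    Generalises the 10:00-15:59 case to any window that does not cross
    midnight: hours fully inside the window get a plain minute class, the
    first and last hours get an explicit list of the minutes they cover.
    Assumes zero-padded 24-hour HH:MM (an assumption of this example).
    """
    sh, sm = map(int, start.split(":"))
    eh, em = map(int, end.split(":"))
    if not (0 <= sh <= 23 and 0 <= eh <= 23 and 0 <= sm <= 59 and 0 <= em <= 59):
        raise ValueError("times must be HH:MM on a 24-hour clock")
    if (sh, sm) > (eh, em):
        raise ValueError("window crosses midnight; use two rules instead")
    alternatives = []
    for hour in range(sh, eh + 1):
        lo = sm if hour == sh else 0
        hi = em if hour == eh else 59
        if (lo, hi) == (0, 59):
            alternatives.append(f"{hour:02d}:[0-5][0-9]")
        else:
            minutes = "|".join(f"{m:02d}" for m in range(lo, hi + 1))
            alternatives.append(f"{hour:02d}:(?:{minutes})")
    return "^(?:" + "|".join(alternatives) + ")$"


def in_window(hhmm: str, pattern: str = BUSINESS_HOURS_RE) -> bool:
    """True if a zero-padded HH:MM value falls inside the pattern's window."""
    return re.fullmatch(pattern, hhmm) is not None


def event_time_in_window(timestamp: str, pattern: str = BUSINESS_HOURS_RE) -> bool:
    """Pull HH:MM out of a full event timestamp (e.g. '2024-03-05 10:37:12' or
    '2024-03-05T10:37:12Z', constructed formats) and test it against the window."""
    m = re.search(r"(?<!\d)(\d{2}:\d{2})(?::\d{2})?(?!\d)", timestamp)
    return m is not None and in_window(m.group(1), pattern)


def every_minute() -> list:
    """All 1440 HH:MM values of a day, used to check two patterns agree."""
    return [f"{h:02d}:{m:02d}" for h in range(24) for m in range(60)]
```

Checking the generated pattern against the hand-written one over every minute of the day is a quick way to confirm a rule's window before enabling it to alert.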
There is a slight issue with using time in a correlation rule: the comparison column will not allow regex.
What you can do is look at my other post:
There are two .bat files here which can start and stop a view; simply change one line within each script to your view name and set them to run as scheduled jobs. So the "Start a View" script runs at 10:00 and the "Stop a View" script runs at 16:00.
I just tried adding the regex to a Windows correlation rule for failed logins and couldn't get it to alert.
Have you had this solution work before? If so, can you help me with it? Would be handy to use for future rules I implement.