I have a working ESA rule depending on the time, with the following syntax:
create context BusinessHours start (0, 9, *, *, *) end (0, 18, *, *, *);
It works fine, but the check is only based on the arrival time of the log.
How do I change this behavior to base the time check on another meta?
- event.time for windows events
- a custom meta (some logs could contain multiple times, like a start time or a stop time)
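An added example (not from the original post or from the RSA NetWitness product documentation) contrasting the two approaches. The first statement is the wall-clock context from the question: the engine opens and closes it by its own clock, so it tests when the log arrived at ESA. The second form drops the context and tests the hour carried inside the event instead, using Esper's date-time methods `getHourOfDay()` and `between`, which exist in Esper EPL. Assumptions: the ESA event stream is named `Event`, the meta `event.time` is exposed to EPL as `event_time` and holds an epoch-millisecond long (Esper treats a long as milliseconds for date-time methods; if the meta is in seconds it has to be multiplied by 1000 first), and `custom_start_time` and the `@Name` values are placeholder names to be replaced with the real meta and rule name.

```sql
-- Wall-clock version (as in the question): the context window is driven by the
-- ESA engine clock, so the check reflects ARRIVAL time, not the event's own time.
create context BusinessHours start (0, 9, *, *, *) end (0, 18, *, *, *);

-- Event-time version: evaluate the hour stored in the event itself.
-- Assumption: event_time is an epoch-millisecond long exposed from event.time.
-- Events with no timestamp are skipped explicitly so a null never silently
-- matches or mismatches.
@Name('Outside_Business_Hours_By_EventTime')   -- placeholder rule name
select *
from Event
where event_time is not null
  and not (event_time.getHourOfDay() between 9 and 17);   -- 09:00-17:59 = business hours

-- Same check against a custom meta (placeholder name) for logs that carry
-- several timestamps, e.g. a start time and a stop time: pick the one that
-- matters for the detection and test that field alone.
@Name('Outside_Business_Hours_By_CustomStart')   -- placeholder rule name
select *
from Event
where custom_start_time is not null
  and (custom_start_time.getHourOfDay() < 9
       or custom_start_time.getHourOfDay() >= 18);
```

Two caveats worth checking before deploying: Esper's date-time methods use the engine's default time zone unless the engine is configured otherwise, so a Windows event stamped in another zone will be judged against the wrong hours; and a rule that keys off the event's own timestamp trusts the source clock, so a host with a skewed or tampered clock can make an off-hours event look like a business-hours one. Keeping an arrival-time rule alongside the event-time rule covers both cases.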