Hi,
I have a working ESA rule that depends on the time, with the following syntax:
@Name('OutBusinessHours')
create context BusinessHours start (0, 17, *, *, *) end (0, 8, *, *, *);
...
It works fine, but my customers don't work on Saturday and Sunday.
So, how do I combine multiple contexts with a logical "OR" (as a "nested context" could do it with an "AND")?
@Name('OutBusinessHours')
create context OutBusinessHours
context OutHours start (0, 17, *, *, *) end (0, 8, *, *, *)
OR
context WeekEnd start (0, 0, *, *, 5-6) end (59, 23, *, *, 5-6)
A bit late here, but for future reference: one can fulfil similar "business hours" use cases by modifying the EPL rule below.
This example EPL rule will alert on successful logon activity between Mon-Fri, outside of 9-5 UTC, leveraging the time ESA ingests the data (noted by 'esa_time').
***************************************************************************************
@Name('Logon_Activity_Non_Biz_Hours_Alert')
@Description('This is a query to alert on successful auth during non-biz hours, between Mon - Fri')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
ec_activity='Logon' AND ec_outcome ='Success'
AND (esa_time).getDayOfWeek IN (2,3,4,5,6) // Monday to Friday
AND (esa_time).getHourOfDay NOT IN (9,10,11,12,13,14,15,16,17)) // 9:00 -17:00 UTC
***************************************************************************************
Explicitly stating which days/times to focus the query on is one way to remove weekend days from the rule.
You could also explicitly specify:
AND (esa_time).getDayOfWeek NOT IN (1,7) // Sunday and Saturday
***************************************************************************************
Reference day format (values returned by getDayOfWeek):
1 = Sun
2 = Mon
3 = Tue
4 = Wed
5 = Thu
6 = Fri
7 = Sat
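To make the day-of-week and hour-of-day logic of the answer above concrete, here is an added Python example (not part of the thread and not ESA/Esper code) that evaluates the same predicate over a handful of constructed sample events. It reproduces the posted rule (Mon-Fri only, hour outside 09-17 UTC) and, as a generalisation for the original question, a second predicate in which a weekend day OR a weekday off-hour counts as outside business hours. The event dictionaries, the ISO-8601 `esa_time` values and the helper names are all assumptions made for this example; the 1=Sunday..7=Saturday numbering follows the reference table above.

```python
from datetime import datetime

# Constructed sample events (not from the thread). esa_time is an ISO-8601 UTC
# timestamp standing in for the ESA ingest time used by the posted rule.
SAMPLE_EVENTS = [
    {"id": 1, "ec_activity": "Logon", "ec_outcome": "Success", "esa_time": "2024-01-15T08:30:00+00:00"},  # Mon, before 09:00
    {"id": 2, "ec_activity": "Logon", "ec_outcome": "Success", "esa_time": "2024-01-15T13:00:00+00:00"},  # Mon, business hours
    {"id": 3, "ec_activity": "Logon", "ec_outcome": "Success", "esa_time": "2024-01-13T03:00:00+00:00"},  # Sat, night
    {"id": 4, "ec_activity": "Logon", "ec_outcome": "Success", "esa_time": "2024-01-17T17:30:00+00:00"},  # Wed, 17:30
    {"id": 5, "ec_activity": "Logon", "ec_outcome": "Failure", "esa_time": "2024-01-16T22:00:00+00:00"},  # Tue, failed logon
    {"id": 6, "ec_activity": "Logon", "ec_outcome": "Success", "esa_time": "2024-01-14T11:00:00+00:00"},  # Sun, daytime
]

# Mirrors "IN (9,10,11,12,13,14,15,16,17)": note that hour 17 covers 17:00-17:59,
# so a 17:30 logon is still treated as business hours by the posted rule.
BUSINESS_HOURS = set(range(9, 18))
WEEKDAYS = {2, 3, 4, 5, 6}  # Mon..Fri in the 1=Sun..7=Sat numbering
WEEKEND = {1, 7}            # Sun, Sat


def day_of_week(dt):
    """Map a datetime to the 1=Sunday .. 7=Saturday numbering of getDayOfWeek."""
    # Python's isoweekday() is Mon=1..Sun=7; shift it to Sun=1..Sat=7.
    return dt.isoweekday() % 7 + 1


def is_successful_logon(event):
    """ec_activity='Logon' AND ec_outcome='Success'."""
    return event["ec_activity"] == "Logon" and event["ec_outcome"] == "Success"


def matches_answer_rule(event):
    """Predicate of the posted EPL: weekday only, hour outside 09-17 UTC."""
    dt = datetime.fromisoformat(event["esa_time"])
    return (is_successful_logon(event)
            and day_of_week(dt) in WEEKDAYS
            and dt.hour not in BUSINESS_HOURS)


def is_outside_business_hours(event):
    """Generalisation for the original question: weekend OR weekday off-hours."""
    dt = datetime.fromisoformat(event["esa_time"])
    off_hours = day_of_week(dt) in WEEKEND or dt.hour not in BUSINESS_HOURS
    return is_successful_logon(event) and off_hours


def alert_ids(events, predicate):
    """Return the ids of the events the given predicate would alert on."""
    return [e["id"] for e in events if predicate(e)]


if __name__ == "__main__":
    print("posted rule (Mon-Fri off-hours):", alert_ids(SAMPLE_EVENTS, matches_answer_rule))
    print("weekend OR off-hours:", alert_ids(SAMPLE_EVENTS, is_outside_business_hours))
```

Running it shows the difference between the two readings: the posted rule alerts only on event 1 (a weekday logon before 09:00), while the weekend-OR-off-hours variant also alerts on events 3 and 6 (Saturday night and Sunday daytime). Event 4 at 17:30 is not alerted by either, because hour 17 is inside the posted IN list; if 17:00 should already be out of hours, drop 17 from the list.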