
RSA SA ESA current_time

Question asked by go4lUa1mL0I2Tzs9lENhdlfZmfZCgWJByWLRDiaaVSw= on May 2, 2016
Latest reply on Sep 30, 2016 by Badal Chandani

I am new to Esper. I am trying to create an ESA advanced rule to detect system configuration changes during trading hours.

This is what I created, using the "current_timestamp" function to see whether it is Mon-Fri 9am-5:59pm. When I save the rule, I get no validation error, but I am not able to sync the rule; it fails with a Java error.

I want to know if this rule makes sense and why it cannot be synced.

Please help.

Thanks a lot.

 

*********************************************************************************************************

SELECT *, current_timestamp.getDayOfWeek() as var_dayofweek, current_timestamp.getHourofDay() as var_hourofday FROM Event(
    /* Statement: CiscoDeviceChange */
    (device_type IN ( 'ciscosecureacs' ) AND event_desc IN ( 'Changed configuration' ) AND var_dayofweek in (1,2,3,4,5) and var_hourofday in (9,10,11,12,13,14,15,16,17))
    OR
    /* Statement: NetscreenDeviceChange */
    (device_type IN ( 'netscreen' ) AND message LIKE '%System configuration saved%' AND var_dayofweek in (1,2,3,4,5) and var_hourofday in (9,10,11,12,13,14,15,16,17))
    OR
    /* Statement: WindowsDeviceChange */
    (device_type IN ( 'winevent_nic' ) AND event_cat_name IN ( 'Config.Changes.Modify' ) AND var_dayofweek in (1,2,3,4,5) and var_hourofday in (9,10,11,12,13,14,15,16,17))
);

*********************************************************************************************************
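To make the intended match logic of the rule above concrete, here is an added stand-alone Python simulation (example code, not ESA/Esper code and not part of the original post) that applies the three device-specific conditions and the Mon-Fri 09:00-17:59 window to a handful of constructed events. It uses each event's own timestamp and Python's ISO weekday numbering (Monday = 1); the real rule evaluates the engine clock via current_timestamp, and which weekday numbering ESA's getDayOfWeek() returns is not shown on this page, so the day set is left as a parameter.

```python
from datetime import datetime

# Constructed sample events (not from a real ESA deployment); "time" is the
# event's own timestamp, used here in place of the engine's current_timestamp.
SAMPLE_EVENTS = [
    {"device_type": "ciscosecureacs", "event_desc": "Changed configuration",
     "time": "2016-05-02T10:15:00"},                    # Monday 10:15 -> in window
    {"device_type": "netscreen", "message": "System configuration saved by admin",
     "time": "2016-05-07T11:00:00"},                    # Saturday -> outside window
    {"device_type": "winevent_nic", "event_cat_name": "Config.Changes.Modify",
     "time": "2016-05-03T18:30:00"},                    # Tuesday 18:30 -> outside window
    {"device_type": "winevent_nic", "event_cat_name": "Config.Changes.Modify",
     "time": "2016-05-04T17:59:00"},                    # Wednesday 17:59 -> in window
    {"device_type": "netscreen", "message": "Interface up",
     "time": "2016-05-04T12:00:00"},                    # in window, but not a config change
]

TRADING_DAYS = {1, 2, 3, 4, 5}   # Monday..Friday, ISO numbering (assumption, see lead-in)
TRADING_HOURS = range(9, 18)     # hour-of-day 9..17, i.e. 09:00 up to 17:59


def is_config_change(ev):
    """The three OR-ed 'Statement' clauses of the rule, one per device type."""
    dt = ev["device_type"]
    if dt == "ciscosecureacs":
        return ev.get("event_desc") == "Changed configuration"
    if dt == "netscreen":
        # LIKE '%System configuration saved%' is a substring match
        return "System configuration saved" in ev.get("message", "")
    if dt == "winevent_nic":
        return ev.get("event_cat_name") == "Config.Changes.Modify"
    return False


def in_trading_window(ts_iso, days=TRADING_DAYS, hours=TRADING_HOURS):
    """Equivalent of the var_dayofweek / var_hourofday checks in the rule."""
    ts = datetime.fromisoformat(ts_iso)
    return ts.isoweekday() in days and ts.hour in hours


def matching_events(events):
    """Indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events)
            if is_config_change(ev) and in_trading_window(ev["time"])]


if __name__ == "__main__":
    print(matching_events(SAMPLE_EVENTS))   # [0, 3]
```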
