We want to create a report that shows the access to our customer outside business hours.
I'm using the following meta: time, user.dst, event.desc, alias.host, count(user.dst)
In "where" I tried to create a time range (5pm to 9am) using:
event.time != (9am to 5pm)
time != (9am to 5)
None of them worked. Has anyone had success building a rule for out of business hours?
There is an ESA rule to alert on this in RSA Live. Does that help you identify those accesses outside your business hours?
Reporting: NWDB Rule Syntax