Defining context in Esa Rule

Question asked by Csi Piemonte D-Soc on Feb 18, 2021
Latest reply on Feb 18, 2021 by Josh Randall

We are trying to build an ESA rule named

Compliance - Windows - WinAdmCSI Logins

We want this rule to fire each time a Windows administrator logs in outside working hours.

This is the syntax of our rule:

@RSAAlert()
create context NotWorkingHours start (0, 18, *, *, *) end (0, 9, *, *, *);
context NotWorkingHours
SELECT * FROM
    Event(
        (user_dst .toLowerCase() LIKE '%adm')
                AND device_type IN ( 'winevent_nic' )
                AND reference_id IN ( '4624')
                );

It appears that this rule does not match any event (as you can see in the attachment). Can you please explain to us why? Are there any mistakes in the context definition?

Thanks in advance
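Two things worth checking against the rule as posted: in Esper EPL an annotation applies to the statement that immediately follows it, so @RSAAlert() here annotates the create context statement rather than the SELECT, and the context opens every day (the day-of-week field is *), so weekend daytime logins fall outside it. The following Python script is an added example, not code from the original post or from RSA NetWitness; it re-implements the rule's WHERE clause and its overnight 18:00 to 09:00 window over constructed sample events so the matching logic can be sanity-checked outside ESA.

```python
from datetime import datetime, time

# Window mirrors the EPL context: start (0, 18, *, *, *) is 18:00, end (0, 9, *, *, *) is 09:00.
# Because it crosses midnight, the test is "t >= start OR t < end", not "start <= t < end".
# Like the posted context, this window opens every day, including weekends.
WINDOW_START = time(18, 0)
WINDOW_END = time(9, 0)


def in_not_working_hours(ts: datetime, start: time = WINDOW_START, end: time = WINDOW_END) -> bool:
    """True when ts falls inside the context window; handles windows that wrap past midnight."""
    t = ts.time()
    if start <= end:  # same-day window, e.g. 09:00-18:00
        return start <= t < end
    return t >= start or t < end  # overnight window, e.g. 18:00-09:00


def matches_filter(ev: dict) -> bool:
    """Mirror of the posted rule's WHERE clause (constructed field names follow the EPL)."""
    user = ev.get("user_dst") or ""
    return (
        user.lower().endswith("adm")  # user_dst.toLowerCase() LIKE '%adm'
        and ev.get("device_type") in {"winevent_nic"}
        and ev.get("reference_id") in {"4624"}  # 4624 = Windows successful logon
    )


def select_alerts(events: list) -> list:
    """Return the events the rule would alert on: filter AND inside the context window."""
    return [ev for ev in events if matches_filter(ev) and in_not_working_hours(ev["time"])]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": datetime(2021, 2, 18, 22, 15), "user_dst": "SRV_ADM", "device_type": "winevent_nic", "reference_id": "4624"},    # match: after 18:00
    {"time": datetime(2021, 2, 18, 7, 40), "user_dst": "backup.adm", "device_type": "winevent_nic", "reference_id": "4624"},  # match: before 09:00
    {"time": datetime(2021, 2, 18, 13, 5), "user_dst": "dba_adm", "device_type": "winevent_nic", "reference_id": "4624"},     # no: office hours
    {"time": datetime(2021, 2, 18, 23, 0), "user_dst": "jdoe", "device_type": "winevent_nic", "reference_id": "4624"},        # no: not an admin account
    {"time": datetime(2021, 2, 18, 23, 0), "user_dst": "ops_adm", "device_type": "winevent_nic", "reference_id": "4625"},     # no: 4625 is a failed logon
    {"time": datetime(2021, 2, 18, 23, 0), "user_dst": "ops_adm", "device_type": "rhlinux", "reference_id": "4624"},          # no: wrong device type
]

if __name__ == "__main__":
    for ev in select_alerts(SAMPLE_EVENTS):
        print(ev["time"], ev["user_dst"])
```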
