We are trying to build an ESA rule named
Compliance - Windows - WinAdmCSI Logins
We want this rule to fire each time a Windows administrator logs in during non-working hours.
This is the syntax of our rule:
create context NotWorkingHours start (0, 18, *, *, *) end (0, 9, *, *, *);
SELECT * FROM
(user_dst .toLowerCase() LIKE '%adm')
AND device_type IN ( 'winevent_nic' )
AND reference_id IN ( '4624')
It appears that this rule does not match any event (as you can see in the attachment). Can you please explain to us why? Are there any mistakes in the context definition?
Thanks in advance
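Added example, not part of the original post: the same rule written so that Esper (the engine behind NetWitness ESA) can actually bind it. The crontab context in the post is valid (fields are minute, hour, day-of-month, month, day-of-week, and a window from 18:00 to the next 09:00 is allowed to cross midnight), but the SELECT has two problems: it names no event stream, and it is not attached to the context, so it never runs inside the NotWorkingHours window. The version below assumes the NetWitness ESA `Event` stream and the `@RSAAlert` annotation used by Advanced EPL rules to raise an alert; both are assumptions about the deployment, not something the post confirms.

```sql
-- Added example (not from the original post). Assumes NetWitness ESA Advanced EPL,
-- where events arrive on the 'Event' stream and '@RSAAlert' marks the alerting statement.

-- Crontab fields: (minute, hour, day-of-month, month, day-of-week).
-- Active from 18:00 until the next 09:00; Esper handles the midnight crossing.
create context NotWorkingHours
    start (0, 18, *, *, *)
    end   (0,  9, *, *, *);

-- The statement must be prefixed with the context, otherwise the window is ignored.
-- oneInSeconds=0 is assumed here: alert on every matching login rather than suppressing repeats.
@RSAAlert(oneInSeconds=0)
context NotWorkingHours
select *
from Event(
    -- case-insensitive match on an 'adm' suffix; like uses % as the wildcard
    user_dst.toLowerCase() like '%adm'
    and device_type = 'winevent_nic'
    -- reference_id is a string meta key in NetWitness, so compare to the string '4624'
    and reference_id = '4624'
);
```

Two checks before relying on it: confirm that `reference_id` is really populated as a string on the `winevent_nic` events (compare one raw event in Investigate), and remember that the context clock is the ESA server's clock, so the window is evaluated in the server's time zone, not the workstation's.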