AnsweredAssumed Answered

Defining context in Esa Rule

Question asked by Csi Piemonte D-Soc on Feb 18, 2021
Latest reply on Feb 18, 2021 by Josh Randall

Like • Show 0 Likes0
Comment • 1

We are trying to build a esa rule named

Compliance - Windows - WinAdmCSI Logins

We want this rule to fire each time a Windows administrator logs in during not working hours.

This is the syntax of our rule:

@RSAAlert()
create context NotWorkingHours start (0, 18, *, *, *) end (0, 9, *, *, *);
context NotWorkingHours
SELECT * FROM
   Event(
       (user_dst .toLowerCase() LIKE '%adm')
                AND device_type IN ( 'winevent_nic' )
                AND reference_id IN ( '4624')
                );

It appears that this rule does not match any event (as you can see in the attachment). Can you please explain us why? Are there any mistakes in context definition?

Thanks in advance

Attachments

esa rule.png23.3 KB

No one else has this question

Outcomes

CREATE SCHEMA BeginNonWorkingHours(); CREATE SCHEMA EndNonWorkingHours(); CREATE CONTEXT NonWorkingHours START BeginNonWorkingHours END EndNonWorkingHours; /* timestamps NOT IN US MST time: Mon-Fri 0800 - 1759 */ INSERT INTO BeginNonWorkingHours SELECT * FROM PATTERN[ EVERY timer:interval(1 minute) ] WHERE( ( current_timestamp.minus(7 hours).getDayOfWeek IN [2:6] AND current_timestamp.minus(7 hours).getHourOfDay NOT IN [08:17] ) ); /* timestamps IN US MST time: Mon-Fri 0800 - 1759 */ INSERT INTO EndNonWorkingHours SELECT * FROM PATTERN[ EVERY timer:interval(1 minute) ] WHERE( ( current_timestamp.minus(7 hours).getDayOfWeek IN [2:6] AND current_timestamp.minus(7 hours).getHourOfDay IN [08:17] ) ); @RSAAlert context NonWorkingHours SELECT window(*) from Event( (user_dst .toLowerCase() LIKE '%adm') AND device_type IN ( 'winevent_nic' ) AND reference_id IN ( '4624') );

1 Reply

Josh Randall

Feb 19, 2021 2:40 PM

Csi Piemonte D-Soc

I believe the main issue is that you need to use

SELECT window(*)

...instead of

SELECT *

A couple references on the topic:

Also, you may find it useful to refine your context to account for weekends and different timezones. For instance, your context:

create context NotWorkingHours start (0, 18, *, *, *) end (0, 9, *, *, *);

treats every day of the week exactly the same....and creates your context in UTC.

Instead, we can create context like this:

HTH

Actions

Defining context in Esa Rule

Attachments

Outcomes

Related Content

Recommended Content