2022-03-25 08:03 AM
Hi, we have trouble with some ESA rules we wrote.
We defined a context for extra business hours:
create context noWorkingHours start (*,19,*,*,*) end (*,7,*,*,*);
We used this context to search for generic Events:
@RSAAlert()
context VpnNotWorkingHours
SELECT * FROM Event();
This rule has been deployed and should generate an alert every time an event occurs between 19:00 and 07:00.
But this doesn't happen: we tested this rule using a JSON file we downloaded from the Investigation, which contained events of that period,
and the outcome was that no event was matched.
Can you please explain how this is possible? Is there a problem with the context definition? Our software is RSA NetWitness v 11.5.2.0
Thanks in advance
CsiPiemonteDSoc
2024-10-02 05:20 AM - edited 2024-10-02 07:59 AM
Hi,
Did you solve it?
Have you tried to check if it's necessary to add the timezone field in the context properties? For example:
create context noWorkingHours start (*, 19, *, *, *,*,'CET') end (*, 7, *, *, *,*,'CET');
Ref:
Table 6.5. Properties offered by sample statement aggregating price in the EPL_Reference PDF
Moreover, your context is called noWorkingHours instead of VpnNotWorkingHours (I don't know if this is a typo).
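To see why the timezone matters for a 19:00-07:00 window that crosses midnight, here is an added Python check (not part of either post, and not NetWitness or Esper code) that evaluates the same crontab-style window over a few constructed VPN events carried as UTC timestamps, once in UTC and once in CET. CET is approximated as a fixed UTC+1 offset (winter time) for the purpose of the example; a real check should use the proper tz database zone.

```python
from datetime import datetime, timedelta, timezone

# Window taken from the context definition in the thread:
# start (*,19,*,*,*) end (*,7,*,*,*)  -> active from 19:00 until 06:59:59
START_HOUR = 19
END_HOUR = 7

UTC = timezone.utc
# Assumption: CET as a fixed UTC+1 offset (ignores CEST/DST) to keep the example offline
CET = timezone(timedelta(hours=1), "CET")


def in_no_working_hours(event_utc: datetime, ctx_tz) -> bool:
    """True if the event falls inside the window when it is evaluated in ctx_tz.

    Because the window crosses midnight, an hour matches when it is at or after
    the start hour OR strictly before the end hour.
    """
    local_hour = event_utc.astimezone(ctx_tz).hour
    return local_hour >= START_HOUR or local_hour < END_HOUR


def matched_events(events, ctx_tz):
    """Names of the events the context would admit under the given timezone."""
    return [name for name, ts in events if in_no_working_hours(ts, ctx_tz)]


# Constructed sample events (UTC, as the collector would store them); CET time in comments
SAMPLE_EVENTS = [
    ("vpn-login-1", datetime(2022, 3, 24, 18, 30, tzinfo=UTC)),  # 19:30 CET
    ("vpn-login-2", datetime(2022, 3, 24, 23, 0, tzinfo=UTC)),   # 00:00 CET
    ("vpn-login-3", datetime(2022, 3, 25, 6, 30, tzinfo=UTC)),   # 07:30 CET
    ("vpn-login-4", datetime(2022, 3, 25, 12, 0, tzinfo=UTC)),   # 13:00 CET
]

if __name__ == "__main__":
    # The two evaluations disagree on events 1 and 3, which sit within an hour
    # of the window edges: exactly the kind of event a rule test can silently miss.
    print("evaluated in UTC:", matched_events(SAMPLE_EVENTS, UTC))
    print("evaluated in CET:", matched_events(SAMPLE_EVENTS, CET))
```

Running it shows that an event at 19:30 local time is outside the window when the context is evaluated in UTC, so a rule test with exported events can fail even though the context definition looks right.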