This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Advanced EPL Rule trigger only if it matches the event_time range passed

Go to solution
danielfortes
Contributor
Contributor

‎2022-05-30 01:24 PM - edited ‎2022-05-30 01:26 PM

Hello,

 

I'm working currently on a rule that should trigger some conditions (it's fully working) only if the event time matches some interval. So in a simple way, the alert should be triggered only if the time of the event was between 10pm-07am.

 

I worked with the EPL Essentials documentation where you can find two ways about Time-Based Contexts but any of those technics are working.

 

NetWitness version: 11.6.1.0

My rule, fully working and without any filter for time range/interval of time as I need is:

 

@RSAAlert(oneInSeconds=0)
@RSAPersist

SELECT * FROM Event(
    (reference_id IS NOT NULL AND `group` IS NOT NULL)
    AND
    (reference_id IN ('4728' , '4732' , '4756' , '4785' , '4787') OR reference_id IN ( '4729' , '4733' , '4757' , '4786' , '4788'))
);

 

Is there any way to filter all of the content (I'm receiving already) by event_time or time?

 

References I tried already to filter the results by time interval:

 

1st way: CONTEXT

create context BizHours start (0, 9, *, *, *) end (0, 17, *, *, *);
context BizHours
select * from Event(<ANY CONDITIONS HERE>);

----------------------------------------

2nd way: PATTERNS

create variable string var_on_off;
on pattern[Every(timer:at(*, 9, *, *, *))] set var_on_off = 'true';
on pattern[Every(timer:at(*, 17, *, *, *))] set var_on_off =
'false';
select * from Event(var_on_off='true' AND <ANY CONDITIONS HERE>)
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
YOANNTHIBERT
New Contributor
New Contributor

‎2022-07-19 10:57 AM

SELECT * FROM Event (
(reference_id IS NOT NULL AND `group` IS NOT NULL)
AND
(reference_id IN ('4728' , '4732' , '4756' , '4785' , '4787') OR reference_id IN ( '4729' , '4733' , '4757' , '4786' , '4788')
AND (
/* Horaire en semaine */
((current_timestamp.getHourOfDay+2) NOT IN (8,9,10,11,12,13,14,15,16,17,18)
AND current_timestamp.getDayOfWeek IN (2,3,4,5,6))
/* Horaire weekend */
OR current_timestamp.getDayOfWeek IN (1,7))
).win:time_batch(120 seconds)
GROUP BY ip_src, user_dst HAVING COUNT(*) >=4;

View solution in original post

2 REPLIES 2

Go to solution
YOANNTHIBERT
New Contributor
New Contributor

‎2022-07-19 10:57 AM

SELECT * FROM Event (
(reference_id IS NOT NULL AND `group` IS NOT NULL)
AND
(reference_id IN ('4728' , '4732' , '4756' , '4785' , '4787') OR reference_id IN ( '4729' , '4733' , '4757' , '4786' , '4788')
AND (
/* Horaire en semaine */
((current_timestamp.getHourOfDay+2) NOT IN (8,9,10,11,12,13,14,15,16,17,18)
AND current_timestamp.getDayOfWeek IN (2,3,4,5,6))
/* Horaire weekend */
OR current_timestamp.getDayOfWeek IN (1,7))
).win:time_batch(120 seconds)
GROUP BY ip_src, user_dst HAVING COUNT(*) >=4;

Go to solution
danielfortes
Contributor
Contributor
In response to YOANNTHIBERT

‎2022-08-11 03:50 PM

Thanks for your help.

 

The idea of using (current_timestamp.getHourOfDay+2) NOT IN (8,9,10,11,12,13,14,15,16,17,18) was really nice.

 

Something I've not seen in the official doc

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.