2021-10-26 02:50 PM - edited 2021-10-26 02:52 PM
I am trying to create an Advanced ESA rule that alerts us when someone creates a user out of office hours. For that we are creating a "context" which determines when the alert should be generated, and a Whitelist to exclude users that have permission to do that. The Whitelist in question was added to the ContextHub and applied to ESA's Enrichment Sources.
Yet, our query is not working... We are not able to use our whitelist from within the "context" we've created. Below is a sample of the alert we are trying to create:
@RSAAlert(oneInSeconds=0)
@Name("Suspicious Account Creation")
@Description('This alert is triggered when someone from outside the whitelist creates a new account out of office hours')
@UsesEnrichment(name = "Custom_User_Whitelist")
create context cronhour start (1,19,*,*,*) end (59,7,*,*,*);

context cronhour
select window(*) from Event (
    /* Statement: Statement 0 - Null */
    (reference_id IS NOT NULL)
    AND
    /* Statement: Statement 1 - Reference ID */
    (reference_id IN ( '4720' ))
    AND
    /* Statement: Statement 2 - User Whitelist */
    (user_dst.toLowerCase() IS NOT NULL
     AND NOT EXISTS (SELECT * FROM Custom_User_Whitelist WHERE ( LIST = Event.user_dst )))
    AND
    /* Statement: Statement 3 - Exclusions */
    (user_dst NOT LIKE '%$%' AND user_src NOT LIKE '%$%')
).win:length(1);
The error we receive is: Named window by name 'Custom_User_Whitelist' has been declared for context 'null' and can only be used within the same context.
Is there a way to import our ContextHub Whitelist into the context (cronhour) we've created? And if so, how?
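As an added reference, not part of the original post and not an ESA/EPL rule: the detection conditions of the rule above (event 4720, the 19:01 to 07:59 context window that crosses midnight, the exact-match whitelist and the '$' exclusions) expressed as a standalone Python check over constructed sample events, so the intended logic can be tested independently of how the ContextHub enrichment is wired into the context. The sample events and whitelist entries are made up for this example.

```python
from datetime import datetime

# Constructed sample events (not from the original post). 4720 = Windows "user account created".
SAMPLE_EVENTS = [
    {"time": "2021-10-25 22:15", "reference_id": "4720", "user_src": "admin01",  "user_dst": "newhire"},
    {"time": "2021-10-26 10:30", "reference_id": "4720", "user_src": "admin01",  "user_dst": "daytime.user"},
    {"time": "2021-10-26 03:05", "reference_id": "4720", "user_src": "svc_prov", "user_dst": "HelpDeskUser"},
    {"time": "2021-10-26 23:40", "reference_id": "4720", "user_src": "HOST01$",  "user_dst": "HOST02$"},
    {"time": "2021-10-26 23:45", "reference_id": "4624", "user_src": "admin01",  "user_dst": "newhire"},
]

# Constructed stand-in for the Custom_User_Whitelist enrichment source.
# The rule compares LIST = Event.user_dst exactly, so the match is case-sensitive here too.
CUSTOM_USER_WHITELIST = {"HelpDeskUser", "iam.automation"}

# Mirrors "start (1,19,*,*,*) end (59,7,*,*,*)": context active from 19:01 through 07:59.
WINDOW_START = 19 * 60 + 1   # minute of day
WINDOW_END = 7 * 60 + 59


def in_out_of_hours_window(hour, minute):
    """True when the time of day falls inside the context window (handles the midnight wrap)."""
    minute_of_day = hour * 60 + minute
    if WINDOW_START > WINDOW_END:  # window crosses midnight
        return minute_of_day >= WINDOW_START or minute_of_day <= WINDOW_END
    return WINDOW_START <= minute_of_day <= WINDOW_END


def is_suspicious(event, whitelist=CUSTOM_USER_WHITELIST):
    """Apply Statements 0-3 of the rule plus the context window to one event."""
    user_dst = event.get("user_dst")
    user_src = event.get("user_src") or ""
    if event.get("reference_id") != "4720" or not user_dst:   # Statements 0 and 1, null check of 2
        return False
    if user_dst in whitelist:                                  # Statement 2: NOT EXISTS in whitelist
        return False
    if "$" in user_dst or "$" in user_src:                     # Statement 3: machine-account exclusions
        return False
    ts = datetime.strptime(event["time"], "%Y-%m-%d %H:%M")
    return in_out_of_hours_window(ts.hour, ts.minute)


def alerts(events=SAMPLE_EVENTS):
    """Return the user_dst values that would trigger the alert."""
    return [e["user_dst"] for e in events if is_suspicious(e)]
```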
2022-05-30 03:05 PM
Hello, @DaveGlover
I'm currently working on the same case as @BrenoAmaral, but an even easier one.
Can you have a look at my question?
2021-10-27 11:42 AM
Have you gotten an answer for this yet? I don't have the answer, but I can research a solution for you.
2021-10-27 01:34 PM
Hello Dave,
We haven't found a solution for this problem yet. Your help will be much appreciated.