NetWitness Community

BohdanR · ‎2021-09-14

I am trying to write a rule that will create alert on login out of office hours, while using a context-hub list enrichment containing whitelist of users that are allowed to do that.

For imagination, simplified version of the rule is:

create context OOHours start (0, 20, *, *, [1,2,3,4,5], *, 'Europe/Paris') end (30, 7, *, *, [1,2,3,4,5], *, 'Europe/Paris');

@Name("Login out of office hours")
@UsesEnrichment(name = 'OOH_WL')
@RSAAlert

context OOHours
SELECT * FROM Event(
  device_type = 'winevent_nic' AND
  NOT EXISTS (SELECT * FROM OOH_WL WHERE name = Event.user_src_lower )
);

The problem is that when I try to deploy such rule, I receive an error: Named window by name 'OOH_WL' has been declared for context 'null' and can only be used within the same context

If I try to put @UsesEnrichment under context OOHours, it thows a syntax error.

Any ideas how to solve it, to be able to use context and enrichment at the same time?

I know I could use another approach by checking esa_time or event_time using functions like getHourOfDay, but those times are in GMT and office hour are in local time zone (CET), so it changes with winter time and summer time twice a year, and I don't know how to convert GMT to local time in EPL...

JoshRandall · ‎2021-09-14

@BohdanR I don't know if there's a way to use both a CH List and a context at the same time, but you can use local time zone offsets in your contexts like so....

CREATE SCHEMA BeginNonWorkingHours();
CREATE SCHEMA EndNonWorkingHours();
CREATE CONTEXT NonWorkingHours START BeginNonWorkingHours END EndNonWorkingHours;

/*
SET YOUR TZ OFFSET WITH EITHER .minus(N hours) OR .plus(N hours)
the below syntax is for US PST -8 hour offset
and would be changed during daylight saving to a -7 hour offset
PST time: Mon-Fri 0800 - 1759
*/
INSERT INTO BeginNonWorkingHours
SELECT * FROM PATTERN[
	EVERY timer:interval(1 minute)
	]
	WHERE(
		(
		current_timestamp.minus(8 hours).getDayOfWeek IN [2:6]
		AND
		current_timestamp.minus(8 hours).getHourOfDay NOT IN [08:17]
		)
	);

/*
SET YOUR TZ OFFSET WITH EITHER .minus(N hours) OR .plus(N hours)
the below syntax is for US PST -8 hour offset
and would be changed during daylight saving to a -7 hour offset
PST time: Mon-Fri 0800 - 1759
*/
INSERT INTO EndNonWorkingHours
SELECT * FROM PATTERN[
	EVERY timer:interval(1 minute)
	]
	WHERE(
		(
		current_timestamp.minus(8 hours).getDayOfWeek IN [2:6]
		AND
		current_timestamp.minus(8 hours).getHourOfDay IN [08:17]
		)
	);

@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@Name("Failed Logins Outside Business Hours by {user_dst}")
context NonWorkingHours select window(*) from Event
         (medium =32
          AND ec_activity='Logon'
		  AND ec_outcome='Failure'
		  AND device_class IS NOT NULL
		  AND user_dst IS NOT NULL
		  AND user_dst NOT LIKE '%$'
		 ).win:time(1800 seconds) group by user_dst having count(*) = 2 output first every 1800 seconds;

This has the added benefit of accounting for both weekends and weekdays, in addition to the timezone offset.

Mr. Mongo

BohdanR · ‎2021-09-14

Hi Josh,

I am not sure if that can help me, because as I mentioned, I need to use a whitelist stored in a contexthub list (which is actually created by export of AD group) in the rule. Your sample also uses context, so I suppose I would have the same problem there.

In addition, the problem with offset is, that we have it +1 hour in the winter, but +2 hours in the summer. And I will not remember to update all such rules twice a year when we switch to summer/winter time 🙂 I suppose it would require using some Java functions to calculate local time automatically...

By the way, what I used in my sample rule, defining context with a time zone as following, works with the local time correctly (the problem is just how to use an enrichment with it):
create context WorkingHours start (0, 8, *, *, [1,2,3,4,5], *, 'Europe/Paris') end (0, 17, *, *, [1,2,3,4,5], *, 'Europe/Paris');

NetWitness Community

EPL: context with enrichment