2021-09-14 11:24 AM
I am trying to write a rule that will create alert on login out of office hours, while using a context-hub list enrichment containing whitelist of users that are allowed to do that.
For illustration, a simplified version of the rule is:
create context OOHours start (0, 20, *, *, [1,2,3,4,5], *, 'Europe/Paris') end (30, 7, *, *, [1,2,3,4,5], *, 'Europe/Paris');
@Name("Login out of office hours")
@UsesEnrichment(name = 'OOH_WL')
@RSAAlert
context OOHours
SELECT * FROM Event(
device_type = 'winevent_nic' AND
NOT EXISTS (SELECT * FROM OOH_WL WHERE name = Event.user_src_lower )
);
The problem is that when I try to deploy such a rule, I receive an error: Named window by name 'OOH_WL' has been declared for context 'null' and can only be used within the same context
If I try to put @UsesEnrichment under context OOHours, it throws a syntax error.
Any ideas how to solve it, to be able to use context and enrichment at the same time?
I know I could use another approach by checking esa_time or event_time using functions like getHourOfDay, but those times are in GMT and office hours are in the local time zone (CET), so it changes with winter time and summer time twice a year, and I don't know how to convert GMT to local time in EPL...
2021-09-14 12:01 PM - edited 2021-09-14 12:04 PM
@BohdanR I don't know if there's a way to use both a CH List and a context at the same time, but you can use local time zone offsets in your contexts like so:
CREATE SCHEMA BeginNonWorkingHours();
CREATE SCHEMA EndNonWorkingHours();
CREATE CONTEXT NonWorkingHours START BeginNonWorkingHours END EndNonWorkingHours;
/*
SET YOUR TZ OFFSET WITH EITHER .minus(N hours) OR .plus(N hours)
the below syntax is for US PST -8 hour offset
and would be changed during daylight saving to a -7 hour offset
PST time: Mon-Fri 0800 - 1759
*/
INSERT INTO BeginNonWorkingHours
SELECT * FROM PATTERN[
EVERY timer:interval(1 minute)
]
WHERE(
(
current_timestamp.minus(8 hours).getDayOfWeek IN [2:6]
AND
current_timestamp.minus(8 hours).getHourOfDay NOT IN [08:17]
)
);
/*
SET YOUR TZ OFFSET WITH EITHER .minus(N hours) OR .plus(N hours)
the below syntax is for US PST -8 hour offset
and would be changed during daylight saving to a -7 hour offset
PST time: Mon-Fri 0800 - 1759
*/
INSERT INTO EndNonWorkingHours
SELECT * FROM PATTERN[
EVERY timer:interval(1 minute)
]
WHERE(
(
current_timestamp.minus(8 hours).getDayOfWeek IN [2:6]
AND
current_timestamp.minus(8 hours).getHourOfDay IN [08:17]
)
);
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@Name("Failed Logins Outside Business Hours by {user_dst}")
context NonWorkingHours select window(*) from Event
(medium =32
AND ec_activity='Logon'
AND ec_outcome='Failure'
AND device_class IS NOT NULL
AND user_dst IS NOT NULL
AND user_dst NOT LIKE '%$'
).win:time(1800 seconds) group by user_dst having count(*) = 2 output first every 1800 seconds;
This has the added benefit of accounting for both weekends and weekdays, in addition to the timezone offset.
2021-09-14 12:18 PM - edited 2021-09-14 12:20 PM
Hi Josh,
I am not sure if that can help me, because as I mentioned, I need to use a whitelist stored in a contexthub list (which is actually created by export of AD group) in the rule. Your sample also uses context, so I suppose I would have the same problem there.
In addition, the problem with the offset is that we have +1 hour in the winter but +2 hours in the summer. And I will not remember to update all such rules twice a year when we switch to summer/winter time 🙂 I suppose it would require using some Java functions to calculate the local time automatically...
By the way, what I used in my sample rule, defining the context with a time zone as follows, works correctly with the local time (the problem is just how to use an enrichment with it):
create context WorkingHours start (0, 8, *, *, [1,2,3,4,5], *, 'Europe/Paris') end (0, 17, *, *, [1,2,3,4,5], *, 'Europe/Paris');
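As an added illustration (not code from this thread or from NetWitness), here is a small Python model of the check the original poster wants: the whitelist OOH_WL and the sample events are constructed, the office window follows the WorkingHours context above, and the fixed-offset helper reproduces the .minus(N hours) approach from the reply to show where it drifts across the CET/CEST switch.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed stand-in for the OOH_WL context-hub list (an assumption, not real data)
OOH_WL = {"svc_backup", "nightshift01"}

OFFICE_TZ = ZoneInfo("Europe/Paris")
OFFICE_START = time(8, 0)    # same window as the WorkingHours context above
OFFICE_END = time(17, 0)
WORKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday in Python's weekday() numbering

def parse_utc(iso_ts: str) -> datetime:
    """esa_time/event_time are stored in GMT, so tag the naive timestamp as UTC."""
    return datetime.fromisoformat(iso_ts).replace(tzinfo=timezone.utc)

def _outside_window(local: datetime) -> bool:
    if local.weekday() not in WORKDAYS:
        return True
    return not (OFFICE_START <= local.time() < OFFICE_END)

def is_out_of_office_hours(event_time_utc: datetime) -> bool:
    """Zone-aware conversion: CET in winter, CEST in summer, no manual updates."""
    return _outside_window(event_time_utc.astimezone(OFFICE_TZ))

def fixed_offset_out_of_hours(event_time_utc: datetime, offset_hours: int) -> bool:
    """The fixed-offset approach (current_timestamp.plus/minus N hours) for comparison."""
    return _outside_window(event_time_utc + timedelta(hours=offset_hours))

def should_alert(event: dict) -> bool:
    """Mirror of the rule: winevent_nic event, out of hours, user not in OOH_WL."""
    if event.get("device_type") != "winevent_nic":
        return False
    if event["user_src_lower"] in OOH_WL:
        return False
    return is_out_of_office_hours(parse_utc(event["event_time"]))

# Constructed sample events with UTC timestamps (Mondays in January and July 2021, one Saturday)
SAMPLE_EVENTS = [
    {"event_time": "2021-01-18T15:30:00", "device_type": "winevent_nic", "user_src_lower": "alice"},  # 16:30 CET, in hours
    {"event_time": "2021-07-19T15:30:00", "device_type": "winevent_nic", "user_src_lower": "alice"},  # 17:30 CEST, out of hours
    {"event_time": "2021-07-19T15:30:00", "device_type": "winevent_nic", "user_src_lower": "svc_backup"},  # whitelisted
    {"event_time": "2021-07-17T10:00:00", "device_type": "winevent_nic", "user_src_lower": "bob"},  # Saturday
    {"event_time": "2021-07-19T15:30:00", "device_type": "linux", "user_src_lower": "bob"},  # wrong device_type
]

def alerts(events: list) -> list:
    """Return 'user@timestamp' for each event the rule would alert on."""
    return [e["user_src_lower"] + "@" + e["event_time"] for e in events if should_alert(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
    # The July 15:30 UTC logon is 17:30 local, but a winter +1 offset still treats it as 16:30
    print(fixed_offset_out_of_hours(parse_utc("2021-07-19T15:30:00"), 1))
```

Running it shows the same 15:30 UTC logon is inside hours in January and outside in July, and that a +1 offset left over from winter misses the July case.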