This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ESA alerts depending of the time in event.time

JohnDoe1
Beginner
Beginner

‎2016-01-22 11:13 AM

Hi,

 

I have working ESA rule depending of the time with the following syntax

@Name('BusinessHours')

create context BusinessHours start (0, 9, *, *, *) end (0, 18, *, *, *);

...

 

Its works fine but the check is only based on the arrival time  of the log.

 

How change this behavior to base the check of the time on another meta ?

 

Examples :

  • event.time for windows events
  • a custom meta (some logs could contains multiple time like start time or stop time)
0 Likes
4 REPLIES 4

CindyCelata
Beginner
Beginner

‎2016-01-22 07:10 PM

hi, article 000026973 that is published in https://knowledge.rsasecurity.com has some information to check out on that.

JohnDoe1
Beginner
Beginner
In response to CindyCelata

‎2016-01-25 04:21 AM

Thanks Cindy Celata​ but this KB is only about  windows ans not related on the ESA.

 

I have edited my question to clarify.

0 Likes

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2016-01-26 09:09 AM

Hi John,

 

As you have noticed, by default the ESA appliance will utilise its own time for correlation. To satisfy your use case it may be worth while extracting the hours of the day from the event_time meta data using some in-built functions of Esper such as "getHourOfDay()" like so:

 

SELECT * FROM Event((event_time.getHourOfDay() in (9,10,11,12,13,14,15,16,17,18)) AND user_dst IS NOT NULL and event_cat_name = 'firewall change')

 

This allows us to manually specify the hours of the day like you have done so with your context but against a different time variable.

Cheers,

Lee

DavidWaugh1
Employee
Employee
In response to LeeKirkpatrick

‎2016-01-29 04:20 AM

Note make sure you multiply event.time by 1000 as it needs to be milliseconds since 1970, rather than seconds since 1970.

 

The line above would be

 

SELECT * FROM Event(((event_time*1000).getHourOfDay() in (9,10,11,12,13,14,15,16,17,18)) AND user_dst IS NOT NULL and event_cat_name = 'firewall change')

 

There is also a bug in Esper 5.1 that may prevent this is working in some cases. 10.6 uses Esper 5.3.

 

EsperTech acknowledged a bug which we reported last April, and it looks like it might apply in this scenario. To quote:

 

The bug is specific to the presence of a having-clause in a non-fully-aggregated and grouped query, and will only show up under certain sequences of data.

From some tests we did previously, we found that the bug caused conditionals in the having-clause to behave unpredictably, especially when using “having count(*)”.

 

The bug has since been patched in the newer versions (after 5.2), but our version of Esper in ESA is still at 5.1. We had to work around the issue by using a fully-aggregated query instead.

© 2022 RSA Security LLC or its affiliates. All rights reserved.