A bit late here, but for future reference - one can fulfill similar "business hours" use-cases, by modifying the EPL rule below.
This example EPL Rule will alert on successful logon activity between Mon - Fri, outside of 9-5 UTC - leveraging the time ESA ingests the data (noted by 'esa_time').
***************************************************************************************
@Name('Logon_Activity_Non_Biz_Hours_Alert')
@Description('This is a query to alert on successful auth during non-biz hours, between Mon - Fri')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
ec_activity='Logon' AND ec_outcome ='Success'
AND (esa_time).getDayOfWeek IN (2,3,4,5,6) // Monday to Friday
AND (esa_time).getHourOfDay NOT IN (9,10,11,12,13,14,15,16,17)) // 9:00 -17:00 UTC
***************************************************************************************
Explicitly stating which days / time to focus the query on, is one way to remove weekend days from the rule.
You could also explicitly specify:
AND (esa_time).getDayOfWeek NOT IN (1,7) // Sunday and Saturday
***************************************************************************************
Reference Day Format
1 | 2 | 3 | 4 | 5 | 6 | 7 |
Sun | Mon | Tue | Wed | Thu | Fri | Sat |
