2023-01-26 01:28 PM
I'm trying to alert a Successful login from an Admin User in Non-Business Hours...
I copied the syntax from the RSA Live ESA Rule related to Failed Logins:
Here is the content of the new one:
@Name('Logon_Success_NBH')
// Esper crontab fields are (minutes, hours, day-of-month, month, day-of-week); the hours are UTC
create context NotWorkingHours start (*, 18, *, *, *) end (*, 8, *, *, *);
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@Name("Successful Logins Outside Business Hours by {user_dst}")
context NotWorkingHours select window(*) from Event
(ec_activity='Logon'
AND ec_outcome='Success'
AND device_class IN ('Web Logs' , 'Windows Hosts' , 'Wireless Devices')
// user_dst is lower-cased before the comparison, so the list values must be lower-case too
AND user_dst.toLowerCase() IN ('administrator','pruebapass','pruebasiem','prueba2siem')
).win:time(5 seconds) ;
I also tried an alarm created in this discussion, but I got the same results: https://community.netwitness.com/t5/netwitness-discussions/esa-alerts-depending-on-business-hours-and-business-days/m-p/437477/highlight/true
Has anyone here tested an alarm like this to guide us?
Thanks in advance
2023-10-25 05:56 PM
Look at the response on this page from AndrewOjha:
https://community.netwitness.com/t5/netwitness-discussions/esa-alerts-depending-on-business-hours-and-business-days/m-p/437477/highlight/true#M3505
The other thing you need to understand is that time in NetWitness captures is in UTC, so if you are in a different timezone you would need to adjust the hours for the offset.
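As an added illustration (not code from this thread or from NetWitness), the script below models what the rule and the UTC remark above boil down to: it derives the UTC hours to put in the crontab context from a local 18:00 to 08:00 non-business window, and applies the rule's filter (successful logon, watched device classes, lower-cased admin user list, outside business hours) to a few constructed sample events. The UTC-5 offset, the event records and the helper names are assumptions for the example; any `tzinfo` such as a `zoneinfo.ZoneInfo` can be passed in so that a DST change in the offset is picked up.

```python
from datetime import datetime, timedelta, timezone

# Local business day assumed by the rule: work starts 08:00, ends 18:00.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18

# Admin accounts watched by the rule, kept lower-case because the rule
# lower-cases user_dst before comparing.
ADMIN_USERS = {"administrator", "pruebapass", "pruebasiem", "prueba2siem"}
DEVICE_CLASSES = {"Web Logs", "Windows Hosts", "Wireless Devices"}


def is_outside_business_hours(event_utc, local_tz):
    """True when a UTC timestamp falls outside [08:00, 18:00) in local_tz."""
    local = event_utc.astimezone(local_tz)
    return not (BUSINESS_START_HOUR <= local.hour < BUSINESS_END_HOUR)


def utc_context_hours(local_tz, on_date=None):
    """Return (start_hour, end_hour) in UTC for a context that opens at
    local 18:00 and closes at local 08:00, using the offset in force on on_date."""
    ref = (on_date or datetime.now(timezone.utc)).astimezone(local_tz)
    start_local = ref.replace(hour=BUSINESS_END_HOUR, minute=0, second=0, microsecond=0)
    end_local = ref.replace(hour=BUSINESS_START_HOUR, minute=0, second=0, microsecond=0)
    return (start_local.astimezone(timezone.utc).hour,
            end_local.astimezone(timezone.utc).hour)


def esa_context_statement(name, local_tz, on_date=None):
    """Render the 'create context' line with UTC hours for the given timezone."""
    start_h, end_h = utc_context_hours(local_tz, on_date)
    return f"create context {name} start (*, {start_h}, *, *, *) end (*, {end_h}, *, *, *);"


def matching_events(events, local_tz):
    """Apply the rule's filter to a list of event dicts; return the user_dst values that would alert."""
    hits = []
    for ev in events:
        if ev["ec_activity"] != "Logon" or ev["ec_outcome"] != "Success":
            continue
        if ev["device_class"] not in DEVICE_CLASSES:
            continue
        if ev["user_dst"].lower() not in ADMIN_USERS:
            continue
        if is_outside_business_hours(ev["time"], local_tz):
            hits.append(ev["user_dst"])
    return hits


# Assumed site timezone for the example: a fixed UTC-5 offset.
UTC_MINUS_5 = timezone(timedelta(hours=-5))


def _event(hour, minute, user, outcome="Success", device_class="Windows Hosts"):
    return {"time": datetime(2023, 1, 26, hour, minute, tzinfo=timezone.utc),
            "user_dst": user, "ec_activity": "Logon",
            "ec_outcome": outcome, "device_class": device_class}


# Constructed sample events (not from a real capture); times are UTC as NetWitness stores them.
SAMPLE_EVENTS = [
    _event(3, 15, "Administrator"),             # 22:15 local -> outside business hours
    _event(14, 5, "pruebasiem"),                # 09:05 local -> inside business hours
    _event(23, 40, "PRUEBAPASS", outcome="Failure"),  # failed logon, not in scope
    _event(12, 30, "prueba2siem"),              # 07:30 local -> outside business hours
    _event(2, 0, "jdoe"),                       # not a watched account
]

if __name__ == "__main__":
    print(esa_context_statement("NotWorkingHours", UTC_MINUS_5, SAMPLE_EVENTS[0]["time"]))
    print(matching_events(SAMPLE_EVENTS, UTC_MINUS_5))
```

For the UTC-5 case the context line comes out as `start (*, 23, *, *, *) end (*, 13, *, *, *)`, which is what the rule's `18` and `8` need to become when the analyst's working day is five hours behind UTC; with a `ZoneInfo` object the hours follow the DST offset of the date passed in.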