This article describes how to write an ESA Rule that will work on a given time period. For example, you may want a rule to only be active outside of working hours, or on certain days of the week.
This article assumes that the reader is already familiar with advanced Event Stream Analysis (ESA) Rules and already has an advanced rule which they wish to modify to only work during a particular time frame.
This method makes use of the following Esper date-time methods, documented here:
http://www.espertech.com/esper/release-5.2.0/esper-reference/html/datetimereference.html#datetime-method-getitem
- getHourOfDay()
- getDayOfWeek()
The event_time meta is in seconds since the Unix epoch, while Esper's date-time methods expect milliseconds, so we convert it by multiplying by 1000.
Below is a sample ESA Rule that looks for a successful login event.
module MyLoginRule;
// The real "alerter". The annotation identifies it as the one that ESA needs to watch for.
@RSAAlert
@RSAPersist
@Name('MyLoginRule')
@Description('Successful Logon')
SELECT * FROM Event(
ec_activity='Logon' AND ec_outcome='Success'
)
Our aim is to convert this rule so that it only matches events that are outside business hours. For simplicity we define business hours as:
Monday to Friday, 9:00 to 17:30 UTC
In Esper:
January = Month 0, December = Month 11
Sunday = Day 1, Saturday = Day 7
Our time-based rule then becomes:
module MyLoginRule;
// The real "alerter". The annotation identifies it as the one that ESA needs to watch for.
@RSAAlert
@RSAPersist
@Name('MyLoginRule')
@Description('Successful Logon Outside Business Hours')
SELECT * FROM Event(
ec_activity='Logon' AND ec_outcome='Success' AND
(
  // Monday to Friday, but outside hours 9 through 17 (09:00-17:59 UTC)
  ((event_time*1000).getDayOfWeek() IN (2,3,4,5,6)
   AND (event_time*1000).getHourOfDay() NOT IN (9,10,11,12,13,14,15,16,17))
  // or any time on Saturday or Sunday
  OR (event_time*1000).getDayOfWeek() IN (1,7)
)
)
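To check the rule's time logic before deploying it, here is an added Python example (not part of the original article and not NetWitness or Esper code) that reproduces the predicate with Esper's day-of-week numbering and runs it over constructed sample events. It assumes the ESA engine evaluates the date-time methods in UTC, as the rule's comments state; the sample events are made up for this example.

```python
from datetime import datetime, timezone

# Hours (0-23) treated as business hours on a weekday, matching the rule's NOT IN list.
BUSINESS_HOURS = {9, 10, 11, 12, 13, 14, 15, 16, 17}
# Esper day-of-week numbering as used by the rule: Sunday = 1 ... Saturday = 7
WEEKDAYS = {2, 3, 4, 5, 6}
WEEKEND = {1, 7}


def esper_day_of_week(epoch_ms: int) -> int:
    """Mimic Esper's getDayOfWeek(): Sunday=1 ... Saturday=7 (engine time zone assumed to be UTC)."""
    dt = datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)
    return (dt.weekday() + 1) % 7 + 1  # Python's weekday(): Monday=0 ... Sunday=6


def esper_hour_of_day(epoch_ms: int) -> int:
    """Mimic Esper's getHourOfDay(): 0-23 in the engine time zone (assumed UTC)."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).hour


def outside_business_hours(event_time: int) -> bool:
    """Same predicate as the rule's time clause; event_time is seconds since the Unix epoch."""
    ms = event_time * 1000  # the meta is in seconds, the date-time methods want milliseconds
    dow = esper_day_of_week(ms)
    hour = esper_hour_of_day(ms)
    return (dow in WEEKDAYS and hour not in BUSINESS_HOURS) or dow in WEEKEND


def matching_logons(events):
    """Apply the whole rule (successful logon outside business hours) to a list of event dicts."""
    return [e for e in events
            if e["ec_activity"] == "Logon" and e["ec_outcome"] == "Success"
            and outside_business_hours(e["event_time"])]


def ts(year, month, day, hour, minute=0) -> int:
    """Build a UTC event_time in seconds for the constructed sample events."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample events (not real NetWitness data). 2024-01-15 is a Monday, 2024-01-20 a Saturday.
SAMPLE_EVENTS = [
    {"id": "mon-0830", "ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 15, 8, 30)},
    {"id": "mon-1000", "ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 15, 10, 0)},
    {"id": "mon-1730", "ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 15, 17, 30)},
    {"id": "mon-1800", "ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 15, 18, 0)},
    {"id": "sat-1000", "ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 20, 10, 0)},
    {"id": "sat-fail", "ec_activity": "Logon", "ec_outcome": "Failure", "event_time": ts(2024, 1, 20, 10, 0)},
]

if __name__ == "__main__":
    for e in matching_logons(SAMPLE_EVENTS):
        print(e["id"])  # prints mon-0830, mon-1800, sat-1000
```

Note that 17:30 on a weekday does not fire: hour 17 is in the excluded list, so the rule treats the whole 17:00-17:59 hour as business hours, which is the granularity getHourOfDay() gives you.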