
NetWitness Admin Server - Time Based Rules in Event Stream Analysis

Issue

This article describes how to write an ESA Rule that will work on a given time period. For example, you may want a rule to only be active outside of working hours, or on certain days of the week.

This article assumes that the reader is already familiar with advanced Event Stream Analysis (ESA) Rules and already has an advanced rule which they wish to modify to only work during a particular time frame.

Resolution

This method uses the following Esper date-time methods, documented here:

http://www.espertech.com/esper/release-5.2.0/esper-reference/html/datetimereference.html#datetime-method-getitem

  • getHourOfDay()
  • getDayOfWeek()

The event_time meta key holds seconds since the Unix epoch, while Esper's date-time methods operate on milliseconds since the epoch, so the rule converts the value by multiplying it by 1000.

Below is a sample ESA Rule that looks for a successful login event.

module MyLoginRule;

// The real "alerter": the @RSAAlert annotation marks this statement as the one ESA watches for.
@RSAAlert
@RSAPersist
@Name('MyLoginRule')
@Description('Successful Logon')
SELECT * FROM Event(
ec_activity='Logon' AND ec_outcome='Success'
);


Our aim is to convert this rule so that it only matches events that are outside business hours. For simplicity we define business hours as:

        Monday - Friday : 09:00 to 17:30 UTC

In Esper:
        January = Month 0, December = Month 11
        Sunday = Day 1, Saturday = Day 7

Our time-based rule then becomes:
 

module MyLoginRule;

// The real "alerter": the @RSAAlert annotation marks this statement as the one ESA watches for.
@RSAAlert
@RSAPersist
@Name('MyLoginRule')
@Description('Successful Logon Outside Business Hours')
SELECT * FROM Event(
ec_activity='Logon' AND ec_outcome='Success' AND (
    ((event_time*1000).getDayOfWeek() IN (2,3,4,5,6)                          // Monday to Friday
     AND (event_time*1000).getHourOfDay() NOT IN (9,10,11,12,13,14,15,16,17))  // hours 9-17, i.e. 09:00-17:59 UTC, excluded
    OR (event_time*1000).getDayOfWeek() IN (1,7)                              // Saturday or Sunday
)
);
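
To check the rule's boundaries before deploying it, here is an added Python model of the predicate (example code, not part of this article or of NetWitness): it reproduces Esper's getDayOfWeek() and getHourOfDay() numbering in UTC, which this article assumes for event_time, and runs the rule over a few constructed events. It also shows that excluding hours 9 through 17 suppresses logons until 17:59 UTC, not 17:30.

```python
from datetime import datetime, timezone

# Business hours as the article defines them: Monday-Friday, 09:00-17:30 UTC.
# Esper/java.util.Calendar day numbering: Sunday=1 ... Saturday=7.
BUSINESS_DAYS = {2, 3, 4, 5, 6}
# The EPL rule excludes whole hours, so hour 17 covers 17:00-17:59.
BUSINESS_HOURS = {9, 10, 11, 12, 13, 14, 15, 16, 17}
WEEKEND_DAYS = {1, 7}


def esper_day_of_week(event_time_s: int) -> int:
    """Model (event_time*1000).getDayOfWeek(): Sunday=1 ... Saturday=7, in UTC."""
    dt = datetime.fromtimestamp(event_time_s, tz=timezone.utc)
    # Python weekday(): Monday=0 ... Sunday=6  ->  Calendar: Sunday=1 ... Saturday=7
    return (dt.weekday() + 1) % 7 + 1


def esper_hour_of_day(event_time_s: int) -> int:
    """Model (event_time*1000).getHourOfDay() in UTC."""
    return datetime.fromtimestamp(event_time_s, tz=timezone.utc).hour


def outside_business_hours(event_time_s: int) -> bool:
    """The time clause of the modified rule, written exactly as the EPL groups it."""
    dow = esper_day_of_week(event_time_s)
    hour = esper_hour_of_day(event_time_s)
    return (dow in BUSINESS_DAYS and hour not in BUSINESS_HOURS) or dow in WEEKEND_DAYS


def rule_fires(event: dict) -> bool:
    """Full predicate of 'Successful Logon Outside Business Hours' over an event dict."""
    return (event.get("ec_activity") == "Logon"
            and event.get("ec_outcome") == "Success"
            and outside_business_hours(event["event_time"]))


def ts(year: int, month: int, day: int, hour: int, minute: int) -> int:
    """Seconds since the Unix epoch for a UTC wall-clock time (helper for constructed events)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample events (2024-01-01 is a Monday, 2024-01-06 a Saturday).
SAMPLE_EVENTS = [
    {"ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 1, 10, 0)},   # Mon 10:00
    {"ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 5, 17, 45)},  # Fri 17:45
    {"ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 5, 18, 0)},   # Fri 18:00
    {"ec_activity": "Logon", "ec_outcome": "Success", "event_time": ts(2024, 1, 6, 12, 0)},   # Sat 12:00
    {"ec_activity": "Logon", "ec_outcome": "Failure", "event_time": ts(2024, 1, 7, 3, 0)},    # Sun, failed
]


def evaluate_samples() -> list:
    """Return which of the constructed events the rule would alert on."""
    return [rule_fires(e) for e in SAMPLE_EVENTS]
```

The Friday 17:45 event is not alerted on, which is the gap between the stated 17:30 cut-off and the hour-granular exclusion in the EPL.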

Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: ESA/Correlation-server, Admin Server
NetWitness Version/Condition: 11.x , 12.x
Platform: CentOS , AlmaLinux