How to use Event Date field in correlation rules?
Updated: 23 Jul 2010 | 6 comments
Hello,
I want to create an incident if some specific event or events occur within a certain time frame, i.e. every successful logon attempt from one source IP address between 10 pm and 6 am.
I wanted to use the Event Date field with the 'matches' operator and regex patterns such as ^\d\d\d\d\-\d\d\-\d\d\s22:\d\d:\d\d.*$ and so on. But it doesn't work; I received "XML Parse Error".
I noticed that I can put there only numbers, no matter what operator is being used.
Also I found a field called Event Day, but if I'm correct this field can be used only when we want to use the Weekdays or Weekend lookup tables. Unfortunately, there is no field such as Event Hour etc.
Any ideas?
Regards,
Antilles
Comments
Two different ways
You can use greater than or less than, using a 24-hour clock for the incident if the incident is time based, or the event date if the incident should declare on a specific date.
The lookup tables can be used for checking the day of the week, e.g. Weekend vs. weekday.
HTH
I'm attempting to do this...
But I keep getting an invalid search query. I'm trying to use the Event Query to write this query first, but it doesn't seem to like doing a search just based on time.
For example:
Event Date < 06:00 AM
Event Date > 11:00 PM
This is on v4.7 of the SSIM.
When you want to use Event
When you want to use Event Date fields in correlation rule criteria you should do it as MegL wrote. But you cannot use Event Date fields in queries, because in that case you should use the Time Range section in the Query Wizard window.
Feedback...
You are correct, the method MegL outlined does work for Correlation Rules but DOES NOT work for Event Queries.
While in Event Queries you have the option to select a date/time range, that really doesn't help you do what I need. As an example, let's say I want to write an event query to give me all the successful log-in events across the last 30 days that happened between 11pm and 6am. You can't do it. You can do it each day, but you can't write an event query that gives me ONLY events between 11pm and 6am across multiple days. It will give you ALL the events between Jan 1, 2010 11:00:00 pm and Jan 9, 2010 06:00:00 am.
When you are developing rules, it is nice to be able to write an Event Query that matches the logic of the rule so that you can compare the results. In the correlation rule testing tab you can see the number of conclusions, incidents and the total number of events reviewed based on your rule, but you can't actually review the events in the time period in question to confirm that it is truly accurate. If you could write the exact same logic in an Event Query, you could then review the actual events themselves and use that as confirmation that your rule is triggering as it should.
In the end I got confirmation from the team that handles enhancement requests that this is not currently possible. They have officially submitted that request for possible future enhancement.
Ok, now I understand better
Ok, now I understand better what you wanted to do.
You are correct too, there is no way to build a query with the criteria that you wrote. So unfortunately we need to wait for an enhancement of the query features...
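As an added example that is not part of the thread and not SSIM's own code: the time-of-day filter the Event Query wizard cannot express (successful logons between 23:00 and 06:00 across many days, grouped by source IP) can be applied after the fact to exported events. The sample lines and their `date time ip outcome` layout are constructed here, not the product's real export format.

```python
from datetime import datetime, time
from collections import defaultdict

# Constructed sample of exported events, one per line: "<date> <time> <source_ip> <outcome>".
# Not SSIM's real export format; the layout is an assumption for this example.
SAMPLE_EVENTS = """\
2010-01-01 23:15:02 10.0.0.5 success
2010-01-02 00:40:11 10.0.0.5 success
2010-01-02 05:59:59 10.0.0.9 success
2010-01-02 06:00:00 10.0.0.9 success
2010-01-02 12:30:00 10.0.0.5 success
2010-01-03 02:10:45 10.0.0.5 failure
2010-01-08 23:00:00 10.0.0.7 success
"""


def in_window(t: time, start: time, end: time) -> bool:
    """True if time-of-day t lies in [start, end).

    Handles a window that wraps past midnight (23:00 -> 06:00), which a single
    'between two timestamps' range across several days cannot express: that
    range would also return every daytime event in between.
    """
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def night_logons(raw: str, start: time = time(23, 0), end: time = time(6, 0)) -> dict:
    """Return {source_ip: [timestamps]} of successful logons inside the window,
    regardless of which calendar day each one falls on."""
    hits = defaultdict(list)
    for line in raw.splitlines():
        date_s, time_s, src_ip, outcome = line.split()
        if outcome != "success":
            continue
        ts = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
        if in_window(ts.time(), start, end):
            hits[src_ip].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, stamps in night_logons(SAMPLE_EVENTS).items():
        print(ip, len(stamps), [s.isoformat() for s in stamps])
```

The window is start-inclusive and end-exclusive, so a 06:00:00 logon is excluded while 23:00:00 is included; adjust the bounds if the rule under test uses different edges.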