
How to use Event Date field in correlation rules?

Created: 13 Oct 2008 • Updated: 23 Jul 2010 | 6 comments
lukaszfr:

Hello,

I want to create an incident if some specific event (or events) occurs within a certain time frame, i.e. every successful logon attempt from one source IP address between 10 pm and 6 am.
I wanted to use the Event Date field with the 'matches' operator and regex patterns such as ^\d\d\d\d\-\d\d\-\d\d\s22:\d\d:\d\d.*$ and so on. But it doesn't work; I received an "XML Parse Error".

I noticed that I can put only numbers there, no matter what operator is being used.

Also I found a field called Event Day, but if I'm correct this field can be used only when we want to use the Weekdays or Weekend lookup tables. Unfortunately, there is no field such as Event Hour etc.

Any ideas?


Regards,
Antilles

Comments (6)

caglar10ur:
For time window, in the rule editor you can just write something like:

Event Date > "6:00"
AND
Event Date < "20:00"
MegL:
We support the following time and date formats:
    Valid date format is: DD/MM/YY[YY]
    Valid time format is: HH:MM[AM|PM]

You can use greater than or less than, using a 24 hour clock for incident if the incident is time based, or the event date if the incident should declare on specific date.

The lookup tables can be used for checking the day of the week, e.g. Weekend vs. weekday.

HTH

Blenky:

But I keep getting an invalid search query.  I'm trying to use the Event Query to write this query first, but it doesn't seem to like doing a search just based on time.

For example:

Event Date < 06:00 AM
Event Date > 11:00 PM

This is on v4.7 of the SSIM.

lukaszfr:

When you want to use Event Date fields in correlation rules criteria you should do it as MegL wrote. But you cannot use Event Date fields in queries because in that case you should use Time Range section in the Query Wizard window.

Blenky:

You are correct, the method MegL outlined does work for Correlation Rules but DOES NOT work for Event Queries.

While in Event Queries you have the option to select a date/time range, that really doesn't help you do what I need.  As an example, let's say I want to write an event query to give me all the successful log-in events across the last 30 days that happened between 11pm and 6am.  You can't do it.  You can do it each day, but you can't write an event query that gives me ONLY events between 11pm and 6am across multiple days.  It will give you ALL the events between Jan 1, 2010 11:00:00 pm and Jan 9, 2010 06:00:00 am.

When you are developing rules, it is nice to be able to write an Event Query that matches the logic of the rule so that you can compare the results.  In the correlation rule testing tab you can see the number of conclusions, incidents and the total number of events reviewed based on your rule, but you can't actually review the events in time period in question to confirm that it is truly accurate.  If you could write the exact same logic in an Event Query, you could then review the actual events themselves and use that as a confirmation that your rule is triggering as it should.

In the end I got confirmation from the team that handles enhancement requests that this is not currently possible.  They have officially submitted that request for possible future enhancement.

lukaszfr:

Ok, now I understand better what you wanted to do.
You are correct too, there is no way to build a query with the criteria that you wrote. So unfortunately we need to wait for an enhancement of the query features...