There is a time attribute condition which you can set as part of the rule logic that defines day of the week and time of the day.
I want to set an alarm if "Total Collection rate per Second" is less than 500 on Mon to Friday from 10 AM to 5 PM, then trigger an alarm. I need guidance on two things:
1) Here I am able to set it only based on baseline, but not on a fixed value. How can I do that?
2) I am not able to see the time attribute. Where can I set it?
Do you have an ACE or correlation engine?
Are you talking about the "Application" variables like "DAY_START", "DAY_END", "HOUR_START" and "HOUR_END"?
I have seen those used in the canned ACE Correlation Rules; as we have operations all over, and on multiple shifts, they are not very useful.
Never tried incorporating those into any of my custom correlation rules.
There are times when we would want to be texted instead of emailed, if it were outside of our normal business hours (for SIEM support team), versus just an email. But that would be something like a Deviation from Baseline, Device Failure, etc., which are alarms that I don't believe can be duplicated into ACE rules. They simply need to add check boxes and time start / stop options to the Alarm action tab if you ask me; sounds like another PER/Idea.
We have a correlation engine.
Mmm. rth67 is correct, there are some system built-in alarms that you can't rewrite in the correlation engine.
Maybe:
1. Configure the variable date/time to your environment.
2. Create a correlation rule with total event count and put the above variable to use.