2 Replies Latest reply on Jun 29, 2016 4:43 AM by acommons

    Correlation rule on a specific day

    uzanatta

      Hi,

      I would like to make a correlation rule specifying only a day or a range of days, e.g. (from December 25th to January 1st).


      How can I make it possible? Is it feasible?


      Thank you,


      Rgds,

        • 1. Re: Correlation rule on a specific day
          minsktractorworks

          I don't think this is possible.

           

          From what I've seen you can only set the "Time of Day" and "Day of Week". You could create a rule and enable it for the date range you need and then disable when not required. Not ideal but I cannot see a way of automatically setting a date range in a correlation rule.

          • 2. Re: Correlation rule on a specific day
            acommons

            This is offered in the spirit of 'brainstorming'. Feel free to hurl things at it...that is what the process is about.

            So...have a scheduled event that can be used to create an alarm that does something (maybe add to a watchlist) that enables the correlation rule. You could turn the rule off using the same mechanism.

             

            I'm not sure if there is anything trivial and internal to ESM that can be both scheduled (yes there are tasks that can be scheduled) and create an event that can be used as a trigger (possibly rule updates??). My preference is for something like a cron job.

             

            This has the advantage of being something that can be scheduled ahead of time but the mechanism needs to be reliable. For example, in the rule update example it might get triggered some other way.

             

            Cheers,
            Andrew
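
The cron-job idea from the last reply, sketched as an added example that is not part of the thread and is not ESM code: a script run daily that works out whether today is inside the December 25th to January 1st window (which crosses the year boundary) and sends one syslog marker when the window opens and one when it closes. It assumes the SIEM receives this host's syslog and that an alarm on the marker adds or removes the watchlist value the correlation rule filters on; the tag, message format and state-file path are made up for the sketch.

```python
# Added example: cron-driven marker for a recurring date window.
# Tag, message text and state-file path are assumptions for this sketch.
import syslog
from datetime import date
from pathlib import Path

WINDOW_START = (12, 25)  # (month, day): December 25th
WINDOW_END = (1, 1)      # (month, day): January 1st, inclusive
STATE_FILE = Path("/var/tmp/corr_window.state")  # hypothetical path


def in_window(today, start=WINDOW_START, end=WINDOW_END):
    """True if today is inside the inclusive window, including year wrap."""
    md = (today.month, today.day)
    if start <= end:
        return start <= md <= end
    return md >= start or md <= end  # window crosses New Year


def transition(today, previous):
    """Return 'OPEN', 'CLOSE' or None, given the last recorded state."""
    current = "open" if in_window(today) else "closed"
    if current == previous:
        return None
    return "OPEN" if current == "open" else "CLOSE"


def run(today=None, state_file=STATE_FILE):
    """Emit one syslog marker per state change and record the new state."""
    today = today or date.today()
    previous = state_file.read_text().strip() if state_file.exists() else "closed"
    action = transition(today, previous)
    if action:
        syslog.openlog("corr-window", facility=syslog.LOG_LOCAL4)
        syslog.syslog(syslog.LOG_NOTICE,
                      f"CORR_WINDOW action={action} date={today.isoformat()}")
        state_file.write_text("open" if action == "OPEN" else "closed")
    return action


if __name__ == "__main__":
    run()  # schedule daily, e.g. from cron shortly after midnight
```

Because the state is recomputed from the calendar on every run, a missed run corrects itself the next day, and the marker cannot be produced by an unrelated trigger such as a rule update.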