arnieos Hi, you can do that in reporting only.
Go to Reports -> Create Report and fill in all the required details. In the layout section you need to choose either of the below
and in time range specify your time requirements.
Thank you for looking into this. I cannot seem to find that option in the layout section. Do I need to enable it first somewhere?
I have Compliance, Executive Reports, McAfee ADM, DAM, DEM, McAfee Event Reporter. All of those have subcategories and 'Outside of business hours activity' is not there.
You can create a report with the help of normalized ID 806354944/12 in the filter; this normalized ID represents off-hours events.
Initially, search for the events with this normalized ID so you will get an overall idea of what you can include in your report.
kmc, I'm curious why you've added the /12 near the normalization ID 806354944. Can you please detail that?
BTW, I think we should add that the correlation rules for normalization id 806354944 should be modified to reflect the working hours and days.
abanaru, when I was filtering for the off-hours suspicious activity I chose the normalization below normalization; this one gave that ID.
Just to be clear, I have directly given a normalized ID instead of the normalization name.
Did it work well for you?
No, it didn't. The data generated was not the data our client wanted. We just created a report based on normalization that has kind of suspicious activity outside office hours like password reset, account creation, etc. And the report only includes source IP, source user, and total event count.