3 Replies Latest reply on Nov 29, 2016 6:31 PM by hegemon76

    Non-Working Hour Alarm

    hegemon76

      Hello,

      I'm wondering if there's a way to set an alarm for a specific period of time?

      More specifically, I'm utilizing a watchlist for admin accounts associated with Windows servers and workstations. I want to make an alarm for non-working hour logins (10PM to 5AM) but I do not see this feature within the alarm creation process. Does it exist?

      Regards,

      Tim

        • 1. Re: Non-Working Hour Alarm
          abanaru

          It's not supported inside an alarm but you can create a correlation rule for that time window and then trigger an alarm for the signature ID of that correlation you've just created.

          • 2. Re: Non-Working Hour Alarm
            hegemon76

            Thanks for your help.

            I have it all set up now.

            Related question.....

            Since my Signature ID for that type of event wasn't set up prior to yesterday, is there a way to go back a month (for instance) and see if events fired based on that correlated event/alarm, or is it impossible until time lapses? I've been trying to figure that out for the last day or so, unsuccessfully, by seeing if I could use the same criteria for the correlated rule/alarm inside a report query.

            I suspect I already know the answer to this....

            Regards,

            Tim

            • 3. Re: Non-Working Hour Alarm
              hegemon76

              I was able to recreate what I wanted within a report; however, the only part that is not possible while using "Event Queries" is a custom time format. Is there a way I seem to be missing if I only want the logs over a period of time between the hours of 2200-0500? The custom time choice only allows you to pick time frames from day to day or "past" 10 minutes, 1 day, etc. There doesn't seem to be a between function like the one Correlated Rules allow you to use.

              Regards,

              Tim
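The 2200-0500 filter asked about in the thread, as an added example that is not part of the original posts and is not a feature of the SIEM: it applies the time-of-day window and the admin watchlist to events that have already been exported. The CSV column names, account names and sample rows are constructed assumptions, and timestamps are assumed to be in local time.

```python
import csv
import io
from datetime import datetime, time

# Constructed watchlist and constructed event export; the column names
# (timestamp, user, host) are assumptions, not a real SIEM export schema.
ADMIN_WATCHLIST = {"adm-tim", "adm-backup"}
SAMPLE_CSV = """timestamp,user,host
2016-11-28 21:59:59,adm-tim,SRV01
2016-11-28 22:00:00,adm-tim,SRV01
2016-11-29 03:15:42,ADM-BACKUP,WKS07
2016-11-29 04:59:59,jsmith,WKS07
2016-11-29 05:00:00,adm-tim,SRV02
2016-11-29 13:30:00,adm-backup,SRV02
"""

def in_window(t, start, end):
    """True if time-of-day t is in [start, end), including windows that cross midnight."""
    if start <= end:
        return start <= t < end
    # A window such as 22:00-05:00 wraps past midnight, so it is the union
    # of [start, 24:00) and [00:00, end) rather than a single range.
    return t >= start or t < end

def off_hours_admin_logins(csv_text, watchlist, start=time(22, 0), end=time(5, 0)):
    """Return (timestamp, user, host) for watchlisted logins inside the window."""
    wanted = {u.lower() for u in watchlist}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        user = row["user"].strip().lower()  # Windows account names are case-insensitive
        if user in wanted and in_window(ts.time(), start, end):
            hits.append((ts, user, row["host"]))
    return hits

if __name__ == "__main__":
    for ts, user, host in off_hours_admin_logins(SAMPLE_CSV, ADMIN_WATCHLIST):
        print(ts.isoformat(sep=" "), user, host)
```

The midnight wrap is the part a plain "between" comparison gets wrong: with start later than end, the two halves of the window have to be combined with OR, not AND.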