It's not supported inside an alarm, but you can create a correlation rule for that time window and then trigger an alarm for the signature ID of that correlation you've just created.
Thanks for your help.
I have it all set up now.
Since my Signature ID for that type of event wasn't set up prior to yesterday, is there a way to go back a month (for instance) and see if events fired based on that correlated event/alarm, or is it impossible until time lapses? I've been trying to figure that out for the last day or so, unsuccessfully, by seeing if I could use the same criteria for the correlated rule/alarm inside a report query.
I suspect I already know the answer to this....
I was able to recreate what I wanted within a report; however, the only part that is not possible while using "Event Queries" is a custom time format. Is there a way I seem to be missing if I only want the logs over a period of time between the hours of 2200-0500? The custom time choice only allows you to pick time frames from day to day or "past" 10 minutes, 1 day, etc. There doesn't seem to be a between function that Correlated Rules allow you to use.