UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

Alert to ignore in a particular time frame

Hello Team,

Is there any way in the arcsight,so that a rule should not trigger for a particular time frame.

for example :

i have integrated a sql server and whenever someone taking backup of sql server we need inform to the customer except defined time windows.

there is schedule backup which run everyday on a particular time like 2-6 Am. now we dont want any alert should trigger between this time (2-6 am) frame. is it possible ???



Labels (1)
1 Reply
Fleet Admiral
Fleet Admiral

Time based rules you say? Easy....

So I have taken a copy of the standard ArcSight User Login rule and customized it for this test purposes. Basically its easy for me to login and logout and generate the relevant events for this. So the rule looks like this:

Capture 1.PNG

Firstly, ignore the File Name = demo part - this is just to trap for the specific username that I want to trigger the rule on and prevent it form getting triggered by my default user that I am logged in as. For some reason the internal audit events use fileName as the field that we use for putting the username for a login event!

But you can see the currentHour section - this is a local variable. So click the local variable tab and we can see the local variable that I have defined:

Capture 2.PNG

Just click add, select the Timezone group and then select the GetHour function - give the variable a name, in this case its currentHour. Also, make sure you select which field you want to get the timestamp from. For me, I want to do this on the endTime - so the time that the event is generated.

Capture 3.PNG

If you want, you can test this and press the calculate button to see what the value is. In my case its a 24 hour clock and in this case, I would get a value of 17 in the hour.

When you create a local variable, it will be available for use in the rule instantly. So go to the bottom of the rule fields and you will see it there:

Capture 5.PNG

Just put the data in the field as you would in a normal rule. Make sure you get the correct > and < in use of course.

So I applied the rule changes and generated the event for the login. I can then see the event correlated here:

Capture 4.PNG

Should the login occur out of the time range that I have defined - the rule wont get triggered. So if you see above, you can see its between 14:00 and 20:00 - so adjust for your particular requirement. However, you can use < and > for this, but you will not that in the rule there will be a Between option - just put the numbers in with a , between them - this is how you use Betweens!

Simple as that. Easy.....

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.