Hello,
I have just started using Elastic and am trying to create a rule that will alert for role assignment changes in AzureAD out of office hours.
Using @timestamp appears to be the option but I cant seem to have it look at a specific time range eg. 17:00 - 09:00
I am not sure what else you may need but if anyone can assist it would be appreciated.
Thanks,
To my knowledge, there isn't a direct way to limit when a rule runs. However, a work around for this is adding a scheduled snooze to your rule. This way your rule will always run, but only send alerts when the scheduled snooze isn't active. The one downside of this approach is that if something triggers your rule during the "snoozed" period, you won't receive an alert when the "snooze" period ends.
Thanks BenB196, this has done the trick. Appreciated.
No problem. It also looks like Elastic opened a new enhancement to formalize this type of thing as well: [E&C][RAM] [META] Conditional Actions · Issue #152026 · elastic/kibana · GitHub
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.