I came across that Detection Rule, but it seems unusual to me that I cannot specify the "Forbidden Times" somehow. My guess is that auditd has that event that can be triggered, but the thing is that somehow you can control that and set your "forbidden hours".
The query is:
event.module:auditd and event.action:"attempted-log-in-during-unusual-hour-to"
Also, I couldn't find any documentation about that event from auditd.
Thanks in advance