However, when I try to create a rule in Security > Rules to get an alert for authentications during this time (so when office_hours=false), I can't add office_hours in the query, whereas in Discover I can see it and filter data with it.
I also tried to map the field directly (with Dev Tools). I successfully added the field and it is viewable in Discover and usable in the Alert query, but I don't know how to add the script to this request, given that I have an if conditional in my script. Here's my request:
Hi @sirineb, we added support for Data Views (and runtime fields) to 8.4, so you will be able to use the Security Solution rule creation UI to take advantage of runtime fields after adding them in Kibana. More info on that can be found in our docs.
In 8.3, you should be able to add the runtime field mapping directly onto the index via Dev Tools and then use that field during rule creation by following the guidance here. What is the error you're seeing in Dev Tools when trying to index your runtime field?
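The Dev Tools request the reply refers to, written out as an added example that is not part of the original thread or of Elastic's documentation. It maps a boolean runtime field named `office_hours` onto the index with a Painless script that uses an if/else conditional, which is the shape the question asked about. The index name `auth-logs`, the `Europe/Paris` time zone, the 08:00-18:00 Monday-to-Friday window and the `@timestamp` field are assumptions for the example and should be replaced with the real values.

```console
PUT auth-logs/_mapping
{
  "runtime": {
    "office_hours": {
      "type": "boolean",
      "script": {
        "source": """
          // Assumptions for this example: events carry @timestamp, office hours
          // are 08:00-18:00 Monday to Friday in Europe/Paris. Adjust to taste.
          if (doc['@timestamp'].size() > 0) {
            ZonedDateTime ts = doc['@timestamp'].value
                .withZoneSameInstant(ZoneId.of('Europe/Paris'));
            DayOfWeek day = ts.getDayOfWeek();
            int hour = ts.getHour();
            if (day == DayOfWeek.SATURDAY || day == DayOfWeek.SUNDAY) {
              emit(false);
            } else if (hour >= 8 && hour < 18) {
              emit(true);
            } else {
              emit(false);
            }
          }
          // Documents without @timestamp get no value, so office_hours:false
          // will not match them; query "NOT office_hours:true" if you want it to.
        """
      }
    }
  }
}
```

Two caveats worth checking before relying on this in a rule. First, `@timestamp` is stored in UTC, so the `withZoneSameInstant` conversion is what makes "night" mean local night; without it the window silently shifts by the UTC offset. Second, the mapping has to exist on every backing index the rule reads (for data streams and rollover, put it in the index template rather than on a single index), otherwise the field is simply absent on newer indices and the rule stops matching. With the field in place, a Custom query rule such as `event.category:authentication and office_hours:false` (the `event.category` value is the ECS name for authentication events, assumed here) alerts on out-of-hours logins.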
Hi @sirineb, we want to make sure the runtime field is properly being processed and that event timestamps are not a factor in our diagnosis of the issue. To that effect, would you mind re-running the Rule Preview, but this time selecting Last day in the dropdown? Do you see any results then?
But just a question to be sure that I am not going down the wrong path: to make an alert during the night, what would you suggest? I thought about adding a runtime field because it seemed to be the easiest, but maybe there are other and better ways to do it. What would you do in my case?
I looked into the Event Correlation rule type but I don't know if I can use this to do what I want above.
Hi @sirineb, the approach you've taken to create a runtime field to denote working hours seems sound to me. In the future, we're looking into facilitating the workflow of creating rules to detect events outside of working hours. But for now, the runtime field approach should work. Could you make sure that you have events in your source data index that match the query in the "Last day"? The rule preview should help with that. If it doesn't show any results, it most likely means there are no source events matching the query in that timeframe.