I want to monitor the creation of an AD account between 9 a.m. and 5 p.m.

Hi everyone,
I want to create a KQL rule to detect all accounts created outside of working hours.
I used @timestamp but it shows me an error.
What I did, but it didn't work:

event.code: "4726" and (@timestamp>= 09:00 and @timestamp<=17:00)

The error is in the @timestamp part.

Thanks

Hello,

Which part of the UI are you using this KQL query on? The @timestamp values need to respect the accepted timestamp formats.

I am attaching how a sample timestamp will look in Discover. Can you please check how you are ingesting your @timestamp and the value format and try again?

Thanks,
Bhavya

Thank you Bhavya for your response,

I use "Discover" and I want to create a use case that will monitor in the future (or in past logs) any account creation outside the interval from 9 a.m. to 5 p.m., i.e. outside of working hours.
I tested a lot of KQL rules but they didn't work.


This is not possible without changing your data.

When filtering by the timestamp you need to pass the entire date, so you cannot filter just by the hours; you would need to change the filter every day to add the year, month and day.

What you can do is during the parsing of your data create a new field with just the numeric value of the hour, like 09 and 17, and then filter using those values.


@syphax please see @leandrojmp response below. It will also help if you can please post the error screenshot.

@leandrojmp thanks for helping the community.

Thanks,
Bhavya

Hi everyone,

As you can see in the capture, on the left is an extract from a log and on the right my KQL query in Discover.
In the request:
event.code: "556" and @timestamp <= "Apr 12, 2024 @ 21:25:15.650"
I tried all the operators (:, <=, >=) and it still displays an error (to the right of the capture).
@leandrojmp, in what you say here, "What you can do is during the parsing of your data create a new field with just the numeric value of the hour, like 09 and 17, and then filter using those values."
I don't understand it well, but I'm going to find out how I can do it.

The correct way to filter using @timestamp is something like this:

@timestamp >= "2024-04-12T19:25:00.000"

What I mean is that during the parsing of your data you need to extract the value of the hour from your date string and store it on another field, then use this other field to filter.

For example, for a date string like this: Apr 12, 2024 @ 21:25:15.650, you would extract the hour, which is 21, then you could store it on a field named date_hour and filter in kibana like this:

date_hour >= 9 and date_hour <= 17

How you will do that depends on how you are ingesting your data, which tools you are using, etc.

Thank you for your answers.
I will try the idea that @leandrojmp proposed to me and I'm going to develop a parser.