Rule based on the @timestamp field

Hello,

I want to create a rule to detect any connection attempt between 7pm and 7am the next day. But unfortunately I am obliged to put the whole date (year, month, day, hour, minute and second) which obliges me to modify my rule each day by changing the date.
Here is the rule I have:
event.code : ("4624" or "4625") and @timestamp >= 2023-05-23T19:00:00.000 and @timestamp <= 2023-05-24T07:00:00.000
The rule I want:
event.code : ("4624" or "4625") and @timestamp >= 19:00:00.000 and @timestamp <= 07:00:00.000

Does anyone have an idea please?
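
The overnight window asked about above, as an added example that is not part of the original post and is not Elastic rule syntax: a window that crosses midnight has to be tested on the time of day alone, as "at or after 19:00 OR at or before 07:00", after converting the UTC `@timestamp` to local time. The UTC+2 offset, the sample events and the function names are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

LOGON_CODES = {"4624", "4625"}      # event codes from the post
WINDOW_START = time(19, 0)          # 7pm local time
WINDOW_END = time(7, 0)             # 7am local time, next day
# Assumption: analysts work in UTC+2. A fixed offset ignores DST;
# a named zone (zoneinfo) would follow it.
LOCAL_TZ = timezone(timedelta(hours=2))

def in_window(t, start=WINDOW_START, end=WINDOW_END):
    """True if time-of-day t is inside [start, end], wrapping past midnight."""
    if start <= end:                # same-day window, e.g. 09:00-17:00
        return start <= t <= end
    return t >= start or t <= end   # overnight window: OR, not AND

def parse_ts(ts):
    """Parse an ISO 8601 @timestamp; Elasticsearch stores it in UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def off_hours_logons(events, tz=LOCAL_TZ):
    """Return logon events whose local time of day is in the window."""
    hits = []
    for ev in events:
        if ev["event.code"] not in LOGON_CODES:
            continue
        local = parse_ts(ev["@timestamp"]).astimezone(tz)
        if in_window(local.time()):
            hits.append(ev)
    return hits

# Constructed sample events (not real logs); timestamps are UTC.
SAMPLE_EVENTS = [
    {"id": 1, "event.code": "4625", "@timestamp": "2023-05-23T17:30:00.000Z"},  # 19:30 local
    {"id": 2, "event.code": "4624", "@timestamp": "2023-05-23T22:15:00.000Z"},  # 00:15 local
    {"id": 3, "event.code": "4624", "@timestamp": "2023-05-24T04:59:59.000Z"},  # 06:59 local
    {"id": 4, "event.code": "4624", "@timestamp": "2023-05-24T05:30:00.000Z"},  # 07:30 local
    {"id": 5, "event.code": "4625", "@timestamp": "2023-05-23T12:00:00.000Z"},  # 14:00 local
    {"id": 6, "event.code": "4634", "@timestamp": "2023-05-23T20:00:00.000Z"},  # not a logon code
]

if __name__ == "__main__":
    for ev in off_hours_logons(SAMPLE_EVENTS):
        print(ev["id"], ev["event.code"], ev["@timestamp"])
```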
