I am trying to write a rule in Kibana that alerts when somebody logs in anytime after 7 PM and before 7 AM. I am trying to do this with a "Custom query" because this seems like the easiest approach. I have Elastic Agent on a Windows machine. The logs that I am interested in have the event code "4624". The current query I have is shown below:
event.code : "4624" and @timestamp >= "SomeTime" and @timestamp <= "SomeOtherTime"
The thing that I am having trouble with is the "SomeTime" and "SomeOtherTime" portion. How would I write a query to only look at hours and not worry about the rest? What format would this follow? Also, where can I learn more about how to query effectively so I can write other rules?
In the future, we're looking into facilitating the workflow of creating rules to detect events outside of working hours. But for now, you could accomplish this with runtime fields. For example, you could add a runtime field called office_hours (see below) to your source index and then use this field in the detection rule. If you're using Kibana 8.4+, you can add the runtime field via the UI and use it in your detection rule via the Data View configuration as described here.
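As an added example (not from the reply above or from Elastic's own documentation), this is one way to build the office_hours runtime field and the matching rule query. It assumes office hours of 07:00 to 19:00 in the America/New_York zone and that @timestamp is stored in UTC; the Python function mirrors the Painless script so the hour logic, including the timezone conversion, can be checked before the mapping is applied.

```python
import json
from datetime import datetime
from zoneinfo import ZoneInfo

# Assumptions: office hours run 07:00 (inclusive) to 19:00 (exclusive) in the
# local zone of the monitored hosts. @timestamp is UTC, so comparing the raw
# UTC hour would misclassify logons near the day boundary; convert first.
OFFICE_TZ = "America/New_York"      # assumed zone, adjust for your site
OFFICE_START, OFFICE_END = 7, 19    # 7 AM .. 7 PM


def office_hours(ts_utc: str, tz: str = OFFICE_TZ) -> bool:
    """Reference implementation of the Painless logic below: True when the
    UTC timestamp falls inside local office hours."""
    t = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    hour = t.astimezone(ZoneInfo(tz)).hour
    return OFFICE_START <= hour < OFFICE_END


# The same logic as a boolean runtime field. doc['@timestamp'].value is a
# ZonedDateTime in UTC; withZoneSameInstant converts it to the local zone.
PAINLESS = (
    f"int h = doc['@timestamp'].value"
    f".withZoneSameInstant(ZoneId.of('{OFFICE_TZ}')).getHour(); "
    f"emit(h >= {OFFICE_START} && h < {OFFICE_END});"
)


def runtime_mapping() -> dict:
    """Request body for PUT <your-index>/_mapping (index name is site specific)."""
    return {"runtime": {"office_hours": {"type": "boolean",
                                         "script": {"source": PAINLESS}}}}


# Custom-query detection rule: successful logons (4624) outside office hours.
RULE_QUERY = 'event.code : "4624" and office_hours : false'

if __name__ == "__main__":
    print(json.dumps(runtime_mapping(), indent=2))
    # Constructed sample timestamps (EDT is UTC-4 on these dates).
    for ts in ("2024-03-12T23:30:00Z", "2024-03-12T22:00:00Z"):
        print(ts, "office_hours =", office_hours(ts))
```

The second sample timestamp is 22:00 UTC but 18:00 local, so a rule written against the raw UTC hour would alert on it while the runtime field correctly treats it as an office-hours logon.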