Rule That Alerts When Logins Are Past a Certain Time

I am trying to write a rule in Kibana that alerts when somebody logs in anytime after 7 PM and before 7 AM. I am trying to do this with a "Custom query" because this seems like the easiest approach. I have Elastic Agent on a Windows machine. The logs that I am interested in have the event code "4624". The current query I have is shown below.

event.code : "4624" and @timestamp >= "SomeTime" and @timestamp <= "SomeOtherTime"

The thing that I am having trouble with is the "SomeTime" and "SomeOtherTime" portion. How would I write a query to only look at hours and not worry about the rest? What format would this follow? Also, where can I learn more about how to query effectively so I can write other rules?

Thanks For the Help,
Jared


Hi @Jared9922,

In the future, we're looking into facilitating the workflow of creating rules to detect events outside of working hours. But for now, you could accomplish this with runtime fields. For example, you could add a runtime field called office_hours (see below) to your source index and then use this field in the detection rule. If you're using Kibana 8.4+, you can add the runtime field via the UI and use it in your detection rule via the Data View configuration as described here.

PUT <source-index>/_mapping
{
  "runtime": {
    "office_hours": {
      "type": "boolean",
      "script": {
        "source": """
          // Hour of day (0-23) taken from @timestamp, which is stored in UTC
          int hour = doc['@timestamp'].value.hour;
          // Outside office hours when the event is before 5 AM or after 5 PM.
          // The two conditions must be OR'ed: "hour < 5 && hour > 17" can never be true.
          boolean office = !(hour < 5 || hour > 17);
          emit(office);
        """
      }
    }
  }
}
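Because @timestamp is stored in UTC, an hour check against it compares UTC hours unless the script converts the time zone first. As an added example (not code from the thread), here is the same after-hours check in Python over constructed 4624 events, using the 7 PM to 7 AM window from the question; the America/New_York zone and the sample events are assumptions.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample of Windows logon events (event.code 4624) as Elastic
# Agent would index them: @timestamp is always stored in UTC.
SAMPLE_EVENTS = [
    {"event.code": "4624", "user.name": "jdoe",  "@timestamp": "2023-03-10T23:30:00Z"},  # 6:30 PM EST
    {"event.code": "4624", "user.name": "jdoe",  "@timestamp": "2023-03-13T23:30:00Z"},  # 7:30 PM EDT
    {"event.code": "4624", "user.name": "svc01", "@timestamp": "2023-03-13T11:15:00Z"},  # 7:15 AM EDT
    {"event.code": "4634", "user.name": "jdoe",  "@timestamp": "2023-03-14T03:00:00Z"},  # logoff, ignored
]


def is_after_hours(ts_utc: str, tz: str, start_hour: int = 19, end_hour: int = 7) -> bool:
    """True when the UTC timestamp falls in the overnight window
    [start_hour, 24) or [0, end_hour) in the given local time zone.
    Defaults are the 7 PM to 7 AM window from the question."""
    # fromisoformat() in Python < 3.11 does not accept a trailing 'Z'
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    local_hour = dt.astimezone(ZoneInfo(tz)).hour
    # The window wraps past midnight, so the two bounds are OR'ed;
    # AND'ing them (as in "hour < 5 && hour > 17") can never match.
    return local_hour >= start_hour or local_hour < end_hour


def after_hours_logons(events, tz):
    """Keep only successful logons (4624) that happened after hours locally."""
    return [e for e in events
            if e["event.code"] == "4624" and is_after_hours(e["@timestamp"], tz)]
```

The first sample event is 23:30 UTC but 18:30 local, so a UTC-only check would flag it while the local-time check does not; the DST change between the first two events shifts the UTC offset by an hour.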
