I have a SIEM use case that requires searching for after-office-hours logins and generating a 1 month report with this filter.
Any advice on how I could filter the hour from @timestamp (or any better approach)?
I found a successful way to do it by adding a new field named hourofday using Painless with the script below.
However, this might not be the approach my management would prefer, as they are afraid that adding a field to the log might compromise the integrity of the logs.
I would appreciate it if anyone could shed some light on:
- Is it possible to filter on the hour of a document so that I could generate a report for after office hours (assume office hours = 9AM to 6PM), and if yes, how could I achieve this?
Also, just a quick query: will the raw logs be modified when I use a Painless script to add a field to documents? We are not supposed to change anything in the raw logs due to the C.I.A rules.
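One way to get the same report without writing anything into the stored documents, as an added example that is not from the original post: declare `hour_of_day` as a runtime field inside the search request itself (Painless, evaluated per hit at query time, available in Elasticsearch 7.11 and later) and filter on it. The field name `hour_of_day`, the `+08:00` report zone and the sample timestamps are assumptions; the local `is_after_hours` check mirrors the script's rule so its 9AM/6PM boundaries can be verified offline.

```python
"""Search-time 'after office hours' filter for Elasticsearch (added example).
A Painless runtime field in the search request derives the hour from @timestamp,
so nothing is written into the stored documents. Assumes UTC @timestamp."""
from datetime import datetime, timedelta, timezone

# Painless runtime-field script: shift the UTC @timestamp into the report zone
# (params.tz, e.g. "+08:00") and emit its hour (0-23), per hit, at query time.
HOUR_SCRIPT = ("emit(doc['@timestamp'].value"
               ".withZoneSameInstant(ZoneId.of(params.tz)).getHour())")


def after_hours_query(start_hour=9, end_hour=18, tz="+00:00", lookback="30d"):
    """Search body: last `lookback`, hour outside [start_hour, end_hour)."""
    return {
        "runtime_mappings": {"hour_of_day": {
            "type": "long",
            "script": {"source": HOUR_SCRIPT, "params": {"tz": tz}}}},
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{lookback}/d", "lt": "now/d"}}},
            {"bool": {"should": [
                {"range": {"hour_of_day": {"lt": start_hour}}},  # before 9AM
                {"range": {"hour_of_day": {"gte": end_hour}}},   # 6PM or later
            ], "minimum_should_match": 1}},
        ]}},
        "fields": ["hour_of_day"],  # return the runtime value for the report
    }


def _fixed_zone(offset):
    """Parse an offset such as '+08:00' into a tzinfo (fixed offsets only)."""
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = (int(p) for p in offset.lstrip("+-").split(":"))
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def is_after_hours(ts_utc_iso, start_hour=9, end_hour=18, tz="+00:00"):
    """Same rule evaluated locally, to sanity-check the script's boundaries."""
    ts = datetime.fromisoformat(ts_utc_iso.replace("Z", "+00:00"))
    hour = ts.astimezone(_fixed_zone(tz)).hour
    return hour < start_hour or hour >= end_hour


# Constructed sample login timestamps (UTC), not real log data; zone +08:00.
SAMPLE_LOGINS = ["2024-03-04T01:02:00Z",  # 09:02 local -> office hours
                 "2024-03-04T10:00:00Z",  # 18:00 local -> after hours
                 "2024-03-04T22:30:00Z"]  # 06:30 local -> after hours

if __name__ == "__main__":
    for ts in SAMPLE_LOGINS:
        print(ts, "after hours" if is_after_hours(ts, tz="+08:00") else "office hours")
```

The returned body is what you would POST to `<index>/_search`; because the hour lives only in `runtime_mappings`, the indexed documents and their raw `message` content are untouched.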