How to put query to trigger alert if user account has logged in during off business hours?
Here is second part to the same question
How to use lookup if there are multiple locations with different business hours ?
@gcusello @renjith_nair @emile194
Hi @berzerk,
it depends on the timezone configuration you adopted:
you could use the local time (eventually converting from _time knowing the user location) and so the business hours are the same.
If instead you converted all the timestamps in your user time, you have to create a new field from _time to use for the check, but the approach is the same.
Ciao.
Giuseppe
Hi @berzerk,
when you say off business hours are you speaking of hours outside 8.00 - 17.00 (or a different hours) in Monday-Friday but always the same in every day, in other words without considering holydays or are you speaking also about holydays?
in the first case it isn't so complicate: you have to create a search on the login conditions (e.g. in Windows EvenCode=4624) adding the off business hours: something like this:
index=wineventlog EventCode=4624 ((date_wday IN ("saturday","sunday")) OR (date_hour>17 OR date_hour<8))
If instead you have to manage also holydays, you have to create a lookup (to manage) containing all the holydays of the year (called e.g. "holydays.csv") containing at least one column:
date
2022-01-01
2022-04-18
2022-12-25
2022-12-26
then you have to add this check to the previous search:
index=wineventlog EventCode=4624
| eval date=strftime(_time,"%Y-%m-%d")
| search [ | inputlookup holydays.csv | search type=1 | fields date ]) OR date_wday IN ("saturday","sunday") OR (date_hour>17 OR date_hour<8)
In both the situations, the main problem is to identify the login conditions (e.g. for Windows EventCode=4624).
To do this I hint to create an eventtype for each kind of log (e.g. one for Windows, one for linux, etc...) adding to all of them a tag (e.g. "LOGIN"), then you can use it in your search.
Ciao.
Giuseppe
Hi @berzerk,
if this answer solves your need, please accept it for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
For others, what I did was I created a lookup table with hour and value. So from the payload hour field was already extracted and being compared to the lookup table with hours define for off business in column Tag.
The query to put using lookup after extracting the message
| lookup offbusinesshours.csv Time as Tag_hour output Value as Value
| where isnull(Value)
Hi Ranjith,
To define off business hours what query can we put in search? Also, I have the search for the logged events just request you to help me with the command how to define the off business hours
Thanks
It would be really helpful if you could provide more details like sample events etc to formulate a search.
In general
For e.g. if you are off business hours are between 6PM to 8AM, then select the time range between these time limit and search for the logged in events