For sites that operate 24 hours within a single domain, the following procedure modifies policy_rules.xml to change the window of operating hours that AlienVault USM Appliance uses when monitoring HIDS user logins. It applies to events reported under the policy rule shown below, "event ID 17101 login during non-business hours". Follow this procedure to modify the time window defined in policy_rules.xml.
- Within the web UI, go to Environment > Detection > HIDS and click the EDIT RULES tab.
- Click the RULE EDITOR tab and open policy_rules.xml.
- You may specify a <time> in 24-hour or 12-hour format.
Note: For 12-hour format you must specify am or pm, as in the default example 6 pm - 08:30 am. Do not append am or pm to a 24-hour value.
Below is an example for 24-hour centers whose users may log in to hosts running HIDS agents at any time during the 24-hour period.
<group name="policy_violation,">
  <rule id="17101" level="9">
    <if_group>authentication_success</if_group>
    <!-- 24-hour format: no am/pm suffix -->
    <time>00:00 - 24:00</time>
    <description>Successful login during non-business hours.</description>
    <group>login_time,</group>
  </rule>

  <rule id="17102" level="9">
    <if_group>authentication_success</if_group>
    <!-- Restricts the rule to Saturday and Sunday -->
    <weekday>weekends</weekday>
    <description>Successful login during weekend.</description>
    <group>login_day,</group>
  </rule>
</group> <!-- POLICY_RULES -->
Optional: You may also restrict a rule to particular days using <weekday> </weekday>. If the element is not included in the rule, the rule applies to all 7 days of the week. A default rule (17102) alerts on logins during the weekend (Saturday and Sunday).
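The following is an added example, not the rule file shipped with the appliance or with OSSEC, showing <time> and <weekday> combined in one rule so that both the day and the hour must match before the alert fires. The operating hours are assumed for illustration: 06:00 to 22:00 on weekdays and 8 am to 6 pm at weekends. Rule 17101 uses the 24-hour format and rule 17102 the 12-hour format with the required am/pm suffix; the rule IDs, levels and group names are the same as the defaults above.

```xml
<group name="policy_violation,">
  <!-- Added example (assumed hours, not the appliance default). -->

  <!-- Weekday logins outside the assumed 06:00-22:00 operating window.
       24-hour format: hh:mm-hh:mm, no am/pm suffix. -->
  <rule id="17101" level="9">
    <if_group>authentication_success</if_group>
    <weekday>weekdays</weekday>
    <time>22:00-06:00</time>
    <description>Successful weekday login outside 06:00-22:00.</description>
    <group>login_time,</group>
  </rule>

  <!-- Weekend logins outside the assumed 8 am - 6 pm window.
       12-hour format: am/pm is mandatory on both ends of the range. -->
  <rule id="17102" level="9">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <time>6 pm - 8:00 am</time>
    <description>Successful weekend login outside 8 am - 6 pm.</description>
    <group>login_day,</group>
  </rule>
</group> <!-- POLICY_RULES -->
```

Because rule 17102 now carries a <time> element, a weekend login at noon no longer raises an alert; without the element it would match any weekend login, as the default rule does. After saving the file in the RULE EDITOR, restart HIDS so the modified rules are loaded, and confirm the change by checking that a test login inside the window produces no 17101/17102 event while one outside it does.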