Documentation Center
AlienVault® USM Appliance™

How to Set Hours for Operation for HIDS Rules

Version: 5.x
Deployment: All deployments

For sites that operate 24 hours a day within a single domain, the following procedure shows how to modify the policy_rules that AlienVault USM Appliance uses to monitor HIDS user logins so that they cover a specific window of operating hours. It applies to events reported by the policy rule shown below, event ID 17101 (login during non-business hours). Follow this procedure to change the time window defined in policy_rules.xml.

  1. Within the web UI, go to Environment > Detection > HIDS and click the EDIT RULES tab.
  2. Click the RULE EDITOR tab.
  3. In the right-hand pane of the RULE EDITOR you can modify the default period of time, 6 – 8:30 am.
  4. You may specify the <time> value in 24-hour or 12-hour format.

Note: For 12-hour format you must specify am or pm, as in the default example 6 pm - 08:30 am.

Below is an example for 24-hour centers whose users may log into hosts running HIDS agents at any time during the 24-hour period.

  <group name="policy_violation,">
    <rule id="17101" level="9">
      <if_group>authentication_success</if_group>
      <!-- 24-hour format covering the whole day; no am/pm suffix is used in this format -->
      <time>00:00 - 24:00</time>
      <description>Successful login during non-business hours.</description>
      <group>login_time,</group>
    </rule>

    <rule id="17102" level="9">
      <if_group>authentication_success</if_group>
      <weekday>weekends</weekday>
      <description>Successful login during weekend.</description>
      <group>login_day,</group>
    </rule>
  </group> <!-- POLICY_RULES -->

Optional: You may also restrict a rule to particular weekdays using the <weekday> </weekday> element. If it is not included in the rule, the rule applies to all 7 days of the week. A default rule (ID 17102 above) alerts on logins during the weekend (Sat:Sun).
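As an added illustration (not AlienVault's or OSSEC's own code), the following Python models how a <time> window in either format is matched against a login time, including the wrap past midnight in the default 6 pm - 8:30 am window and the all-day 00:00 - 24:00 window above. The matching rules are an approximation of the HIDS engine's written here for clarity, and the sample login times are constructed.

```python
import re

# Constructed model of the <time> window syntax discussed on this page.
# It is not OSSEC's parser; it only mirrors the two formats the page
# describes: "hh[:mm] am|pm" (12-hour) and "hh[:mm]" (24-hour).
_PART = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.I)


def _to_minutes(part: str) -> int:
    """Convert one side of a window ('6 pm', '08:30 am', '24:00') to minutes past midnight."""
    m = _PART.match(part)
    if not m:
        raise ValueError(f"bad time: {part!r}")
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if ampm:  # 12-hour format: am/pm is mandatory, hour must be 1-12
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour clock needs 1-12: {part!r}")
        hour = hour % 12 + (12 if ampm.lower() == "pm" else 0)
    elif not 0 <= hour <= 24:  # 24-hour format: 24:00 allowed as end of day
        raise ValueError(f"24-hour clock needs 0-24: {part!r}")
    if minute > 59 or (hour == 24 and minute != 0):
        raise ValueError(f"bad minutes: {part!r}")
    return hour * 60 + minute


def parse_window(window: str) -> tuple[int, int]:
    """Split 'start - end' on the hyphen and return (start_min, end_min)."""
    start, sep, end = window.partition("-")
    if not sep:
        raise ValueError(f"window needs 'start - end': {window!r}")
    return _to_minutes(start), _to_minutes(end)


def in_window(clock: str, window: str) -> bool:
    """True if a login at clock time 'HH:MM' (24-hour) falls inside the window.

    A window whose end is earlier than its start (e.g. '6 pm - 8:30 am')
    wraps past midnight, which is what makes the default rule flag
    overnight logins; '00:00 - 24:00' matches every minute of the day.
    """
    start, end = parse_window(window)
    hh, mm = clock.split(":")
    now = int(hh) * 60 + int(mm)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


if __name__ == "__main__":
    # Constructed sample login times checked against both windows from the page.
    for window in ("6 pm - 8:30 am", "00:00 - 24:00"):
        for clock in ("03:15", "12:00"):
            verdict = "ALERT (rule 17101)" if in_window(clock, window) else "ok"
            print(f"{window!r:>18} login at {clock}: {verdict}")
```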