Use time range matching

Time range matching makes it possible to write rules that specify days of the week and hour/minute ranges as part of the rule matching criteria. This is useful, for example, when filtering out an activity that is considered acceptable during business hours but highly suspicious outside of them. Time range matching is performed using the timematch function, which has the following signature:

bool timematch(uint64 timestamp, uint32 day_mask, time_range range)

where timestamp is the 64-bit timestamp attribute from an event, day_mask is a bitmask indicating days of the week, and range is an hour/minute time range. The range value is built using the timerange operator, which has the following signature:

timerange(string start_time, string end_time)

where start_time and end_time are specified as strings in the format "HH:MM". The start_time must be earlier than the end_time. When matching against a time range, the start_time is treated as inclusive and the end_time as exclusive. So,

timerange("07:00", "07:30")

specifies any time greater than or equal to 7:00:00 AM and less than 7:30:00 AM. Hours are specified in 24-hour format, and valid hour values for a range are 00 through 24. The pseudo-hour "24:00" is allowed as an end_time so that a range can extend through the end of the day; because the end is exclusive, such a range matches every event that occurs before midnight.

Time range matching is relative to the day and hour/minute on the endpoint where the rules are executed and not to the server from where the rules are being pushed.

Example rules:

uint32 weekday = MON | TUES | WEDS | THURS | FRI;
uint32 weekend = SAT | SUN;

temp bool bRemovableMediaUsage = false;
temp bool bNonWorkHours = false;

set { bNonWorkHours = TRUE; } when
    timematch(CurrentEventTimestamp(), weekday, timerange("17:30", "24:00")) or
    timematch(CurrentEventTimestamp(), weekday, timerange("00:00", "07:00"));

set { bRemovableMediaUsage = TRUE; } when event.type == media;

alert when bNonWorkHours and bRemovableMediaUsage;

The first rule sets a temporary variable when the timestamp of the event currently being processed falls on a weekday between 17:30 and 24:00 or between 00:00 and 07:00 (the weekend mask is declared but not used by these rules). The second rule sets a temporary variable to indicate that a removable media insertion or removal has occurred. The third rule alerts when both temporary variables are true.
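The following Python model is an added example, not code from the product or the rule engine described above. It implements the timematch and timerange semantics described on this page (inclusive start, exclusive end, the "24:00" pseudo-hour, a day-of-week bitmask, and evaluation in the endpoint's local time rather than the server's) and then evaluates the three example rules against a few constructed events. The bit values assigned to MON..SUN, the assumption that the 64-bit timestamp is seconds since the Unix epoch, the fixed UTC-5 endpoint time zone, and the event dictionaries are all assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Assumed bit layout for the day mask (the page does not specify the values).
# Bit i corresponds to Python's datetime.weekday(), where Monday == 0.
MON, TUES, WEDS, THURS, FRI, SAT, SUN = (1 << i for i in range(7))
WEEKDAY = MON | TUES | WEDS | THURS | FRI
WEEKEND = SAT | SUN

# Assumed endpoint local time zone (constructed, fixed offset so no tzdata is needed).
ENDPOINT_TZ = timezone(timedelta(hours=-5))


def _parse_hhmm(text, allow_24=False):
    """Parse "HH:MM" into minutes since midnight; "24:00" is only valid as an end time."""
    hours, minutes = text.split(":")
    h, m = int(hours), int(minutes)
    if allow_24 and h == 24 and m == 0:
        return 24 * 60
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"invalid time {text!r}")
    return h * 60 + m


def timerange(start_time, end_time):
    """Model of the timerange operator: returns (start_minutes, end_minutes)."""
    start = _parse_hhmm(start_time)
    end = _parse_hhmm(end_time, allow_24=True)
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    return start, end


def timematch(timestamp, day_mask, time_range, tz=ENDPOINT_TZ):
    """Model of timematch(uint64 timestamp, uint32 day_mask, time_range range).

    timestamp is assumed to be seconds since the Unix epoch; the day and
    hour/minute are taken in the endpoint's local zone (tz), which is why a
    server in another zone could reach a different verdict for the same event.
    """
    local = datetime.fromtimestamp(int(timestamp), tz)
    day_bit = 1 << local.weekday()
    minute_of_day = local.hour * 60 + local.minute
    start, end = time_range
    return bool(day_mask & day_bit) and start <= minute_of_day < end


def local_ts(year, month, day, hour, minute, second=0, tz=ENDPOINT_TZ):
    """Build a constructed event timestamp from an endpoint-local wall-clock time."""
    return int(datetime(year, month, day, hour, minute, second, tzinfo=tz).timestamp())


def evaluate_rules(event):
    """Evaluate the page's three example rules for one event; True means 'alert'."""
    ts = event["timestamp"]  # stands in for CurrentEventTimestamp()
    # set { bNonWorkHours = TRUE; } when ... or ...;
    b_non_work_hours = (
        timematch(ts, WEEKDAY, timerange("17:30", "24:00"))
        or timematch(ts, WEEKDAY, timerange("00:00", "07:00"))
    )
    # set { bRemovableMediaUsage = TRUE; } when event.type == media;
    b_removable_media_usage = event["type"] == "media"
    # alert when bNonWorkHours and bRemovableMediaUsage;
    return b_non_work_hours and b_removable_media_usage


if __name__ == "__main__":
    # Constructed events: 2024-01-10 is a Wednesday, 2024-01-13 a Saturday.
    samples = [
        ("Wed 18:00 media", {"timestamp": local_ts(2024, 1, 10, 18, 0), "type": "media"}),
        ("Wed 10:00 media", {"timestamp": local_ts(2024, 1, 10, 10, 0), "type": "media"}),
        ("Wed 18:00 process", {"timestamp": local_ts(2024, 1, 10, 18, 0), "type": "process"}),
        ("Sat 18:00 media", {"timestamp": local_ts(2024, 1, 13, 18, 0), "type": "media"}),
    ]
    for label, event in samples:
        print(f"{label}: alert={evaluate_rules(event)}")
```

The 17:30 and 07:00 boundaries behave as the page describes: an event at exactly 17:30 matches the evening range, while one at exactly 07:00 falls outside the morning range. The Saturday sample does not alert because the rules use the weekday mask only. Passing a different tz to timematch shows the local-time point: an event at 06:30 on the UTC-5 endpoint is 11:30 UTC, so a server evaluating in UTC would not consider it within 00:00 to 07:00.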