I am trying to configure the rule Policy View/Change so that it will send an email alert only if the rule is fired outside of business hours, not during business hours. I have correctly put the time in the business hours group.
The default rule has, for correlations: PolicyModify.InsertionIP does not equal to PolicyModify.DetectionIP
I am adding all sorts of things after AND to make it not fire during business hours, to no avail. The last thing I tried, and what makes the most sense to me, is this:
PolicyModify.InsertionIP does not equal to PolicyModify.DetectionIP
AND
InternalRuleFired.InsertionTime Does not contain Business Hours.
This still does not work. When I test, I still get the alert even though the change I make to test is performed during business hours.
Does anybody know what I need to add to make it so the rule only alerts if it happens not during business hours? I have multiple rules that are disabled that I would like to enable so that they alert only if they fire after business hours, but I need to make this work before I can enable all the other rules I want.
Thanks