Help
FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FortiKoala
Staff
Staff

Created on ‎03-01-2019 09:21 AM

Article Id 196246

Technical Note: ZoneFox 3 - EPL documentation - for creating custom rules

Description

EPL documentation - for creating custom rules


Scope

FAQ


Solution

The EPL in ZoneFox uses NEsper, the documentation can be accessed here, chapter 5 covers the EPL.


Some of the rules provided with ZoneFox use EPL, these can be reviewed for examples of code.  E.g the User login out of hours:


select * from pattern [every ae1=ActivityEvent ( NOT User.StartsWith('window manager__dwm', StringComparison.InvariantCultureIgnoreCase), NOT User.StartsWith('nt authority', StringComparison.InvariantCultureIgnoreCase), Activity = 'user logged on', OccurredOn.getDayOfWeek() = DayOfWeek.Saturday OR OccurredOn.getDayOfWeek() = DayOfWeek.Sunday OR OccurredOn.getHourOfDay() >= 22 OR OccurredOn.getHourOfDay() <= 6)]



Labels:
248
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.