Question

how to make exception for working hours in secops rules

  • February 9, 2026
  • 1 reply
  • 49 views

bitshock1015

Hello everyone


I am having some difficulties with the SecOps detection rules.
I need to make an exception in the following cases:

- If the account is in the Data Table and the action occurs during business hours, no alert should be generated.
- If the account is not in the Data Table, generate an alarm.
- If the account is not in the Data Table and the action occurs outside business hours, increase the severity.

I tried to draft some conditions, but the values are incorrect.

$score_hours = max(if(timestamp.get_timestamp($win.metadata.event_timestamp.seconds, "%T", "America/Sao_Paulo") = /([8-9]|1[0-8])/ and $win.principal.user.userid in %CCC_WIN_ACCOUNT_CHANGE, 30, 0))
$score_hoursII = max(if(timestamp.get_timestamp($win.metadata.event_timestamp.seconds, "%T", "America/Sao_Paulo") = /([8-9]|1[0-8])/ and not $win.principal.user.userid in %CCC_WIN_ACCOUNT_CHANGE, 20, 50))
$risk_score = $score_hours + $score_hoursII + 30


jstoner
Staff
  • February 9, 2026

As I look at the three case exceptions, I'm not clear what the rule should trigger on in general before applying these three exceptions, so what I am sharing below is probably not the complete answer, but hopefully it will help get you going.


The key items that I want to call out here are in the outcome and condition sections of the rule.

  • To look at just the hour of the day, use the format elements. %T is the entire timestamp, and what you want to use is %H, which is the hour from 0-23.
  • To determine if the user is in the list, I used the $user_in_list outcome variable, which returns a 0 or 1 depending on whether they are in the data table list (my list.field is shown here, so just swap yours in). I will note that, depending on what I want the rule to do, I could just as easily put that data table join in the events section of the rule, and if it doesn't join, we move on with our day, but I assume you still want the rule to trigger in general.
  • With the 1 or 0 value, we can add a clause to the condition section that says the user has to be not 0 for this to trigger. I did this rather than putting the join in events since, again, I am assuming you might want this to trigger anyway.
  • Finally, I have the severity outcome variable that is using a similar 1 or 0 for biz_hours, mainly to highlight that if you wanted to use that elsewhere you could, but a more advanced outcome variable like the scores you wrote would work as well.


rule test_rule {
  meta:
    author = "analyst123"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    // 1 if the user is in the data table column, 0 otherwise (swap in your own table.column)
    $user_in_list = max(if($e.principal.user.userid in %users_probation.userid, 1, 0))
    // %H gives the zero-padded hour (00-23). The regex is anchored so that only
    // 08 through 18 count as business hours; an unanchored ([8-9]|1[0-8]) would
    // also match "19" on its trailing 9.
    $biz_hours = max(if(timestamp.get_timestamp($e.metadata.event_timestamp.seconds, "%H", "GMT") = /^(0[89]|1[0-8])$/, 1, 0))
    // Lower the severity during business hours, raise it outside them
    $severity = if($biz_hours > 0, "medium", "high")

  condition:
    $e and $user_in_list > 0
}

Anyway, this might not answer everything but hopefully gets you going in your intended direction.
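The three cases from the question, combined into one rule, as an added example that is not part of either post above. It reuses the staff reply's pattern (a 0/1 outcome variable for data table membership and another for business hours) and adds a third case to the condition and severity. The event type USER_CREATION, the data table name and column %users_probation.userid, and the America/Sao_Paulo timezone from the question are placeholders; swap in your own. Because the outcome values are aggregated with max over the match window, a window containing both in-hours and out-of-hours events is treated as in-hours, so keep the window short if that distinction matters.

```yaral
rule account_change_exceptions_example {
  meta:
    author = "example"
    description = "Added example: suppress listed accounts during business hours, escalate unlisted accounts after hours"

  events:
    // Assumed event type for account changes; use the one your log source maps to
    $e.metadata.event_type = "USER_CREATION"
    $e.principal.user.userid = $user

  match:
    $user over 10m

  outcome:
    // 1 if the account is in the data table (assumed name and column), else 0
    $in_list = max(if($e.principal.user.userid in %users_probation.userid, 1, 0))

    // 1 if the event hour (zero-padded %H, local to Sao Paulo) is 08-18, else 0.
    // Anchored so that hour 19 is not matched by its trailing 9.
    $biz_hours = max(if(timestamp.get_timestamp($e.metadata.event_timestamp.seconds, "%H", "America/Sao_Paulo") = /^(0[89]|1[0-8])$/, 1, 0))

    // Case 3: not in the table and outside business hours -> higher severity.
    // Everything else that still fires gets the baseline severity.
    $severity = if($in_list = 0 and $biz_hours = 0, "high", "medium")
    $risk_score = max(if($in_list = 0 and $biz_hours = 0, 80, 50))

  condition:
    // Case 1 is the exception: an account that is in the table AND acting during
    // business hours must not alert. Case 2 (not in the table) and a listed
    // account acting after hours both fire.
    $e and not ($in_list = 1 and $biz_hours = 1)
}
```

If you would rather never see listed accounts at all, regardless of time, replace the condition with `$e and $in_list = 0`, which is what the staff rule's `$user_in_list` check does in the opposite direction.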