Technical Note: ZoneFox 3 - EPL documentation - for creating custom rules

FAQ

The EPL in ZoneFox uses NEsper, the documentation can be accessed here, chapter 5 covers the EPL.

Some of the rules provided with ZoneFox use EPL, these can be reviewed for examples of code.  E.g the User login out of hours:

select * from pattern [every ae1=ActivityEvent ( NOT User.StartsWith('window manager__dwm', StringComparison.InvariantCultureIgnoreCase), NOT User.StartsWith('nt authority', StringComparison.InvariantCultureIgnoreCase), Activity = 'user logged on', OccurredOn.getDayOfWeek() = DayOfWeek.Saturday OR OccurredOn.getDayOfWeek() = DayOfWeek.Sunday OR OccurredOn.getHourOfDay() >= 22 OR OccurredOn.getHourOfDay() <= 6)]