
Hi everyone, 

I need to migrate a SPL rule to Chronicle, can someone assist how this can be converted to YARA-L?

| eval date=strftime(_time,"%d/%m/%Y")

| eval date_dm=strftime(_time,"%d/%m")

| eval date_wday=strftime(_time, "%w")

The main goal would be to use these new fields in order to be able to search for events in a certain range of hours or days (for example between 2 p.m. and 6 p.m. or on Saturday between 3 p.m. and 8 p.m.).

Thank you in advance for your help.
Best regards

Having more context on the full rule may help, but we have an example rule on our GitHub that assesses day-of-week and times to assess if a user is logging-in off-hours. This likely has all the elements you're looking for: https://github.com/chronicle/detection-rules/blob/ac3cae1b3127be7b5c20831998724aaae0e7cf61/community/okta/okta_user_login_out_of_hours.yaral


If not, let me know and I'd be able to help further.


-mike
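The following is an added illustration of the conversion the question asks about; it is not code from the original thread or from the Chronicle detection-rules repository. It replaces the three SPL `strftime` fields with the YARA-L `timestamp.get_day_of_week` and `timestamp.get_hour` functions and filters on the two windows named in the question (2 p.m. to 6 p.m. on any day, and Saturday 3 p.m. to 8 p.m.). The event filter (`USER_LOGIN` with an `ALLOW` result), the `$userid` grouping and the `"Europe/Berlin"` time zone are assumptions to be replaced with the values of the real rule.

```yaral
rule login_inside_time_window_example {
  meta:
    author = "example, not part of the original thread"
    description = "Illustrative conversion of SPL strftime hour/weekday fields to YARA-L timestamp functions"
    severity = "LOW"

  events:
    // Assumed event filter: replace with the selectors of the real rule.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "ALLOW"
    $login.target.user.userid = $userid

    // SPL: eval date_wday=strftime(_time, "%w")  -> 0 = Sunday ... 6 = Saturday
    // YARA-L: timestamp.get_day_of_week returns 1 = Sunday ... 7 = Saturday,
    // so Saturday is 7 here, not 6. The time zone is an assumed placeholder;
    // without it the functions evaluate the timestamp in UTC, whereas SPL
    // strftime used the Splunk search-time zone.
    $wday = timestamp.get_day_of_week($login.metadata.event_timestamp.seconds, "Europe/Berlin")

    // Hour of day, 0-23, in the same time zone (replaces the "%H" part of the date fields).
    $hour = timestamp.get_hour($login.metadata.event_timestamp.seconds, "Europe/Berlin")

    // Window 1: 14:00 to 17:59 on any day.
    // Window 2: 15:00 to 19:59 on Saturday.
    // Use "<= 18" / "<= 20" instead if the end of the window should be inclusive.
    ($hour >= 14 and $hour < 18) or ($wday = 7 and $hour >= 15 and $hour < 20)

  match:
    $userid over 1h

  outcome:
    // Surface the derived values so analysts can see why the window matched.
    $day_of_week = max($wday)
    $hour_of_day = max($hour)

  condition:
    $login
}
```

The SPL `date` field (`%d/%m/%Y`) has no direct role in the hour/day filter; if it is needed in the detection output, `timestamp.get_date` with the same time zone argument yields the calendar date for the `outcome` section. When testing the rule, check the day-of-week mapping first: the off-by-one between SPL's `%w` (Saturday = 6) and YARA-L's (Saturday = 7) is the most common error in this kind of migration.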

