I’d like to create a rule that matches if the date mentioned in an event field falls within the next 7 days. I’ve noticed various timestamp functions, but I’m not sure how to calculate the timestamp from dates other than those stored in event metadata.

Below is the regex capture of the date available in the event:

$expiry = re.capture($e.metadata.description, ".*will expire on (\\d{4}/\\d{2}/\\d{2})")

// $expiry = "2025/01/22"

I'd appreciate ideas on how to calculate the time diff...

There are two functions you can use to create dates via your own input. 

timestamp.as_unix_seconds("2025-01-15 00:00:00","UTC")

The output of this is an integer. This allows you to use math operators to compare the event_timestamp.seconds to the converted int above.

Any date prior to the January 15th 2025 timestamp will be a lesser value.

You'd have to convert your date to Unix timestamp and use that integer as the first parameter. This returns a String though, so it's less useful in comparison.

Here are a few accompanying blogs that might help, based on the syntax links that @alube shared above. The timestamp.diff function will also give you an integer output based on the time unit specified, so I provided that option as well. Mathematical operations to calculate the difference between two time values within the outcome section are also another method.


https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-What-Difference-Does-It-Make/ba-p/832247


https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Time-Time-Time-See-What-s-Become-of-Me/ba-p/813704
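
To prototype the comparison that the two answers above describe (captured "YYYY/MM/DD" string to Unix seconds, then a 7-day window against event_timestamp.seconds, plus a day-unit difference in the spirit of timestamp.diff), here is an added Python model of that rule logic. It is not YARA-L and not code from any poster; the description strings and the event timestamp are constructed, and the three helper functions only mimic the behaviour of the YARA-L functions they are named after.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Same capture pattern as in the question, written in Python's escaping.
EXPIRY_RE = re.compile(r".*will expire on (\d{4}/\d{2}/\d{2})")
SEVEN_DAYS = 7 * 86400


def capture_expiry(description):
    """Model of re.capture: the first group, or None when there is no match."""
    m = EXPIRY_RE.match(description)
    return m.group(1) if m else None


def as_unix_seconds(date_str, tz="UTC"):
    """Model of timestamp.as_unix_seconds("YYYY-MM-DD HH:MM:SS", tz).

    The captured value is "YYYY/MM/DD" with no time of day, so it is
    normalised to the form the function expects before conversion.
    """
    normalised = date_str.replace("/", "-") + " 00:00:00"
    dt = datetime.strptime(normalised, "%Y-%m-%d %H:%M:%S")
    tzinfo = timezone.utc if tz == "UTC" else ZoneInfo(tz)
    return int(dt.replace(tzinfo=tzinfo).timestamp())


def diff_days(later_seconds, earlier_seconds):
    """Model of timestamp.diff(..., "DAY"): whole days between two instants."""
    return (later_seconds - earlier_seconds) // 86400


def expires_within(description, event_ts_seconds, window=SEVEN_DAYS):
    """Return (matches, expiry_seconds).

    Matches when 0 <= expiry - event_time <= window, so dates that have
    already passed (negative delta) and dates beyond the window do not match.
    """
    expiry = capture_expiry(description)
    if expiry is None:
        return False, None
    expiry_secs = as_unix_seconds(expiry)
    delta = expiry_secs - event_ts_seconds
    return 0 <= delta <= window, expiry_secs


if __name__ == "__main__":
    # Constructed sample: the event was observed at 2025-01-15 00:00:00 UTC.
    event_ts = as_unix_seconds("2025/01/15")
    for desc in ("Certificate web-01 will expire on 2025/01/22",
                 "Certificate web-02 will expire on 2025/01/23",
                 "Certificate web-03 will expire on 2025/01/10"):
        hit, expiry_secs = expires_within(desc, event_ts)
        print(f"{desc!r}: match={hit}, days_left={diff_days(expiry_secs, event_ts)}")
```

The window check is inclusive at both ends, so an expiry exactly 7 days out still matches while one at 8 days does not; adjust the comparison if the rule should treat the boundary differently.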

Thank you for the helpful information. However, I encountered an issue while using timestamp.diff in our tenant.

I received the following exception:

parsing: function timestamp.diff not found

I tried using timestamp.diff in various sections of the rule, but the outcome remained the same.

Is timestamp.diff a recent addition? I couldn’t find it mentioned in the Yara-L syntax documentation:

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax


It is a fairly recent addition and it is possible it may not be turned on within your tenant yet. You may be able to request it by opening a ticket.
