+1
$expiry = re.capture($e.metadata.description, ".*will expire on (\\\\d{4}/\\\\d{2}/\\\\d{2})")
// $expiry = "2025/01/22"
Best answer by alube
There are two functions you can use to create dates via your own input.
timestamp.as_unix_seconds("2025-01-15 00:00:00","UTC")
The output of this is an integer. This allows you to use math operators to compare the event_timestamp.seconds to the converted int above.
Any date prior to the January 15th 2025 timestamp will be a lesser value.
+3There are two functions you can use to create dates via your own input.
timestamp.as_unix_seconds("2025-01-15 00:00:00","UTC")
The output of this is an integer. This allows you to use math operators to compare the event_timestamp.seconds to the converted int above.
Any date prior to the January 15th 2025 timestamp will be a lesser value.
+22Here are a few accompanying blogs that might help based on the syntax links that @alube shared above. The timestamp.diff function also will give you an integer output based on the time unit specified so I provided that option as well. Mathematical operations to calculate the difference between two time values within the outcome section is also another method.
+1Here are a few accompanying blogs that might help based on the syntax links that @alube shared above. The timestamp.diff function also will give you an integer output based on the time unit specified so I provided that option as well. Mathematical operations to calculate the difference between two time values within the outcome section is also another method.
Thank you for the helpful information. However, I encountered an issue while using timestamp.diff in our tenant.
I received the following exception:
parsing: function timestamp.diff not foundI tried using timestamp.diff in various sections of the rule, but the outcome remained the same.
Is timestamp.diff a recent addition? I couldn’t find it mentioned in the Yara-L syntax documentation:
https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax
+22Thank you for the helpful information. However, I encountered an issue while using timestamp.diff in our tenant.
I received the following exception:
parsing: function timestamp.diff not foundI tried using timestamp.diff in various sections of the rule, but the outcome remained the same.
Is timestamp.diff a recent addition? I couldn’t find it mentioned in the Yara-L syntax documentation:
https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax
it is a fairly recent addition and it is possible it may not be turned on within your tenant yet. You may be able to request it by opening a ticket to request it.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.