Convert a time to IST in YARA L

Question

rule linux_user_account_created {

meta:

author = "ABC"

description = "User created"

severity = "Low"

priority = "Low"

events:

$e.metadata.vendor_name = "Linux"

$e.metadata.product_name = "AuditD"

$e.metadata.description = /new user/ nocase

$e.principal.user.userid = $user

$e.principal.hostname = $srcHost

match:

$user over 1m

outcome:

$risk_score = max(20)

$alertDescription = array_distinct(strings.concat("'A new user '", $user , "' was created on the linux server with the hostname'", $srcHost))

condition:

$e

}

So I have this field called,
metadata.event_timestamp"2024-10-05T10:15:18Z"
I want to convert this timestamp into IST (preferably in DD/MM/YYYY h:m:s format) and use it in the alertDescription variable. How am I supposed to do it?

Best answer by AymanC

Hi @anurag.q.singh

You can use the 'timestamp.get_timestamp' function [1] to achieve this.

[1] - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#timestampget_timestamp

Kind Regards,

Ayman C

AymanC · Accepted Answer

Hi @anurag.q.singh

You can use the 'timestamp.get_timestamp' function [1] to achieve this.

[1] - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#timestampget_timestamp

Kind Regards,

Ayman C

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded