Hi all,

I'm building a detection rule in Google Chronicle using metrics.auth_attempts_total to retrieve the first_seen and last_seen values for a user login event. I'm trying to exclude results where these timestamps are defaulted to "1970-01-01 00:00:00", which I understand represents a lack of metric history (i.e., a value of 0).

Here’s what I’m doing:

rule login_with_metric_history {   // rule wrapper added so the fragment parses; the name is a placeholder
  events:
    metadata.event_type = "USER_LOGIN"
    principal.ip = /1.1.1.1/           // was /[1.1.1.1/ : the unclosed "[" is not valid regex
    target.user.userid = /jdoe/        // was /[jdoe/
    $ip = principal.ip                 // match: only accepts placeholders, not raw UDM fields
    $date = timestamp.get_timestamp(metadata.event_timestamp.seconds, "%b %d %H:00")   // assigned but unused
    $logon_outcome = security_result.action
    principal.ip_geo_artifact.network.carrier_name = $IP_Carrier_Name
    principal.location.country_or_region = $IP_Region
    $userid = target.user.userid

  match:
    // the original had no window; 1h is a placeholder, adjust to taste
    $userid, $logon_outcome, $ip, $IP_Carrier_Name, $IP_Region over 1h

  outcome:
    $first_seen = timestamp.get_timestamp(cast.as_int(max(metrics.auth_attempts_total(
        period:1d, window:30d,
        metric:first_seen,
        agg:min,
        target.user.userid: $userid
    ))))

    $last_seen = timestamp.get_timestamp(cast.as_int(max(metrics.auth_attempts_total(
        period:1d, window:30d,
        metric:last_seen,
        agg:max,
        target.user.userid: $userid
    ))))

  condition:
    // YARA-L keywords are lowercase
    $first_seen != "1970-01-01 00:00:00" and $last_seen != "1970-01-01 00:00:00"
}


This works fine, and I can see $first_seen values — including "1970-01-01 00:00:00" — in the outcome: section when I don’t apply any condition.

However, when I try to filter those out using:

condition:
  $first_seen != "1970-01-01 00:00:00"


I get no results, even though I have triggered events recently and expected a proper first_seen timestamp. I also tried filtering using integer comparisons like:

condition:
  cast.as_int($first_seen) > 0


But that also results in no data.

My core questions:

What’s the correct way to filter out the default/epoch timestamp from metrics.auth_attempts_total?

Is comparing to "1970-01-01 00:00:00" reliable?

Should I be comparing integer values before converting to timestamp strings?

Is there a known issue or delay in how metrics are populated for recent events or new users?

Even when triggering fresh login activity, I only get the default epoch value in metrics.

What’s the best practice for checking if first_seen or last_seen is “valid” in Chronicle detections?

Any guidance would be appreciated — I’m trying to build detections that react only when the user has a login history, and ignore cases where the metric is blank/default.

Thanks!
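One variant worth trying for the third question (integer comparison before string conversion) is to keep the raw metric value as an outcome variable and compare that to 0 in the condition, rather than casting the already formatted string back to an integer. The rule below is an added example, not code from the thread and not verified against this poster's tenant; the rule name, the 1h match window and the $e event variable are assumptions, while the metric function and its parameters follow the original post.

```yaral
rule login_history_present {
  // Added example, not from the thread. Rule name, the 1h match window and the
  // $e event variable are assumptions; the metrics call follows the original post.
  meta:
    author = "example"
    description = "Fire only when the user's auth metric history is populated"
    severity = "LOW"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.target.user.userid = $userid

  match:
    $userid over 1h

  outcome:
    // Keep the raw metric as epoch seconds. 0 is the no-history default,
    // so the check is done on the integer, not on a formatted string.
    $first_seen_secs = cast.as_int(max(metrics.auth_attempts_total(
        period:1d, window:30d,
        metric:first_seen,
        agg:min,
        target.user.userid: $userid)))
    $last_seen_secs = cast.as_int(max(metrics.auth_attempts_total(
        period:1d, window:30d,
        metric:last_seen,
        agg:max,
        target.user.userid: $userid)))

  condition:
    // Comparing integers avoids depending on the exact output format of
    // timestamp.get_timestamp; the epoch default (0) is excluded directly.
    $e and $first_seen_secs > 0 and $last_seen_secs > 0
}
```

If a human-readable timestamp is still wanted in the detection output, add a second outcome variable that wraps the same metrics expression in timestamp.get_timestamp, and leave the condition on the integer variables. If the integer variables themselves stay at 0 for users who just logged in, that points at the metric population delay raised in the fourth question rather than at the comparison.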

You should be able to use a filter section in your metrics functions. Below is an example:


$last_seen = timestamp.get_timestamp(cast.as_int(max(metrics.auth_attempts_success(
    period:1d, window:30d,
    metric:last_seen,
    agg:max,
    target.user.userid: $userid,
    filter:timestamp.get_timestamp(cast.as_int(last_seen)) != "1970-01-01 00:00:00"
))))


[removed by moderator] Thank you for your response. Unfortunately, that didn't work for me either.