Does anyone here know where to finds the documentation on how to use the timestamp.diff into yara-l? Coz I’m struggling to find it. Thanks
Solved
Timestamp.diff
+7- Bronze 2
Best answer by jstoner
$diff = timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "SECOND")
+14- Bronze 5
Hi @Omskirt,
This is currently a preview Yara-L 2.0 function, however this should help - https://cloud.google.com/chronicle/docs/preview/detection-engine/yara-l-2-0-syntax#timestampdiff
Kind Regards,
Ayman
+23$diff = timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "SECOND")
+7- Bronze 2
$diff = timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "SECOND")
This is much more well explained. Thanks ❤️
+7- Bronze 2
I'm wondering if there’s any way to avoid repeating days. For example, in a span of 10 days, I want to capture more than 7 unique days. Is there a way to ensure that the days are distinct? However, since I used timestamp.diff, I noticed that in 8 days, it seems to count as 3. Can it be adjusted to count the 8 days as one unique result only? Thanks!
+23
I threw these couple ideas into a search, but they could be adapted to a rule so feel free to use whatever makes the most sense. Some of this will depend on what goes into the match section to group the like events together. You could use something like get_timestamp to just get the date and then count that or if you want to calculate a difference, you could use the timestamp.diff function in the events section or depending on your aggregation (group by) in the match section, you could add an aggregation function like count_distinct in the outcome section. There are a few different permutations here, so try them out if you want.
metadata.event_type = "PROCESS_LAUNCH"
$edate = timestamp.get_timestamp(metadata.event_timestamp.seconds, "%F")
$diff1 = math.abs(timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "DAY"))
match:
principal.hostname
outcome:
$num_times = count_distinct($edate)
$edays = array_distinct($edate)
$diff = count_distinct(timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "DAY"))
$diff_calc = count_distinct($diff1)
To bound the number of times seen, you could also do something like this in the rule to say if we see it more than n times include it. Not sure if that helps but figure i would mention it.
condition:
$e and $num_times > 5
+7- Bronze 2
Got it. I understood now. Thanks for this output I am more confident on how to use the timestamp.diff. Thanks for this
+10https://docs.cloud.google.com/chronicle/docs/yara-l/functions
the new URL for the link, but the functino not yet listed any more timestamp.diff
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.