Question

timestamp.get_day_of_week() - dynamic timezone

  • May 29, 2026
  • 2 replies
  • 0 views

leodas

Hello,

I am trying to find a way to dynamically fill the timezone in a timestamp function, for example like below:

timestamp.get_day_of_week($timestamp, $user_timezone)

 

But unfortunately, this did not work for me and I got this error: parsing: unknown time zone type: <nil>

Do we have a way to dynamically fill out the timezone in timestamp functions in Google SecOps rules?

Any help will be appreciated!!

Thanks,
Leo

 

2 replies

JeremyLand
Staff
  • Staff
  • May 29, 2026

Unfortunately the timestamp functions won’t accept dynamic timezones. To get around that constraint in the past, I have prepopulated placeholder variables with all my possible user timezones, then used an IF statement in the outcome section to pull the value of the correct placeholder.

Example:
 

events:
$e.metadata.event_type = "USER_LOGIN"
$e.target.user.userid = $user

$graph.graph.metadata.entity_type = "USER"
$graph.graph.entity.user.userid = $user
$graph.graph.entity.user.attribute.labels["offset"] = $offset

$m12_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-12:00")
$m11_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-11:00")
$m10_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-10:00")
$m9_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-09:00")
$m8_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-08:00")
$m7_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-07:00")
$m6_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-06:00")
$m5_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-05:00")
$m4_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-04:00")
$m3_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-03:00")
$m2_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-02:00")
$m1_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"-01:00")
$utc_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"UTC")
$p1_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+01:00")
$p2_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+02:00")
$p3_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+03:00")
$p4_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+04:00")
$p5_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+05:00")
$p6_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+06:00")
$p7_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+07:00")
$p8_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+08:00")
$p9_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+09:00")
$p10_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+10:00")
$p11_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+11:00")
$p12_time = timestamp.get_hour($e.metadata.event_timestamp.seconds ,"+12:00")


match:
$user over 1h

outcome:
$risk_score = 0
$login_hour = max(
if($offset = "-12:00",$m12_time,0) +
if($offset = "-11:00",$m11_time,0) +
if($offset = "-10:00",$m10_time,0) +
if($offset = "-09:00",$m9_time,0) +
if($offset = "-08:00",$m8_time,0) +
if($offset = "-07:00",$m7_time,0) +
if($offset = "-06:00",$m6_time,0) +
if($offset = "-05:00",$m5_time,0) +
if($offset = "-04:00",$m4_time,0) +
if($offset = "-03:00",$m3_time,0) +
if($offset = "-02:00",$m2_time,0) +
if($offset = "-01:00",$m1_time,0) +
if($offset = "00:00",$utc_time,0) +
if($offset = "+01:00",$p1_time,0) +
if($offset = "+02:00",$p2_time,0) +
if($offset = "+03:00",$p3_time,0) +
if($offset = "+04:00",$p4_time,0) +
if($offset = "+05:00",$p5_time,0) +
if($offset = "+06:00",$p6_time,0) +
if($offset = "+07:00",$p7_time,0) +
if($offset = "+08:00",$p8_time,0) +
if($offset = "+09:00",$p9_time,0) +
if($offset = "+10:00",$p10_time,0) +
if($offset = "+11:00",$p11_time,0) +
if($offset = "+12:00",$p12_time,0) +
if($offset = "",99,0)
)

condition:
$e and $graph and ($login_hour < 7 or $login_hour > 18)
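
Added example, not part of the reply above and not Google's code: a Python generator for the per-offset placeholder lines and the matching if() chain of the workaround, so the two lists cannot drift apart when an offset is added. The function names are made up for this example; it assumes offset labels in the same "+HH:MM" form as the rule (with "00:00" mapped to "UTC"), and it does not check whether SecOps accepts a given offset string.

```python
import re

OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def placeholder_name(offset):
    """Map an offset label to a placeholder, e.g. "-09:00" -> "$m9_time"."""
    if offset == "00:00":          # label the rule above pairs with "UTC"
        return "$utc_time"
    m = OFFSET_RE.match(offset)
    if not m or int(m.group(2)) > 14 or int(m.group(3)) > 59:
        raise ValueError(f"unsupported offset label: {offset!r}")
    sign, hours, minutes = m.groups()
    name = ("m" if sign == "-" else "p") + str(int(hours))
    if minutes != "00":            # keep fractional offsets distinct
        name += "_" + minutes
    return f"${name}_time"


def build_fragments(offsets, func="timestamp.get_hour",
                    ts="$e.metadata.event_timestamp.seconds", unset_value=99):
    """Return (events_lines, outcome_expression) as YARA-L text."""
    seen, events, branches = set(), [], []
    for off in offsets:
        name = placeholder_name(off)
        if name in seen:
            raise ValueError(f"duplicate offset label: {off!r}")
        seen.add(name)
        tz = "UTC" if off == "00:00" else off
        events.append(f'{name} = {func}({ts}, "{tz}")')
        branches.append(f'if($offset = "{off}", {name}, 0)')
    # Same fallback as the rule: a user with an empty offset label gets 99.
    branches.append(f'if($offset = "", {unset_value}, 0)')
    outcome = "$login_hour = max(\n    " + " +\n    ".join(branches) + "\n)"
    return "\n".join(events), outcome


def hourly_offsets(lo=-12, hi=12):
    """Whole-hour labels from lo to hi, matching the list in the rule."""
    return ["00:00" if h == 0 else f"{h:+03d}:00" for h in range(lo, hi + 1)]


if __name__ == "__main__":
    events_text, outcome_text = build_fragments(hourly_offsets())
    print(events_text, outcome_text, sep="\n\n")
```

Passing `func="timestamp.get_day_of_week"` produces the same structure for the function named in the question.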

 


leodas
  • Author
  • Bronze 1
  • May 29, 2026

Hi Jeremy,

Thanks for your insights!! That was really helpful 👍