
Is there any documentation for timestamp.now? Much better if you have an example. I am not sure how to use it; I'm a bit confused on that one. Also, if you have any documentation references for new release features in YARA-L, kindly send the link here. Thank you so much.

Hi @Omskirt. You may want to bookmark the SecOps Release Notes page to browse the high-level release notes for each release. In here, you can get more information about Parser updates, changes to UDM fields (like deprecation of existing fields) and more.


timestamp.now is a YARA-L 2.0 function that you can leverage in both Rules and Search.




Aside from that, is there any demo or example on how to use the new features in YARA-L? I am very much looking forward to any references on that, as I sometimes find it confusing when applying the queries.


Here is an example using this function. The function is the same as timestamp.current_seconds()

// Only internal-to-internal connections (10.128.0.0/24) that actually sent data
metadata.event_type = "NETWORK_CONNECTION"
principal.ip = $pip
target.ip = $tip
net.ip_in_range_cidr(principal.ip, "10.128.0.0/24") and net.ip_in_range_cidr(target.ip, "10.128.0.0/24") and network.sent_bytes > 0
match:
$pip, $tip
outcome:
$event_count = count_distinct(metadata.id)
// Both of these return the current time as seconds since the Unix epoch
$current_seconds = timestamp.current_seconds()
$now = timestamp.now()
// Age of the oldest matching event, in whole minutes relative to $now
$max_minutes_since_event = max(timestamp.diff($now, metadata.event_timestamp.seconds, "MINUTE"))
order:
$event_count desc
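To make it concrete what the outcome section above produces, here is an added Python model of the same query (this is illustration code written for this thread, not YARA-L and not Google's own code). It evaluates the filter, the match on principal and target IP, the outcome variables and the ordering over a few constructed UDM-like events. The assumption that timestamp.diff with "MINUTE" floors to whole minutes, the fixed NOW value and the sample events are all mine; the CIDR and field names come from the post.

```python
"""Python model of the YARA-L statistics query from the post (added example).

Not YARA-L and not Google's code: it reproduces the filter / match / outcome /
order semantics over constructed events so the values of timestamp.now(),
timestamp.current_seconds() and timestamp.diff(..., "MINUTE") can be inspected
offline.
"""
import ipaddress
import time
from collections import defaultdict

INTERNAL_CIDR = ipaddress.ip_network("10.128.0.0/24")  # CIDR used in the post


def ip_in_range_cidr(ip: str, cidr: ipaddress.IPv4Network) -> bool:
    """Model of net.ip_in_range_cidr(ip, cidr)."""
    return ipaddress.ip_address(ip) in cidr


def timestamp_now() -> int:
    """Model of timestamp.now() / timestamp.current_seconds():
    seconds since the Unix epoch at evaluation time (identical, per the thread)."""
    return int(time.time())


def timestamp_diff_minutes(later: int, earlier: int) -> int:
    """Model of timestamp.diff(later, earlier, "MINUTE").
    Assumption: the difference is floored to whole minutes."""
    return (later - earlier) // 60


def run_query(events, now):
    """Filter events, group by ($pip, $tip), compute the outcome variables
    and return rows ordered by $event_count desc."""
    groups = defaultdict(list)
    for ev in events:
        if ev["metadata.event_type"] != "NETWORK_CONNECTION":
            continue
        pip, tip = ev["principal.ip"], ev["target.ip"]
        if not (ip_in_range_cidr(pip, INTERNAL_CIDR)
                and ip_in_range_cidr(tip, INTERNAL_CIDR)):
            continue
        if ev["network.sent_bytes"] <= 0:
            continue
        groups[(pip, tip)].append(ev)

    rows = []
    for (pip, tip), evs in groups.items():
        rows.append({
            "principal.ip": pip,
            "target.ip": tip,
            # count_distinct(metadata.id): duplicate ids count once
            "event_count": len({e["metadata.id"] for e in evs}),
            "current_seconds": now,
            "now": now,
            "max_minutes_since_event": max(
                timestamp_diff_minutes(now, e["metadata.event_timestamp.seconds"])
                for e in evs),
        })
    rows.sort(key=lambda r: r["event_count"], reverse=True)
    return rows


# Constructed sample events (not real telemetry). NOW is pinned so the result
# is deterministic; a live evaluation would call timestamp_now() instead.
NOW = 1_700_000_000


def _ev(eid, etype, pip, tip, sent, age_min):
    return {"metadata.id": eid, "metadata.event_type": etype,
            "principal.ip": pip, "target.ip": tip,
            "network.sent_bytes": sent,
            "metadata.event_timestamp.seconds": NOW - age_min * 60}


SAMPLE_EVENTS = [
    _ev("e1", "NETWORK_CONNECTION", "10.128.0.5", "10.128.0.10", 512, 5),
    _ev("e2", "NETWORK_CONNECTION", "10.128.0.5", "10.128.0.10", 1024, 90),
    _ev("e2", "NETWORK_CONNECTION", "10.128.0.5", "10.128.0.10", 1024, 90),  # same id seen twice
    _ev("e3", "NETWORK_CONNECTION", "10.128.0.7", "10.128.0.10", 0, 2),      # no bytes sent: filtered
    _ev("e4", "NETWORK_CONNECTION", "10.128.0.7", "8.8.8.8", 300, 1),        # target not internal: filtered
    _ev("e5", "NETWORK_CONNECTION", "10.128.0.7", "10.128.0.20", 100, 30),
    _ev("e6", "PROCESS_LAUNCH", "10.128.0.7", "10.128.0.20", 100, 1),        # wrong event type: filtered
]

if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS, NOW):
        print(row)
```

Running it yields two rows: the 10.128.0.5 to 10.128.0.10 pair first (two distinct ids, oldest event 90 minutes old), then 10.128.0.7 to 10.128.0.20 (one id, 30 minutes old); `now` and `current_seconds` carry the same value in every row, which is the point made later in the thread about the two functions being identical.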




Oh, got it. But what's the value of this timestamp.now compared to current seconds? Or are they just the same? Nothing more? Thanks


As far as I know they are identical... you can obviously use it nested with other functions. I think now() may be a better understood term across Google SQL and other database functions that some users are familiar with...




I see, thanks for letting me know this. Much clearer now. 




@Omskirt - The functions with examples are documented here - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#functions_2

