Today we're going to use a time function to calculate the difference between two time values with a focus on the time units. This is a subtle but important difference as compared to a mathematical difference of seconds. This function can be used as you build searches, rules and dashboards in Google SecOps!

Oftentimes, we use mathematical operations to calculate the difference between two timestamps, but there are times we want to calculate the difference in a time unit other than seconds. While timestamp.diff can be used with the time unit of seconds, the differences between a mathematical operation and this function only appear when using it with other time units.

Follow along in this video to see how we can apply timestamp.diff to our searches, rules and dashboards.

timestamp.diff requires start and end dates as well as the time unit. The time unit, if not specified will be seconds. The larger value, the more recent date/time, is first in the arguments. Sometimes users get the time value order mixed up and to mitigate this, using the function math.abs, short for absolute value can mitigate this issue because no one like getting a negative result between two timestamps.

 Check out these additional resources with more information and learning opportunities:

• New to Google SecOps blog series
• Google SecOps Learning Path on Google Cloud Skills Boost
• Google SecOps documentation
• Google Cloud Security Community Events