This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Getting to Know Google SecOps: Time Functions: Formatting a Timestamp The Way You Want It

on ‎11-13-2024 08:00 AM

jstoner
Staff
3 0 357

Working with and viewing timestamps can be a drag, particularly if you want to work with something other than Year-Month-Day Hours:Minutes:Seconds. Well guess what? Using the timestamp.get_timestamp function will allow you to format timestamp values in formats that you want to use! Let's take a look how this function can be used as you build searches and rules in Google SecOps!

Time Function - get_timestamp.png

The timestamp.get_timestamp function, without any arguments will output the timestamp in the form year-month-day followed by a space and the hours, minutes and seconds. But if you would like a different format for the date or just a portion of the timestamp, this function can provide this flexibility.

The format elements align with Google SQL for BigQuery and are enclosed in quotes.The default is %F %T where %F handles the date portion and the %T is the time portion. Because we can use these different format elements with the function, we can easily isolate the month, day or even day of the week, all with this function. Different format elements that can be mixed and matched together for greater flexiblity.

Follow along in this video to see how we can apply timestamp.get_timestamp to our searches and rules. 

timestamp.get_timestamp provides the ability to take a timestamp, extract portions of the date or time as well as change the formatting for display purposes to more easily work with datasets when hunting, building detections or developing reporting. This function accepts up to three arguments, the field or variable with the timestamp, the format we want the timestamp to appear in and the timezone. The timezone is always optional and will default to GMT. If you prefer a format other than the default, select the desired format elements and enclose them in quotes!

Finally, remember that portions of the timestamp can be extracted to variables that can then be used in searches or rules, either to aggregate data, output as an outcome variable or perhaps use as a condition in a rule. timestamp.get_timestamp provides a great deal of flexibility and can be applied to your hunts and investigations!

Time Function - get_timestamp (1).png

Check out these additional resources with more information and learning opportunities:

 
Topic Labels
Contributors
Version history
Last update:
‎11-12-2024 11:11 AM
Updated by: