This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Calculating days until date in Yara-L Rule

Posted on 12-25-2024 08:45 PM
fbaumgar
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM
I’d like to create a rule that matches if the date mentioned in an event field falls within the next 7 days. I’ve noticed various timestamp functions, but I’m not sure how to calculate the timestamp from dates other than those stored in event metadata.
 
Below is the regex capture of the date available in the event:

 

 

 $expiry = re.capture($e.metadata.description, ".*will expire on (\\d{4}/\\d{2}/\\d{2})")

//  $expiry = "2025/01/22"

 

 

Appreciate ideas how to calculate the time diff... 
Solved Solved
0 4 270
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
alube
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

There are two functions you can use to create dates via your own input. 

 

 

timestamp.as_unix_seconds("2025-01-15 00:00:00","UTC")

 

The output of this is an integer. This allows you to use math operators to compare the event_timestamp.seconds to the converted int above.

Any date prior to the January 15th 2025 timestamp will be a lesser value.

 
 
You'd have to convert your date to Unix timestamp and use that integer as the first parameter. This returns a String though so its less useful in comparison. 
 

View solution in original post

Jump to Solution
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
alube
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

There are two functions you can use to create dates via your own input. 

 

 

timestamp.as_unix_seconds("2025-01-15 00:00:00","UTC")

 

The output of this is an integer. This allows you to use math operators to compare the event_timestamp.seconds to the converted int above.

Any date prior to the January 15th 2025 timestamp will be a lesser value.

 
 
You'd have to convert your date to Unix timestamp and use that integer as the first parameter. This returns a String though so its less useful in comparison. 
 
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Here are a few accompanying blogs that might help based on the syntax links that @alube shared above. The timestamp.diff function also will give you an integer output based on the time unit specified so I provided that option as well. Mathematical operations to calculate the difference between two time values within the outcome section is also another method.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-What-Difference-Does-It-...

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Time-Time-Time-See-What-...

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
fbaumgar
Bronze 2
Bronze 2
In response to jstoner
Reply posted on --/--/---- --:-- AM

Thank you for the helpful information. However, I encountered an issue while using timestamp.diff in our tenant.

I received the following exception:

parsing: function timestamp.diff not found

I tried using timestamp.diff in various sections of the rule, but the outcome remained the same.

Is timestamp.diff a recent addition? I couldn’t find it mentioned in the Yara-L syntax documentation:

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
In response to fbaumgar
Reply posted on --/--/---- --:-- AM

it is a fairly recent addition and it is possible it may not be turned on within your tenant yet. You may be able to request it by opening a ticket to request it.

Jump to Solution
0 Likes
Top Solution Authors
View all