This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Calculating days until date in Yara-L Rule

Posted on 12-25-2024 08:45 PM
fbaumgar
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM
I’d like to create a rule that matches if the date mentioned in an event field falls within the next 7 days. I’ve noticed various timestamp functions, but I’m not sure how to calculate the timestamp from dates other than those stored in event metadata.
 
Below is the regex capture of the date available in the event:

 

 

 $expiry = re.capture($e.metadata.description, ".*will expire on (\\d{4}/\\d{2}/\\d{2})")

//  $expiry = "2025/01/22"

 

 

Appreciate ideas how to calculate the time diff... 
Solved Solved
0 4 271
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
alube
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

There are two functions you can use to create dates via your own input. 

 

 

timestamp.as_unix_seconds("2025-01-15 00:00:00","UTC")

 

The output of this is an integer. This allows you to use math operators to compare the event_timestamp.seconds to the converted int above.

Any date prior to the January 15th 2025 timestamp will be a lesser value.

 
 
You'd have to convert your date to Unix timestamp and use that integer as the first parameter. This returns a String though so its less useful in comparison. 
 

View solution in original post

Jump to Solution
0 Likes
4 REPLIES 4
Top Solution Authors
View all