This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Timestamp.diff

Posted on 10-09-2024 06:09 AM
Omskirt
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Does anyone here know where to finds the documentation on how to use the timestamp.diff into yara-l? Coz Iโ€™m struggling to find it. Thanks

Solved Solved
0 7 319
Topic Labels
Jump to Solution
0 Likes
2 ACCEPTED SOLUTIONS

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM
$diff = timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "SECOND")

View solution in original post

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

 

I threw these couple ideas into a search, but they could be adapted to a rule so feel free to use whatever makes the most sense. Some of this will depend on what goes into the match section to group the like events together.  You could use something like get_timestamp to just get the date and then count that or if you want to calculate a difference, you could use the timestamp.diff function in the events section or depending on your aggregation (group by) in the match section, you could add an aggregation function like count_distinct in the outcome section. There are a few different permutations here, so try them out if you want.

 

metadata.event_type = "PROCESS_LAUNCH"
$edate = timestamp.get_timestamp(metadata.event_timestamp.seconds, "%F")
$diff1 = math.abs(timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "DAY"))
match:
 principal.hostname
outcome:
$num_times = count_distinct($edate)
$edays = array_distinct($edate)
$diff = count_distinct(timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "DAY"))
$diff_calc = count_distinct($diff1)

 To bound the number of times seen, you could also do something like this in the rule to say if we see it more than n times include it. Not sure if that helps but figure i would mention it.

condition:
 $e and $num_times > 5

View solution in original post

Jump to Solution
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @Omskirt,

This is currently a preview Yara-L 2.0 function, however this should help - https://cloud.google.com/chronicle/docs/preview/detection-engine/yara-l-2-0-syntax#timestampdiff

 
Kind Regards,

Ayman

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Thank you so much highly appreciated this reference

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM
$diff = timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "SECOND")
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
In response to jstoner
Reply posted on --/--/---- --:-- AM

This is much more well explained. Thanks โค๏ธ

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

IMG_4263.jpeg

I'm wondering if thereโ€™s any way to avoid repeating days. For example, in a span of 10 days, I want to capture more than 7 unique days. Is there a way to ensure that the days are distinct? However, since I used timestamp.diff, I noticed that in 8 days, it seems to count as 3. Can it be adjusted to count the 8 days as one unique result only? Thanks!

โ€ƒ

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

 

I threw these couple ideas into a search, but they could be adapted to a rule so feel free to use whatever makes the most sense. Some of this will depend on what goes into the match section to group the like events together.  You could use something like get_timestamp to just get the date and then count that or if you want to calculate a difference, you could use the timestamp.diff function in the events section or depending on your aggregation (group by) in the match section, you could add an aggregation function like count_distinct in the outcome section. There are a few different permutations here, so try them out if you want.

 

metadata.event_type = "PROCESS_LAUNCH"
$edate = timestamp.get_timestamp(metadata.event_timestamp.seconds, "%F")
$diff1 = math.abs(timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "DAY"))
match:
 principal.hostname
outcome:
$num_times = count_distinct($edate)
$edays = array_distinct($edate)
$diff = count_distinct(timestamp.diff(metadata.event_timestamp.seconds, metadata.collected_timestamp.seconds, "DAY"))
$diff_calc = count_distinct($diff1)

 To bound the number of times seen, you could also do something like this in the rule to say if we see it more than n times include it. Not sure if that helps but figure i would mention it.

condition:
 $e and $num_times > 5
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Got it. I understood now. Thanks for this output I am more confident on how to use the timestamp.diff. Thanks for this 

Jump to Solution
0 Likes
Top Solution Authors
View all