This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Timestamp.now

Posted on 10-29-2024 09:37 AM
Omskirt
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Is there any documentation for the timestamp.now. Much better if you have an example. I am not sure on how to use it. I’m a bit confused on that one. Also,  if you have any documentation references for new release features in YARA-l kindly send the link here. Thank you so much. 

Solved Solved
0 7 340
Topic Labels
Jump to Solution
0 Likes
2 ACCEPTED SOLUTIONS

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

as far as i know they are identical... you can obviously use it nested with other functions. i think now() may be a better understood term across google sql and other database functions that some users are familiar with...

View solution in original post

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
cmorris
Staff
In response to Omskirt
Reply posted on --/--/---- --:-- AM

@Omskirt - The functions with examples are documented here - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#functions_2

View solution in original post

Jump to Solution
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
vaskenh
Staff
Reply posted on --/--/---- --:-- AM

Hi @Omskirt.   You may want to bookmark the SecOps Release Notes page to browse the high level release notes for each release.  In here, you can get more information about Parser updates, changes to UDM fields (like deprecation of existing fields) and more.

timestamp.now is a YARA-L 2.0 function that you can leverage in both Rules and Search.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
In response to vaskenh
Reply posted on --/--/---- --:-- AM

Aside from that, Is there any demo or example on how to use the new features in YARA-L? I am very much looking forward to any references on that, as I sometimes find it confusing when applying the queries

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
cmorris
Staff
In response to Omskirt
Reply posted on --/--/---- --:-- AM

@Omskirt - The functions with examples are documented here - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#functions_2

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Here is an example using this function. The function is the same as timestamp.curent_seconds()

 

metadata.event_type = "NETWORK_CONNECTION"
principal.ip = $pip
target.ip = $tip
net.ip_in_range_cidr(principal.ip, "10.128.0.0/24") and net.ip_in_range_cidr(target.ip, "10.128.0.0/24") and network.sent_bytes > 0
match:
  $pip, $tip
outcome:
  $event_count = count_distinct(metadata.id)
  $current_seconds = timestamp.current_seconds()
  $now = timestamp.now()
  $max_minutes_since_event = max(timestamp.diff($now, metadata.event_timestamp.seconds, "MINUTE"))
order:
  $event_count desc
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
In response to jstoner
Reply posted on --/--/---- --:-- AM

Ow got it, But what’s the value of this timestamp.now compare to current seconds? Or there are just the same only? Nothing more? Thanks

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

as far as i know they are identical... you can obviously use it nested with other functions. i think now() may be a better understood term across google sql and other database functions that some users are familiar with...

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Omskirt
Bronze 4
Bronze 4
In response to jstoner
Reply posted on --/--/---- --:-- AM

I see, thanks for letting me know this. Much clearer now. 

Jump to Solution
0 Likes
Top Solution Authors
View all