topic Re: Return results only if Previous_Time and New_Time difference is more than 5s in Getting Data In

How to return results only if Previous_Time and New_Time difference is more than 5s?

evallja — Tue, 15 Aug 2023 19:52:26 GMT

Hello everyone,

I have the below fields and I want the search to generate only the results when Previous_Time and New_Time difference is more than 5s:

_time	host	EventCode	EventCodeDescription	Name	Previous_Time	New_Time
Tue Aug 15 09:35:01 2023	hostname	4616	The system time was changed.	C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe	‎2023‎-‎08‎-‎15T07:35:01.152758200Z	‎2023‎-‎08‎-‎15T07:35:01.152000000Z

Thank you.

Re: Return results only if Previous_Time and New_Time difference is more than 5s

ITWhisperer — Tue, 15 Aug 2023 10:16:58 GMT

You need to parse the time strings into numeric times, then you can calculate the difference

| eval Previous_Time=strptime(Previous_Time,"%Y-%m-%dT%T.%9N%Z") | eval New_Time=strptime(New_Time,"%Y-%m-%dT%T.%9N%Z") | eval diff=abs(Previous_Time - New_Time) | where diff > 5

Re: Return results only if Previous_Time and New_Time difference is more than 5s

evallja — Tue, 15 Aug 2023 11:47:28 GMT

I have tried the eval command before for this case, but just like in this search, it will return blank field values for Previous_Time and New_Time fields.

I even tried to change their names by creating totally new fields but still the same results.

Re: Return results only if Previous_Time and New_Time difference is more than 5s

ITWhisperer — Tue, 15 Aug 2023 11:53:15 GMT

I am not sure I understand what the issue is - this code works with the samples you have given, although perhaps the samples are not an accurate representation of your events.

Please can you share anonymised samples of your actual events, preferably in a code block </> to prevent loss of information due to formatting changes.

Re: Return results only if Previous_Time and New_Time difference is more than 5s

evallja — Tue, 15 Aug 2023 12:18:05 GMT

The table is copied from the results, the only field value I anonymized is the host value "hostname".

However, if it helps I am also pasting the _raw text changing only the sensitive info to "Anonymized"

08/15/2023 09:35:01 AM

LogName=Security

SourceName=Microsoft Windows security auditing.

EventCode=4616

EventType=0

Type=Information

ComputerName=Anonymized

TaskCategory=Security State Change

OpCode=Info

RecordNumber=828401024

Keywords=Audit Success

Message=The system time was changed.

Subject:

Security ID: Anonymized\Administrator

Account Name: Administrator

Account Domain: Anonymized

Logon ID: 0x1B00AE

Process Information:

Process ID: 0x231c

Name: C:\Program Files (x86)\TrueTime\WinSync\WinSync.exe

Previous Time: ‎2023‎-‎08‎-‎15T07:35:01.152758200Z

New Time: ‎2023‎-‎08‎-‎15T07:35:01.152000000Z

Re: Return results only if Previous_Time and New_Time difference is more than 5s

ITWhisperer — Tue, 15 Aug 2023 12:25:05 GMT

Wow! you have some extra characters in there, no wonder the parsing didn't work! Please try this

| eval Previous_Time=strptime(Previous_Time,"<u+200e>%Y<u+200e>-<u+200e>%m<u+200e>-<u+200e>%dT%T.%9N%Z") | eval New_Time=strptime(New_Time,"<u+200e>%Y<u+200e>-<u+200e>%m<u+200e>-<u+200e>%dT%T.%9N%Z") | eval diff=abs(Previous_Time - New_Time)

Re: Return results only if Previous_Time and New_Time difference is more than 5s

evallja — Tue, 15 Aug 2023 13:06:42 GMT

Still not working... As I already spent too much time on this search I'm going with regex as below:

| rex field=Previous_Time "T(?P<Previous_Time>.([0-9]+(:[0-9]+)+))"

| rex field=New_Time "T(?P<New_Time>.([0-9]+(:[0-9]+)+))"

and then I will use "where" for the other filtering about the exact difference I want to choose (which also shall remain anonymized).

Thank you for your replies and your time!
Best regards.