DateTime Formatting

brandon_mcclure · December 14, 2023, 3:29pm

I pull a UCT Timestamp from an alert, does anyone have a good way to convert this to human readable without using a custom Python Script?
e.g.
“2023-12-07T17:48:50Z” to “12/17/2023 5:48:50 PM”

darrick_hall1 · December 14, 2023, 5:41pm

I do not have a current solution outside of scripting. The Get Date Time action in the Date/Time plugin supports modifying the output to meet your needs, but does not accept input. I put in a feature enhancement request for the plugin to allow actions such as “convert to local time” to be customizable. If it is picked up I will update this thread Brandon.

tristan_harward · December 14, 2023, 9:08pm

I’ve just run into this as well, trying to grab the last 1d of Closed investigations on a Timer trigger from InsightIDR.

Formatting the date to the format that InsightIDR expects it appears not to be possible with the Datetime plugin. It’s outputting 2023-12-07T17:48:50Z, which InsightIDR plugin doesn’t accept, and the Datetime plugin doesn’t have a formatter that takes arbitrary input.

@darrick_hall1 if we update the plugin I’d recommend looking at consistency (or at least a way to make consistent) with the date format of the Timer trigger, and the input of the InsightIDR actions.

Eric-Wilson · December 14, 2023, 10:24pm

You can use pattern match to pull specific parts of the date/time and reorganize it with their respective variables latter on, but you wouldn’t be able to convert from 24h to 12h format without scripting.

Example:

Pull Time and date as separate variables in pattern match: Alert creation time: {{creation_date:/\S/}} {{creation_time:/[^.]*/}}.**
Reorganize in artifact: {{[“Pattern Match - 1”].[creation_date]}}T{{[“Pattern Match - 1”].[creation_time]}}+00:00

brandon_mcclure · December 20, 2023, 3:32pm

If I’m going to do Regex, than I might as well use a PowerShell step.
It would be nice if the Datetime → Get Datetime had the option to put a string or leave blank for current time, and provided this output.

Get-Date 2023-12-07T18:48:50Z | Select-Object *

DisplayHint : DateTime
DateTime    : Thursday, December 7, 2023 1:48:50PM
Date        : 12/7/2023 12:00:00AM
Day         : 7
DayOfWeek   : Thursday
DayOfYear   : 341
Hour        : 13
Kind        : Local
Millisecond : 0
Microsecond : 0
Nanosecond  : 0
Minute      : 48
Month       : 12
Second      : 50
Ticks       : 638375537300000000
TimeOfDay   : 13:48:50
Year        : 2023

OR

Get-Date 2023-12-07T18:48:50Z | Select-Object * | ConvertTo-Json
{
  "DisplayHint": 2,
  "DateTime": "Thursday, December 7, 2023 1:48:50PM",
  "Date": "2023-12-07T00:00:00-05:00",
  "Day": 7,
  "DayOfWeek": 4,
  "DayOfYear": 341,
  "Hour": 13,
  "Kind": 2,
  "Millisecond": 0,
  "Microsecond": 0,
  "Nanosecond": 0,
  "Minute": 48,
  "Month": 12,
  "Second": 50,
  "Ticks": 638375537300000000,
  "TimeOfDay": {
    "Ticks": 497300000000,
    "Days": 0,
    "Hours": 13,
    "Milliseconds": 0,
    "Microseconds": 0,
    "Nanoseconds": 0,
    "Minutes": 48,
    "Seconds": 50,
    "TotalDays": 0.5755787037037037,
    "TotalHours": 13.813888888888888,
    "TotalMilliseconds": 49730000.0,
    "TotalMicroseconds": 49730000000.0,
    "TotalNanoseconds": 49730000000000.0,
    "TotalMinutes": 828.8333333333334,
    "TotalSeconds": 49730.0
  },
  "Year": 2023
}