Subtract two timestamps from eachother

dvuchev1 · January 17, 2025, 7:36am

Hello,
I’m quite new to InsightIDR and just getting used to writing queries.
I need to subtract two timestamps from eachother and cannot find a way to do this.

What I’m after is a calculation between the time field for the ALERT_OPENED action and the ALERT_ASSIGNED action contained in Audit Logs/InsightIDR Alerts.
Essentially I need to subtract the timestamp for ALERT_OPENED from ALERT_ASSIGNED and track the SOC’s SLA this way - the difference.

I can see that the Security Operations Activity dashboard has something similar, but it’s not as granular (shows <1hour) and I can’t see the search that drives the infromation behind that card.

Does anyone have an idea on how to do something like this? Thanks!

sgroeneveld · January 17, 2025, 8:52am

Datetime plugin should help.
Otherwise the python plugin

david_smith1 · January 20, 2025, 7:04am

This is not possible within log search itself, as @sgroeneveld alluded to, using some other means outside of the log search UI would be needed to calculate and compare values as you described.

David