Search by date and time

Search for entities or observables using any of their properties such as title or name, creation date, most recent update, ingestion date, threat start time and so on.

About dates and times in EclecticIQ Platform

Supported ISO 8601 formats

Elasticsearch only supports the following ISO 8601 date-time formats:

YYYY-MM-DD

YYYY-MM-DDTHHZ

YYYY-MM-DDTHH:mmZ

YYYY-MM-DDTHH:mm:ssZ

As a complete example, 12:35 p.m. on 25 January 2020 in Bucharest, Romania would be expressed as 2020-01-25T12:35:00+0200.

RFC 3339 also provides more detail on and examples of standardized date and time formats.

Date ranges

Elasticsearch allows you to specify date ranges in your queries. Be aware, however, that Elasticsearch treats queries that use a single date differently from queries that use a date range. For a single date, Elasticsearch compares only the date value; it ignores the time value and the timezone. Using ranges in your search queries therefore makes it more likely that you get the results you expect.

If you use single date values in your search queries, make sure that the timezone in your user profile is the same as your system timezone, which is also the timezone of all the entities and observables in your system.

To specify a range, enclose it in either square or curly brackets:

  • [min TO max] : square brackets include the lower and the upper limits in the specified range.

  • {min TO max} : curly brackets exclude the lower and the upper limits from the specified range.

The TO operator always has to be uppercase.

Examples:

  • meta.ingest_time:["2020-01-01T00:00:00" TO *]
    Returns all entities that were ingested on or after 1 January 2020.

  • meta.ingest_time:{"2020-01-01T00:00:00" TO "2020-01-04T00:00:00"]
    Returns all entities that were ingested on 2 and 3 January 2020.

  • meta.ingest_time:["2020-01-01T13" TO "2020-01-01T14"}
    Returns all entities that were ingested on 1 January 2020 from 13:00 up to, but excluding, 14:00.

Shortcuts

You can also specify dates relative to the current time using Elasticsearch date math: the keyword now, optionally followed by an offset such as -24h or a rounding such as /d (start of the current day) or /M (start of the current month).

Examples:

  • meta.ingest_time:[now/d TO *]
    Returns all entities that were ingested today.

  • meta.ingest_time:[now/M TO *]
    Returns all entities that were ingested this month.

  • meta.ingest_time:[now-24h TO *]
    Returns all entities that were ingested during the last 24 hours.

User timezone

The timezone you specified in your platform profile affects the value displayed for the timestamp of, for example, an entity, observable or relationship. It also serves as the default timezone for Elasticsearch queries.

If you specify a timezone in your query, Elasticsearch ignores your user timezone for the actual search. However, the search results are displayed according to your user timezone.
For example:

  • User timezone: CET (+0100)

  • Entity ingestion date-time: 21 Feb 2020 at 7:00 a.m. GMT (+0000)

  • Search string: meta.ingest_time:["2020-02-21T06:30:00+0000" TO "2020-02-21T07:30:00+0000"]

The entity appears in the search results, but because the user timezone is an hour later, the entity is displayed with a timestamp of 8:00 a.m.
This may be confusing; unless you need to share results with users in different timezones, it is preferable to avoid specifying a timezone in a search query.
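The bracket rules, the date math shortcuts and the timezone behaviour described in the sections above, worked through in one added Python example. This is not EclecticIQ Platform or Elasticsearch code: it is a small local model of how such a range query is evaluated. It assumes a user-profile timezone of CET (+0100), attaches that timezone to any date typed without an offset, supports only the subset of date math shown on this page (offsets in weeks, days, hours, minutes and seconds, and rounding down with /unit), and runs against a handful of constructed entities, one of which reproduces the page's 7:00 a.m. GMT example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the user-profile timezone, applied to dates typed without an offset
# and used to display results.
USER_TZ = timezone(timedelta(hours=1))  # CET (+0100)

# ISO 8601 forms listed on the page, most specific first.
# strptime's %z accepts "Z", "+0200" and "+02:00".
ISO_FORMATS = ["%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M%z",
               "%Y-%m-%dT%H:%M", "%Y-%m-%dT%H%z", "%Y-%m-%dT%H", "%Y-%m-%d"]

# Date math tokens after "now": an offset (-24h, +1w) or a rounding (/d, /M).
DATE_MATH = re.compile(r"([+-]\d+)([wdhHms])|/([yMwdhHms])")
UNIT_DELTA = {"w": timedelta(weeks=1), "d": timedelta(days=1), "h": timedelta(hours=1),
              "H": timedelta(hours=1), "m": timedelta(minutes=1), "s": timedelta(seconds=1)}

# field:[min TO max] with [ or { on the left, ] or } on the right; * means unbounded.
RANGE = re.compile(r'^(?P<field>[\w.]+):(?P<lo>[\[{])\s*(?P<min>"[^"]*"|\S+?)'
                   r'\s+TO\s+(?P<max>"[^"]*"|\S+?)\s*(?P<hi>[\]}])$')

def parse_iso8601(text, default_tz=USER_TZ):
    """Parse one of the supported ISO 8601 forms; attach the user timezone if none is given."""
    for fmt in ISO_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=default_tz)
    raise ValueError(f"unsupported date-time: {text!r}")

def round_down(dt, unit):
    """Truncate dt to the start of the given unit (weeks start on Monday)."""
    zero = dict(hour=0, minute=0, second=0, microsecond=0)
    if unit == "y":
        return dt.replace(month=1, day=1, **zero)
    if unit == "M":
        return dt.replace(day=1, **zero)
    if unit == "w":
        return (dt - timedelta(days=dt.weekday())).replace(**zero)
    if unit == "d":
        return dt.replace(**zero)
    if unit in "hH":
        return dt.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    return dt.replace(microsecond=0)

def eval_date_math(expr, now):
    """Evaluate now, now/d, now-24h, now-1d/d ... relative to `now`.
    Month and year offsets (e.g. now-1M) are unsupported here and raise ValueError."""
    if not expr.startswith("now"):
        raise ValueError(f"not a date math expression: {expr!r}")
    dt, pos = now, 3
    for m in DATE_MATH.finditer(expr):
        if m.start() != pos:  # tokens must be contiguous; stray characters are an error
            break
        pos = m.end()
        dt = round_down(dt, m.group(3)) if m.group(3) else dt + int(m.group(1)) * UNIT_DELTA[m.group(2)]
    if pos != len(expr):
        raise ValueError(f"bad date math: {expr!r}")
    return dt

def parse_bound(token, now):
    token = token.strip('"')
    if token == "*":
        return None
    return eval_date_math(token, now) if token.startswith("now") else parse_iso8601(token)

def parse_range_query(query, now):
    m = RANGE.match(query.strip())
    if not m:
        raise ValueError(f"not a range query: {query!r}")
    return {"field": m["field"],
            "min": parse_bound(m["min"], now), "min_inclusive": m["lo"] == "[",
            "max": parse_bound(m["max"], now), "max_inclusive": m["hi"] == "]"}

def in_range(value, r):
    """Inclusive ([ ]) bounds admit an exactly equal instant; exclusive ({ }) bounds do not."""
    lo, hi = r["min"], r["max"]
    if lo is not None and (value < lo or (value == lo and not r["min_inclusive"])):
        return False
    if hi is not None and (value > hi or (value == hi and not r["max_inclusive"])):
        return False
    return True

def search(entities, query, now=None):
    """Return (title, timestamp as displayed in USER_TZ) for every matching entity.
    Matching compares absolute instants, so a bound with an explicit offset is honoured;
    only the displayed value is converted to the user timezone."""
    now = now or datetime.now(USER_TZ)
    r = parse_range_query(query, now)
    hits = []
    for e in entities:
        value = parse_iso8601(e[r["field"]])
        if in_range(value, r):
            hits.append((e["title"], value.astimezone(USER_TZ).strftime("%Y-%m-%dT%H:%M:%S%z")))
    return hits

# Constructed sample entities (not real platform data); F is the page's 7:00 a.m. GMT example.
ENTITIES = [
    {"title": "A", "meta.ingest_time": "2020-01-01T00:00:00+0100"},
    {"title": "B", "meta.ingest_time": "2020-01-02T10:00:00+0100"},
    {"title": "C", "meta.ingest_time": "2020-01-04T00:00:00+0100"},
    {"title": "D", "meta.ingest_time": "2020-01-01T13:30:00+0100"},
    {"title": "E", "meta.ingest_time": "2020-01-01T14:00:00+0100"},
    {"title": "F", "meta.ingest_time": "2020-02-21T07:00:00+0000"},
]
FIXED_NOW = datetime(2020, 1, 2, 13, 45, tzinfo=USER_TZ)  # constructed "now" for the date math

if __name__ == "__main__":
    for q in ['meta.ingest_time:{"2020-01-01T00:00:00" TO "2020-01-04T00:00:00"]',
              'meta.ingest_time:["2020-01-01T13" TO "2020-01-01T14"}',
              "meta.ingest_time:[now-24h TO *]",
              'meta.ingest_time:["2020-02-21T06:30:00+0000" TO "2020-02-21T07:30:00+0000"]']:
        print(q, "->", search(ENTITIES, q, FIXED_NOW))
```

Two details are worth noticing when you run it. The `]` in the second query admits entity C, which was ingested at exactly midnight on 4 January, so "2 and 3 January" is only approximately what that range means. And the last query, with explicit +0000 bounds, matches entity F (ingested 07:00 GMT) but reports it as 2020-02-21T08:00:00+0100, which is the user-timezone display effect described above.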

Entity date-time attributes

There are several entity attributes that you can use to search by date and time. The most commonly used are listed below along with their explanations.

  • created_at
    The date and time that an entity was created in EclecticIQ Platform.

  • last_updated_at
    The date and time that an entity’s details were last edited in EclecticIQ Platform.

  • data.producer.time_produced
    The date and time that an incident was created.
    This field is specific to incidents.
    You have to type the date value as a full string (for example: 2020-01-25T12:35:00+0200).

  • data.reporter.time_produced
    The date and time that an incident was reported.
    This field is specific to incidents.
    You have to type the date value as a full string (for example: 2020-01-25T12:35:00+0200).

  • data.time_first_malicious_action
    The date and time of the first malicious action of an incident.
    This field is specific to incidents.
    You have to type the date value as a full string (for example: 2020-01-25T12:35:00+0200).

  • data.timestamp
    A specific version of an entity.

  • data.valid_time_positions.start
    The start of the time window during which an indicator is valid.
    This field is specific to indicators.
    You have to type the date value as a full string (for example: 2020-01-25T12:35:00+0200).

  • data.valid_time_positions.end
    The end of the time window during which an indicator is valid.
    This field is specific to indicators.
    You have to type the date value as a full string (for example: 2020-01-25T12:35:00+0200).

  • meta.first_ingest_time
    The date and time of an entity’s most recent ingestion into an organization’s cluster of platforms.
    You can only search using a single value.

  • meta.ingest_time
    The date and time of an entity’s ingestion into a particular platform.
    You can search using a single value or a range of values.

  • meta.estimated_observed_time
    The date and time when an entity is estimated to have been first observed.
    You can search using a single value or a range of values.

  • meta.estimated_threat_start_time
    The date and time when the threat posed by an entity is estimated to have started.
    You can search using a single value or a range of values.

  • meta.estimated_threat_end_time
    The date and time when the threat posed by an entity is estimated to have ended.
    You can search using a single value or a range of values.

How to search by date-time

  1. In the side navigation bar, click the search icon.

  2. Either type in the query string manually or select from the query suggestions that are automatically displayed.

  3. Click the search icon to the right of the query string.