Elasticsearch connector: mapping custom date and time

After installing and configuring an integration, you need to map its fields to Google Security Operations fields so that the information is shown in the platform.

When configuring the Elasticsearch connector, you need to convert or map the custom date and time fields, such as _source_@timestamp, to the startTime and endTime of Google Security Operations cases.

  1. Navigate to SOAR Settings > Ontology > Ontology Status.
  2. Click Configure (the settings icon) in the same row as the Elasticsearch connector.
  3. In the Event Configuration page, select Mapping.
  4. Under System Fields, select the StartTime row and choose Edit Field from the menu.
  5. In the Map Target Field: StartTime dialog:
    1. For Extracted Field, select _source_@timestamp, which is from the ELK stack.
    2. For Transformation Function, select FROM_CUSTOM_DATETIME from the menu.
    3. In the Enter Parameters field, enter YYYY-MM-DDTHH:MM:SS:zzzZ.
  6. In the Map Target Field: EndTime dialog:
    1. For Extracted Field, select _source_@timestamp, which is from the ELK stack.
    2. For Transformation Function, select FROM_CUSTOM_DATETIME from the menu.
    3. In the Enter Parameters field, enter YYYY-MM-DDTHH:MM:SS:zzzZ. This standardizes the time format.
  7. Click Save.

The Elasticsearch timestamp fields are now converted to the standardized time and date fields.
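Before relying on the mapping, it is worth confirming that the values actually stored in _source.@timestamp match the pattern you enter for FROM_CUSTOM_DATETIME; a document whose timestamp is in a different format will not be converted, and the case's startTime and endTime will be wrong or empty. The following Python snippet is an added pre-flight check, not code from Google Security Operations or the connector. It assumes Elasticsearch's default @timestamp format (ISO 8601 with millisecond precision and a Z suffix, e.g. 2024-01-15T10:30:45.123Z), which is what the page's YYYY-MM-DDTHH:MM:SS:zzzZ parameter is taken to describe, and it uses constructed sample hits rather than a live index. Conversion to epoch milliseconds is only a convenient normalized form for comparison, not a claim about the platform's internal representation.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample hits shaped like Elasticsearch search results
# (only the fields relevant to the mapping are included).
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2024-01-15T10:30:45.123Z", "message": "login ok"}},
    {"_source": {"@timestamp": "2024-01-15T10:31:02.000Z", "message": "login failed"}},
    # Deliberately mismatched format: a custom-datetime transform expecting
    # the ISO pattern would not be able to convert this value.
    {"_source": {"@timestamp": "15/01/2024 10:32:00", "message": "odd format"}},
]

# Pattern assumed to correspond to YYYY-MM-DDTHH:MM:SS:zzzZ (assumption,
# not the connector's own parser): date, 'T', time, 3-digit fraction, 'Z'.
ISO_MS_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")


def to_epoch_ms(ts: str) -> Optional[int]:
    """Return the timestamp as UTC epoch milliseconds, or None if it does not
    match the expected ISO 8601 format."""
    if not ISO_MS_Z.match(ts):
        return None
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def check_hits(hits: List[dict]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Split hits into those whose @timestamp converts cleanly and those that
    would fail the custom-datetime mapping."""
    ok: List[Tuple[str, int]] = []
    bad: List[str] = []
    for hit in hits:
        ts = hit["_source"]["@timestamp"]
        ms = to_epoch_ms(ts)
        if ms is None:
            bad.append(ts)
        else:
            ok.append((ts, ms))
    return ok, bad


if __name__ == "__main__":
    converted, rejected = check_hits(SAMPLE_HITS)
    for ts, ms in converted:
        print(f"OK    {ts} -> {ms}")
    for ts in rejected:
        print(f"CHECK {ts} does not match the expected pattern; adjust the parameter or the index mapping")
```

Run it against a handful of documents pulled from the real index (replace SAMPLE_HITS with the hits from a search response) and fix any rejected values, either by changing the Enter Parameters string to match the source format or by normalizing the timestamp at ingest, before saving the StartTime and EndTime mappings.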