Elasticsearch connector: Map a custom date and time

Supported in:

After installing and configuring an integration, you need to map their fields to Google Security Operations fields in order to show the information in the platform.

When configuring the Elasticsearch connector, you need to convert or map the custom date and time, such as \_source\_@timestamps, to startTime and endTime of Google SecOps cases.

  1. Navigate to SOAR Settings > Ontology > Ontology Status.
  2. Click settings Configure in the same row as the Elasticsearch connector.
  3. In the Event Configuration page, select Mapping.
  4. Under System Fields, select the StartTime row and choose Edit Field from the menu.
  5. In the Map Target Field: StartTime dialog:
    1. For Extracted Field, select \_source\_@timestamp, which is from the ELK stack.
    2. For Transformation Function, select FROM_CUSTOM_DATETIME from the menu.
    3. In the Enter Parameters field, enter YYYY-MM-DDTHH:MM:SS:zzzZ.
      4. elasticsearch2
  6. In the Map Target Field: EndTime dialog:
    1. For Extracted Field, select \_source\_@timestamp, which is from the ELK stack.
    2. For Transformation Function, select FROM_CUSTOM_DATETIME from the menu.
    3. In the Enter Parameters field, enter YYYY-MM-DDTHH:MM:SS:zzzZ. This is to generalize the time format.
  7. Click Save.

The Elasticsearch timestamp fields are now converted to the standardized time and date fields.

Need more help? Get answers from Community members and Google SecOps professionals.