Fix AWS S3 Access Log Date to be ISO Compliant

SigmaRoss · September 16, 2020, 9:27pm

When trying to use Sigma against S3 access logs there is an issue because of the date format that AWS uses for the logs.

The time at which the request was received; these dates and times are in Coordinated Universal time (UTC). The format, using strftime() terminology, is as follows: [%d/%b/%Y:%H:%M:%S %z]

[06/Feb/2019:00:00:38 +0000]

darien · September 16, 2020, 9:27pm

Per @SigmaRoss:

To put the date in a compatible format use the following function:

DateTrunc(“hour”, CallDatetime(“try_to_timestamp”, [COLUMN/TIME], “[DD/MON/YYYY:HH24:MI:SS +0000]”))

Credit: Don H.

system · October 16, 2020, 9:42am

system · October 30, 2020, 11:05pm

system · November 19, 2020, 12:21pm

system · December 8, 2020, 7:50pm

system · December 28, 2020, 7:33am

system · January 17, 2021, 11:48am

system · February 6, 2021, 8:36pm

system · February 28, 2021, 5:50am

system · March 21, 2021, 3:49pm

system · April 12, 2021, 5:39am

system · May 4, 2021, 12:57am