After installing and configuring an integration, you need to map its fields
to Google Security Operations fields in order to show the information in the platform.

When configuring the Elasticsearch connector, you need to convert
or map the custom date and time, such as _source_@timestamps, to
startTime and endTime of Google SecOps cases.

1. Navigate to SOAR Settings > Ontology > Ontology Status.
2. Click Configure in the same row as the Elasticsearch connector.
3. In the Event Configuration page, select Mapping.
4. Under System Fields, select the StartTime row and choose Edit Field from the menu.
5. In the Map Target Field: StartTime dialog:
   1. For Extracted Field, select _source_@timestamp, which is from the ELK stack.
   2. For Transformation Function, select FROM_CUSTOM_DATETIME from the menu.
   3. In the Enter Parameters field, enter YYYY-MM-DDTHH:MM:SS:zzzZ.
6. In the Map Target Field: EndTime dialog:
   1. For Extracted Field, select _source_@timestamp, which is from the ELK stack.
   2. For Transformation Function, select FROM_CUSTOM_DATETIME from the menu.
   3. In the Enter Parameters field, enter YYYY-MM-DDTHH:MM:SS:zzzZ. This is to generalize the time format.
7. Click Save.

The Elasticsearch timestamp fields are now converted to the standardized time
and date fields.

Last updated 2025-08-29 UTC.