Map date and time fields for Elasticsearch

Supported in: Google SecOps [SOAR](/chronicle/docs/secops/google-secops-soar-toc)

After you add and configure an integration, you must map its fields to Google Security Operations fields so that the information is displayed accurately on the platform. More specifically, this document explains how to map a custom date and time for the Elasticsearch connector.

When you configure the **Elasticsearch** connector, you must *convert* or map the custom date and time fields, such as *\_source\_@timestamp*, to the **startTime** and **endTime** of Google SecOps cases.

1. Go to **SOAR Settings \> Ontology \> Ontology Status**.
2. Click **Configure** in the same row as the Elasticsearch connector.
3. On the **Event Configuration** page, select **Mapping**.
4. Under **System Fields**, select the **StartTime** row and choose **Edit Field** from the menu.
5. In the **Map Target Field: StartTime** dialog, set the following fields:
 - **Extracted**: Select **\_source\_@timestamp**, which is from the ELK stack.
 - **Transformation Function**: Select **FROM_CUSTOM_DATETIME**.
 - **Enter Parameters**: Enter `YYYY-MM-DDTHH:MM:SS:zzzZ`.
6. In the **Map Target Field: EndTime** dialog, set the following fields:
 - **Extracted Field**: Select **\_source\_@timestamp**, which is from the ELK stack.
 - **Transformation Function**: Select **FROM_CUSTOM_DATETIME**.
 - **Enter Parameters**: Enter `YYYY-MM-DDTHH:MM:SS:zzzZ` to generalize the time format.
7. Click **Save**.

The Elasticsearch timestamp fields are now converted to the standardized time and date fields.

Last updated 2025-09-04 UTC.
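The mapping only produces correct case times when the `@timestamp` values in your index really have the shape the `FROM_CUSTOM_DATETIME` pattern describes. The following is an added example, not code from the Google SecOps documentation or product: it expresses the documented pattern as a regular expression, applies it to a few constructed Elasticsearch hits, and shows which values would map to `startTime`/`endTime` and which would not. It assumes `zzz` means milliseconds and the trailing `Z` is a literal UTC marker; because the page writes `:` before `zzz` while Elasticsearch's default format writes `.`, both separators are accepted.

```python
# Added example, not part of the Google SecOps documentation or product code.
# Check that Elasticsearch _source.@timestamp values have the shape the
# documented FROM_CUSTOM_DATETIME pattern YYYY-MM-DDTHH:MM:SS:zzzZ describes,
# and compute the epoch-millisecond value a case startTime/endTime would get.
import re
from datetime import datetime, timezone
from typing import Optional

# Assumption: zzz = milliseconds, Z = literal UTC marker. The documentation
# writes ':' before zzz; Elasticsearch's default date format writes '.', so
# both separators are accepted here.
TIMESTAMP_RE = re.compile(
    r"^(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})"
    r"T(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2})"
    r"[.:](?P<ms>\d{3})Z$"
)

def to_epoch_ms(value: str) -> Optional[int]:
    """UTC epoch milliseconds for a value matching the pattern, else None."""
    m = TIMESTAMP_RE.match(value)
    if not m:
        return None
    dt = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                  int(m["h"]), int(m["mi"]), int(m["s"]),
                  int(m["ms"]) * 1000, tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def map_case_times(hit: dict) -> dict:
    """Mirror the mapping: StartTime and EndTime both come from _source.@timestamp."""
    raw = hit.get("_source", {}).get("@timestamp")
    epoch = to_epoch_ms(raw) if isinstance(raw, str) else None
    return {"raw": raw, "startTime": epoch, "endTime": epoch,
            "matches_pattern": epoch is not None}

# Constructed sample hits: the first two match the pattern, the third uses a
# numeric offset and no milliseconds, so the documented pattern would not parse it.
SAMPLE_HITS = [
    {"_index": "logs-2025.09", "_source": {"@timestamp": "2025-09-04T10:15:30.250Z"}},
    {"_index": "logs-2025.09", "_source": {"@timestamp": "2025-09-04T10:15:30:250Z"}},
    {"_index": "logs-2025.09", "_source": {"@timestamp": "2025-09-04T10:15:30+02:00"}},
]

def check_hits(hits: list) -> list:
    """Report, per hit, whether the timestamp would map and to what value."""
    return [map_case_times(h) for h in hits]

if __name__ == "__main__":
    for result in check_hits(SAMPLE_HITS):
        print(result)
```

Run it against a handful of real hits from your index (for example, the `hits.hits` array of a search response) before saving the mapping; any hit reported with `matches_pattern: False` would end up with an incorrect or missing case time.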