So the inner workings of core.executeQuery are a bit tricky when it comes to times. You're on the right track with trying to get to epoch time.
1) The timestamp operator just needs a long value (aka 64-bit int) as an operand (no quotes needed) that represents milliseconds since the epoch. The where string should look similar to the following:
(where (between EPOEvents.DetectedUTC (timestamp 1369900866140) (timestamp 1369987266140)))
2) Now, we have to get the time string into millis and with some stackoverflow help here's a sample script that should do what you want. You'll have to tweak the times a bit for your timezone (I assumed PDT here) and append the timezone offset to your time string to use the iso_to_timestamp function. If anybody knows an easier way to convert to millis, please share
import mcafee, calendar, datetime, time
Takes ISO 8601 format(string) and converts to epoch time in millis(string).
dt = datetime.datetime.strptime(ts[:-7],'%Y-%m-%dT%H:%M:%S.%f') - datetime.timedelta(hours=int(ts[-5:-3]),
seconds = calendar.timegm(dt.timetuple()) + dt.microsecond/1000000.0
# NOTE: the time strings include the TZ offset (assuming Pacific Daylight Time)
# I tweaked your example to include a 24 hour time window here
oldTime2 = iso_to_timestamp('2013-05-30T01:01:06.143-07:00')
newTime2 = iso_to_timestamp('2013-05-31T01:01:06.143-07:00')
# Here's arguments for a real simple example using the OrionAuditLog
# I successfully used this against some sample data.
#select_arg='(select OrionAuditLog.Message OrionAuditLog.StartTime OrionAuditLog.EndTime)'
#where_arg='(where (between OrionAuditLog.StartTime (timestamp ' + oldTime2 + ') (timestamp ' + newTime2 + ')))'
#order_arg='(order (desc OrionAuditLog.StartTime))'
# Here's arguments for yours against EPOEvents. Should work.
select_arg='(select EPOEvents.DetectedUTC EPOEvents.TargetHostName EPOEvents.ThreatName EPOEvents.ThreatActionTaken EPOEvents.AnalyzerIPV6 EPOEvents.AnalyzerMAC EPOEvents.AnalyzerDetectionMethod EPOEvents.ThreatCategory EPOEvents.SourceProcessName EPOEvents.AutoID)'
where_arg='(where (between EPOEvents.DetectedUTC (timestamp ' + oldTime2 + ') (timestamp ' + newTime2 + ')))'
order_arg='(order (desc EPOEvents.DetectedUTC))'
# Here's what the where argument should look like
print 'where = ' + where_arg
#replace with your server/port and credentials
#mc = mcafee.client('my-server-name',8443,'my-username','my-password')
r = mc.core.executeQuery(target=target_arg, select=select_arg, where=where_arg, order=order_arg);
# Spit out the results (JSON)
Let me know if that works for you.
Thank you for this excellent and timely method... Regards, Tom Smith