Parsingrule Update 2 (#28216)

* Updated Barracuda_Cloudgen_Firewall ParsingRules * Updated Barracuda_Cloudgen_Firewall ReleaseNotes * Updated Barracuda_Cloudgen_Firewall ReleaseNotes * Updated ParsingRules BluecatAddressManager_1_3 * Updated BluecatAddressManager ReleaseNotes * Updated BluecatAddressManager ReleaseNotes * Updated Box ParsingRules * Updated Box ReleaseNotes * Updated Box ReleaseNotes * Updated the Barracuda_Cloudgen_Firewall README * Update README.md * Updated ParsingRules Box
demisto · Jul 19, 2023 · 6692a19 · 6692a19
1 parent 8f15d27
commit 6692a19
Show file tree

Hide file tree

Showing 10 changed files with 45 additions and 16 deletions.
diff --git a/...Rules/Barracuda_Cloudgen_FirewallParsingRules/Barracuda_Cloudgen_FirewallParsingRules.xif b/...Rules/Barracuda_Cloudgen_FirewallParsingRules/Barracuda_Cloudgen_FirewallParsingRules.xif
@@ -1,5 +1,6 @@
 [INGEST:vendor="barracuda", product="cgfw", target_dataset="barracuda_cgfw_raw", no_hit=keep]
-alter
+filter _raw_log ~= "^.*(\d{10})\s.*BYF" OR _raw_log ~= "\S{3}\s+\S+\s\d{2}\:\d{2}\:\d{2}"
+| alter
     tmp_time1_get_epoch = arraystring(regextract(_raw_log, "^.*(\d{10})\s.*BYF"), ""),
     tmp_time2_gen_year = arraystring(regextract(to_string(_insert_time) , "^.{0,4}"),""), // 2023
     tmp_time2_get_datetime_log = replace(arraystring(regextract(_raw_log , "\S{3}\s+\S+\s\d{2}\:\d{2}\:\d{2}"), ""), "  ", " ") // Mar 13 07:11:42

diff --git a/Packs/Barracuda_Cloudgen_Firewall/README.md b/Packs/Barracuda_Cloudgen_Firewall/README.md
@@ -8,6 +8,8 @@ You need to configure Check Point to forward Syslog messages in CEF format.
 3. Set **Enable Syslog Streaming** to **yes**.
 4. Click **Send Changes** and **Activate**.
 
+* Pay attention: Timestamp parsing is only supported for UNIX timestamp (UTC). 
+
 More details, see [here](https://campus.barracuda.com/product/cloudgenfirewall/doc/96026562/how-to-configure-syslog-streaming/)
 ## Collect Events from Vendor
 
@@ -18,9 +20,8 @@ To create or configure the Broker VM, use the information described [here](https
 
 You can configure the specific vendor and product for this instance.
 
-
 1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. 
 2. Right-click and select **Syslog Collector** > **Configure**.
 3. When configuring the Syslog Collector, set the following values:
    - vendor as vendor - barracuda
-   - product as product - cgfw
+   - product as product - cgfw
diff --git a/Packs/Barracuda_Cloudgen_Firewall/ReleaseNotes/1_0_1.md b/Packs/Barracuda_Cloudgen_Firewall/ReleaseNotes/1_0_1.md
@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Barracuda Cloudgen Firewall Parsing Rules
+
+- Added a filter for the Parsing Rule to enhance its logic.
diff --git a/Packs/Barracuda_Cloudgen_Firewall/pack_metadata.json b/Packs/Barracuda_Cloudgen_Firewall/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Barracuda Cloudgen Firewall",
     "description": "Barracuda Cloudgen Friewall modeling rule and parsing rule for XSIAM",
     "support": "xsoar",
-    "currentVersion": "1.0.0",
+    "currentVersion": "1.0.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/...luecatAddressManager/ParsingRules/BluecatAddressManager_1_3/BluecatAddressManager_1_3.xif b/...luecatAddressManager/ParsingRules/BluecatAddressManager_1_3/BluecatAddressManager_1_3.xif
@@ -1,15 +1,23 @@
 [INGEST:vendor="bluecat", product="address_manager", target_dataset="bluecat_address_manager_raw", no_hit=keep]
-alter tmp_time1 = arrayindex(regextract(_raw_log,"<\d+>(\w+\s*\d+\s\d+:\d+:\d+)\s"),0),
-        tmp_Year = format_timestamp("%Y",_insert_time)
+filter _raw_log ~= "<\d+>(\w+\s*\d+\s\d+:\d+:\d+)\s"
+| alter 
+    tmp_time1 = arrayindex(regextract(_raw_log,"<\d+>(\w+\s*\d+\s\d+:\d+:\d+)\s"),0),
+    tmp_Year = format_timestamp("%Y",_insert_time)
 // Parsing time format 1
-| alter tmp_time1_1 = concat(tmp_Year, " ", tmp_time1)
-| alter tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_1)
-| alter tmp_timeDiff = timestamp_diff(tmp_time1_1, current_time(), "DAY")
+| alter 
+    tmp_time1_1 = concat(tmp_Year, " ", tmp_time1)
+| alter 
+    tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_1)
+| alter 
+    tmp_timeDiff = timestamp_diff(tmp_time1_1, current_time(), "DAY")
 // Check if the date is a future date
-| alter tmp_Year2 = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_Year),1)),null)
+| alter 
+    tmp_Year2 = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_Year),1)),null)
 // Create timestamp minus 1 year if the timestamp is a future one
-| alter tmp_time1_2 = if(tmp_Year2 != null, concat(tmp_Year2, " ", tmp_time1), null)
-| alter tmp_time1_2 = if(tmp_time1_2 != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_2), null)
+| alter 
+    tmp_time1_2 = if(tmp_Year2 != null, concat(tmp_Year2, " ", tmp_time1), null)
+| alter 
+    tmp_time1_2 = if(tmp_time1_2 != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_2), null)
 // final result
 | alter _time = coalesce(tmp_time1_2, tmp_time1_1)
 | fields -tmp_time1, tmp_Year, tmp_Year2, tmp_timeDiff, tmp_time1_1, tmp_time1_2;
diff --git a/Packs/BluecatAddressManager/ReleaseNotes/1_1_11.md b/Packs/BluecatAddressManager/ReleaseNotes/1_1_11.md
@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Bluecat Address Manager
+
+- Added a filter for the Parsing Rule to enhance its logic.
diff --git a/Packs/BluecatAddressManager/pack_metadata.json b/Packs/BluecatAddressManager/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Bluecat Address Manager",
     "description": "Use the BlueCat Address Manager integration to enrich IP addresses and manage response policies.",
     "support": "xsoar",
-    "currentVersion": "1.1.10",
+    "currentVersion": "1.1.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/Box/ParsingRules/BoxEventCollectorParsingRules/BoxEventCollectorParsingRules.xif b/Packs/Box/ParsingRules/BoxEventCollectorParsingRules/BoxEventCollectorParsingRules.xif
@@ -1,8 +1,9 @@
 [INGEST:vendor="box", product="box", target_dataset="box_box_raw", no_hit=keep]
-alter 
+filter created_at ~= "\d{4}-\d{2}-\d{2}T"
+| alter 
     tmp_create_at_string = to_string(created_at)
 | alter 
-    tmp_parse_created =  if(created_at ~= "\d{4}-\d{2}-\d{2}T", parse_timestamp("%Y-%m-%dT%H:%M:%S%Ez", tmp_create_at_string), _insert_time)
+    tmp_parse_created = parse_timestamp("%Y-%m-%dT%H:%M:%S%Ez", tmp_create_at_string)
 | alter 
     _time = tmp_parse_created
 | fields -tmp_create_at_string, tmp_parse_created;
diff --git a/Packs/Box/ReleaseNotes/3_1_28.md b/Packs/Box/ReleaseNotes/3_1_28.md
@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### BoxEventCollector Parsing Rule
+
+- Added a filter for the Parsing Rule to enhance its logic.
diff --git a/Packs/Box/pack_metadata.json b/Packs/Box/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Box",
     "description": "Manage Box users",
     "support": "xsoar",
-    "currentVersion": "3.1.27",
+    "currentVersion": "3.1.28",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",