diff --git a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
index cd48240fc187..1063c6dcd656 100644
--- a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
+++ b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
@@ -1,14 +1,20 @@
 [INGEST:vendor="juniper", product="srx", target_dataset="juniper_srx_raw", no_hit = keep]
-// event time 1
-alter tmp_event_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0)
- ,tmp_year = format_timestamp("%Y",_insert_time )
-| alter tmp_event_time1 = parse_timestamp("%b %d %H:%M:%S %Y",concat(tmp_event_time1, " ", tmp_year))
-// event time 2
-| alter tmp_split_event_time2 = split(arrayindex(regextract(_raw_log , "\>\d+\s+(\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+)"),0),".")
-| alter tmp_time2_epoch_s = to_epoch(parse_timestamp("%Y-%m-%dT%H:%M:%S", arrayindex(tmp_split_event_time2 ,0)), "millis")
- ,tmp_time2_epoch_ms = to_integer(arrayindex(tmp_split_event_time2 , 1))
-| alter tmp_cc = add(tmp_time2_epoch_s , tmp_time2_epoch_ms )
-| alter tmp_event_time2 = to_timestamp(tmp_cc, "millis")
-//
-| alter _time = coalesce(tmp_event_time1, tmp_event_time2)
-| fields - tmp_event_time1 , tmp_year , tmp_event_time2 , tmp_time2_epoch_ms , tmp_time2_epoch_s , tmp_cc , tmp_split_event_time2;
\ No newline at end of file
+// Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: MMM dd hh:mm:ss. For example: "2021-12-08T10:00:00.665" or "Nov 10 10:00:00".
+filter _raw_log ~= "\w+\s+\d+\s+\d+\:\d+\:\d+" or _raw_log ~= "\>\d+\s+\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+"
+// Parsing time format 1
+| alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0),
+ tmp_Year = format_timestamp("%Y",_insert_time)
+| alter tmp_time1_1 = concat(tmp_Year, " ", tmp_time1)
+| alter tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_1)
+| alter tmp_timeDiff = timestamp_diff(tmp_time1_1, current_time(), "DAY")
+// Check if the date is a future date
+| alter tmp_Year2 = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_Year),1)),null)
+// Create timestamp minus 1 year if the timestamp is a future one
+| alter tmp_time1_2 = if(tmp_Year2 != null, concat(tmp_Year2, " ", tmp_time1), null)
+| alter tmp_time1_2 = if(tmp_time1_2 != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_2), null)
+| alter tmp_time1 = coalesce(tmp_time1_2, tmp_time1_1)
+// Parsing time format 2
+| alter tmp_time2 = arrayindex(regextract(_raw_log , "\>\d+\s+(\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+)"),0)
+| alter tmp_time2 = parse_timestamp("%Y-%m-%dT%H:%M:%E3S", tmp_time2)
+| alter _time = coalesce(tmp_time1, tmp_time2)
+| fields -tmp_time1, tmp_Year, tmp_time1_1, tmp_timeDiff, tmp_Year2, tmp_time1_2, tmp_time2;
\ No newline at end of file
diff --git a/Packs/JuniperSRX/README.md b/Packs/JuniperSRX/README.md
index ebb6ea711fd6..aaa0421a71cd 100644
--- a/Packs/JuniperSRX/README.md
+++ b/Packs/JuniperSRX/README.md
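Review bot: The format-1 half of the new `filter` on the first added line is unanchored, while the extraction regex feeding `tmp_time1` is anchored with `^`, so a log that only carries `\w+\s+\d+\s+\d+:\d+:\d+` somewhere mid-message passes the filter but yields a null `tmp_time1`; if it also lacks the format-2 prefix, `_time` is assigned the null result of `coalesce` instead of taking the `no_hit = keep` path (what the platform does with an explicitly null `_time` is not visible here, so this is hedged). Anchoring the filter the same way as the extractor keeps the two in step: `filter _raw_log ~= "^\w+\s+\d+\s+\d+\:\d+\:\d+" or _raw_log ~= "\>\d+\s+\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+"`. The year-rollback check derives `tmp_Year` from `_insert_time` but measures the future offset against `current_time()`, so for events parsed noticeably later than they were received the two clocks can disagree; using `_insert_time` in `timestamp_diff` would be self-consistent. It would also help to state in the header comment that, because the diff is taken in whole days, a device clock more than a day ahead of the collector is silently dated one year back rather than rejected.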
@@ -1,3 +1,29 @@
+# Juniper SRX
+This pack includes Cortex XSIAM content.
+
+## Configuration on Server Side
+You need to configure your Juniper SRX device to forward Syslog messages.
+
+Perform the following in order to configure log forwarding:
+1. Log in to the Juniper SRX device CLI console.
+2. Run the below command:
+```bash
+set system syslog host any any
+```
+The instructions above set the logging with default configuration values.
+
+
+Note: In order to parse the timestamp correctly, make sure that the SRX devices are configured with the default time zone (UTC).
+The supported time formats are:
+- yyyy-MM-ddThh:mm:%E3S (2021-12-08T10:00:00.665)
+- MMM dd hh:mm:ss (Nov 10 10:00:00)
+
+More information can be found [here](https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-System-Logging?language=en_US) and [here](https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Logging?language=en_US).
+
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
 ### Broker VM
 You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).\
 You can configure the specific vendor and product for this instance.
@@ -6,3 +32,4 @@ You can configure the specific vendor and product for this instance.
 3. When configuring the Syslog Collector, set:
 - vendor as vendor<- juniper
 - product as product<- srx
+
\ No newline at end of file
diff --git a/Packs/JuniperSRX/ReleaseNotes/1_0_9.md b/Packs/JuniperSRX/ReleaseNotes/1_0_9.md
new file mode 100644
index 000000000000..410fa95d29d9
--- /dev/null
+++ b/Packs/JuniperSRX/ReleaseNotes/1_0_9.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### JuniperSRX Parsing Rule
+Added a filter in the parsing rule to enhance its logic.
diff --git a/Packs/JuniperSRX/pack_metadata.json b/Packs/JuniperSRX/pack_metadata.json
index ce204980cc06..14ee804cc4f9 100644
--- a/Packs/JuniperSRX/pack_metadata.json
+++ b/Packs/JuniperSRX/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "JuniperSRX",
 "description": "Modeling Rules for the JuniperSRX logs collector",
 "support": "xsoar",
- "currentVersion": "1.0.8",
+ "currentVersion": "1.0.9",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif b/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif
index f36b1813eac6..10a1caf14563 100644
--- a/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif
+++ b/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif
@@ -1,5 +1,6 @@
 [INGEST:vendor="sonicwall", product="ns", target_dataset="sonicwall_ns_raw", no_hit=keep]
-filter _raw_log contains "UTC"
-|alter timestamp=arrayindex(regextract(_raw_log,"time\=\"([^=]+)\sUTC\""),0)
-|alter _time=parse_timestamp("%Y-%m-%d %H:%M:%S", timestamp)
-|fields -timestamp;
\ No newline at end of file
+// Support only date time of format: yyyy-MM-dd hh:mm:ss. For example: "2021-12-08 10:00:00".
+filter _raw_log ~= "time\=\"(\d{4,}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\sUTC\""
+| alter timestamp = arrayindex(regextract(_raw_log,"time\=\"([^=]+)\sUTC\""),0)
+| alter _time = parse_timestamp("%Y-%m-%d %H:%M:%S", timestamp)
+| fields -timestamp;
\ No newline at end of file
diff --git a/Packs/SonicWallNSv/README.md b/Packs/SonicWallNSv/README.md
index 3bee5c53d7aa..81823624f4e1 100644
--- a/Packs/SonicWallNSv/README.md
+++ b/Packs/SonicWallNSv/README.md
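Review bot: In the SonicWall parsing rule, the new `filter` checks the timestamp shape with `\d{4,}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}`, but the extraction on the following line keeps the old `[^=]+` capture, so the string handed to `parse_timestamp` is not guaranteed to be the one the filter validated (for example if `[^=]+` latches onto a different `time="` occurrence in the message — hedged, that depends on the actual SonicWall layout). Reusing the precise capture for extraction removes the discrepancy: `| alter timestamp = arrayindex(regextract(_raw_log,"time\=\"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\sUTC\""),0)`. The `\d{4,}` in the filter also admits years of five or more digits, which the `yyyy` in the header comment does not describe and `%Y` is unlikely to parse; `\d{4}` matches the documented format.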
@@ -11,7 +11,10 @@ To configure the Sonicwall NSv to send Syslog to XSIAM server (Broker VM), use t
 To configure Sonicwall to send logs in UTC formats please do the following:
 1. Navigate to "Logs" -> "Syslog" -> "Syslog Settings"
 2. Turn on "Display Syslog Timestamp in UTC"
-
+
+Note: In order to parse the timestamp correctly, make sure that the timestamp is displayed in UTC.
+The supported time format is yyyy-MM-dd hh:mm:ss (2021-12-08 10:00:00).
+
 ## Collect Events from Vendor
 In order to use the collector, use the [Broker VM](#broker-vm) option.
diff --git a/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md b/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md
new file mode 100644
index 000000000000..988dbfce871d
--- /dev/null
+++ b/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### SonicwallNSv Parsing Rule
+Added a filter in the parsing rule to enhance its logic.
diff --git a/Packs/SonicWallNSv/pack_metadata.json b/Packs/SonicWallNSv/pack_metadata.json
index 8eeccd806ab5..91314430875b 100644
--- a/Packs/SonicWallNSv/pack_metadata.json
+++ b/Packs/SonicWallNSv/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "SonicWall NSv",
 "description": "The SonicWall NSv Series virtual firewall offers all the security advantages of a physical firewall with the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management and cost reduction.",
 "support": "xsoar",
- "currentVersion": "1.0.0",
+ "currentVersion": "1.0.1",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif b/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
index 382ca6614157..62cdd9a3fbb1 100644
--- a/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
+++ b/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
@@ -1,2 +1,3 @@
 [INGEST:vendor="tenable", product="io", target_dataset="tenable_io_raw", no_hit=keep]
- alter _time = coalesce(received, indexed);
\ No newline at end of file
+filter to_string(received) ~= "\d{2}:\d{2}:\d{2}.*" or to_string(indexed) ~= "\d{2}:\d{2}:\d{2}.*"
+| alter _time = coalesce(received, indexed);
\ No newline at end of file
diff --git a/Packs/Tenable_io/ReleaseNotes/2_1_10.md b/Packs/Tenable_io/ReleaseNotes/2_1_10.md
new file mode 100644
index 000000000000..138f9c4e35c5
--- /dev/null
+++ b/Packs/Tenable_io/ReleaseNotes/2_1_10.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### Tenable.io Parsing Rule
+Added a filter in the parsing rule to enhance its logic.
diff --git a/Packs/Tenable_io/pack_metadata.json b/Packs/Tenable_io/pack_metadata.json
index 21091915b20b..83d54ec6cae8 100644
--- a/Packs/Tenable_io/pack_metadata.json
+++ b/Packs/Tenable_io/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Tenable.io",
 "description": "A comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications.",
 "support": "xsoar",
- "currentVersion": "2.1.9",
+ "currentVersion": "2.1.10",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
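Review bot: In the Tenable.io parsing rule, the new `filter` admits an event when either `received` or `indexed` contains an `hh:mm:ss` fragment, but the `coalesce` on the next line still takes `received` whenever it is non-null, so a malformed `received` next to a well-formed `indexed` passes the filter and is assigned to `_time` anyway. Guarding the first argument keeps the assignment consistent with what the filter checked: `| alter _time = coalesce(if(to_string(received) ~= "\d{2}:\d{2}:\d{2}", received, null), indexed);`. The trailing `.*` in both patterns is a no-op under an unanchored `~=` match and can be dropped. A header comment naming the format `received` and `indexed` are expected to carry would also help, since they are assigned to `_time` without any `parse_timestamp` and so are presumably already timestamp-typed — worth confirming against the Tenable export.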