Parsingrule Update 6

Packs/Okta/ParsingRules/Okta/Okta.xif

@@ -1,2 +1,3 @@
 [INGEST:vendor="okta", product="okta", target_dataset="okta_okta_raw" , no_hit=keep]
-alter _time = published;
+filter published ~= ".*T\d{2}:\d{2}:\d{2}[\.\dZ]+"
+| alter _time = published;

Packs/Okta/README.md

@@ -1,3 +1,6 @@
+# Okta
+This pack includes Cortex XSIAM content.
+
 Okta integrates with Palo Alto Network’s Cortex XSOAR to help security analysts better understand and get in front of threats as they emerge. Okta enrichment gives security teams visibility into each user’s groups and roles, what apps and data they can access, and other contextual information that can streamline the investigation process for rapid response. For example, when a suspicious log-in from a new device or location is detected, security teams can automatically restricting access to sensitive applications, prompt step-up authentication, force a password reset, or suspend a compromised account.
 
 ## **Orchestrate and automate an informed security response**
@@ -9,3 +12,5 @@ With Okta + Cortex XSOAR working together, enterprises can provide better integr
 - Prioritize alerts and orchestrate informed security responses in order of importance
 - Contain and remediate threats quickly and decisively, through a range of automated identity-centric actions
 - Enhance your visibility and response by enabling identity as a key control point
+
+* Pay attention: Timestamp parsing is supported with **T** and **Z** notation for the UTC format.

Packs/Okta/ReleaseNotes/3_1_24.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Okta Parsing Rule
+
+Added a filter for the Parsing Rule to enhance its logic.

Packs/Okta/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Okta",
     "description": "Integration with Okta's cloud-based identity management service.",
     "support": "xsoar",
-    "currentVersion": "3.1.23",
+    "currentVersion": "3.1.24",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/OktaOAG/ParsingRules/OktaOAGParsingRules/OktaOAGParsingRules.xif

@@ -1,12 +1,11 @@
 [INGEST:vendor="okta", product="oag", target_dataset="okta_oag_raw", no_hit=keep]
-alter 
-    tmp_date_part = arraystring(regextract(_raw_log, "^(\d{4}\-\d{2}\-\d{2})T"), ""),
-    tmp_time_part = arraystring(regextract(_raw_log, "T(\d{2}\:\d{2}\:\d{2})\."), ""),
-    tmp_mili_part = arraystring(regextract(_raw_log, "\.(\d{3})[\-|\+]"), "")
+filter _raw_log ~= "^(\d{4}\-\d{2}\-\d{2})[\s\w]\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}"
 | alter 
-    tmp_time_format = to_string(to_epoch(parse_timestamp("%Y-%m-%d %H:%M:%S", arraystring(arraycreate(tmp_date_part, tmp_time_part), " ")), "seconds"))
+    tmp_date_part = arraystring(regextract(_raw_log, "^(\d{4}\-\d{2}\-\d{2})[\s\w]\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}"), ""),
+    tmp_time_part = arraystring(regextract(_raw_log, "^\d{4}\-\d{2}\-\d{2}[\s\w](\d{2}:\d{2}:\d{2})\.\d{3}[+-]\d{2}:\d{2}"), ""),
+    tmp_mili_zone_part = arraystring(regextract(_raw_log, "^\d{4}\-\d{2}\-\d{2}[\s\w]\d{2}:\d{2}:\d{2}(\.\d{3}[+-]\d{2}:\d{2})"), "")
 | alter 
-    tmp_timeseconds_string = to_integer(arraystring(arraycreate(tmp_time_format, tmp_mili_part), ""))
+    tmp_timestamp_format = concat(tmp_date_part, " ", arraystring(arraycreate(tmp_time_part, tmp_mili_zone_part), ""))
 | alter 
-    _time = to_timestamp(tmp_timeseconds_string, "millis")
-| fields -tmp_date_part, tmp_time_part, tmp_mili_part, tmp_time_format, tmp_timeseconds_string;
+    _time = parse_timestamp("%Y-%m-%d %H:%M:%E3S%Ez", tmp_timestamp_format)
+| fields -tmp_date_part, tmp_time_part, tmp_mili_zone_part, tmp_timestamp_format;

Packs/OktaOAG/README.md

@@ -19,6 +19,8 @@ This pack includes Cortex XSIAM content.
 6. Click ***Validate Forwarder***. The Access Gateway then attempts to validate the remote logger connection information. If required, correct any input errors. On successful validation, the **Validate Forwarder** button changes to **Forwarder Validated**.
 7. Click **Okay**. The log forwarder definition appears in the list of log forwarders.
 
+* Pay attention: Timestamp support is available for the format **%Y-%m-%d{Key}%H:%M:%E3S%Ez**.
+
 ## Collect Events from Vendor
 
 In order to use the collector, you can use the following option to collect events from the vendor:

Packs/OktaOAG/ReleaseNotes/1_0_5.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### OktaOAG Parsing Rule
+
+Added a filter for the Parsing Rule to enhance its logic.

Packs/OktaOAG/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Okta Access Gateway",
     "description": "Okta Access Gateway is a reverse proxy based virtual application, designed to secure web applications that don't natively support SAML or OIDC.",
     "support": "xsoar",
-    "currentVersion": "1.0.4",
+    "currentVersion": "1.0.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Oracle/ParsingRules/Oracle/Oracle.xif

@@ -1,2 +1,3 @@
 [INGEST:vendor="oracle", product="db", target_dataset="oracle_db_raw", no_hit=keep]
-alter _time = EVENT_TIMESTAMP_UTC;
+filter to_string(EVENT_TIMESTAMP_UTC) ~= ".*\d{2}:\d{2}:\d{2}.*"
+| alter _time = EVENT_TIMESTAMP_UTC;

Packs/Oracle/ReleaseNotes/1_0_4.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Oracle
+
+Added a filter for the Parsing Rule to enhance its logic.

Packs/Oracle/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Oracle",
     "description": "The modeling rules for Oracle event collectors.",
     "support": "xsoar",
-    "currentVersion": "1.0.3",
+    "currentVersion": "1.0.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",