From a19adb8a7548cd10dab1cfbcceacf63dffd6cbcc Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Mon, 24 Jul 2023 13:01:57 +0300
Subject: [PATCH 01/13] Updated parsing rules for JuniperSRX
---
 .../ParsingRules/JuniperSRX/JuniperSRX.xif | 31 +++++++++++--------
 Packs/JuniperSRX/README.md | 27 ++++++++++++++++
 2 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
index cd48240fc187..ae9f0a768621 100644
--- a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
+++ b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
@@ -1,14 +1,19 @@ [INGEST:vendor="juniper", product="srx", target_dataset="juniper_srx_raw", no_hit = keep] -// event time 1 -alter tmp_event_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0) - ,tmp_year = format_timestamp("%Y",_insert_time ) -| alter tmp_event_time1 = parse_timestamp("%b %d %H:%M:%S %Y",concat(tmp_event_time1, " ", tmp_year)) -// event time 2 -| alter tmp_split_event_time2 = split(arrayindex(regextract(_raw_log , "\>\d+\s+(\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+)"),0),".") -| alter tmp_time2_epoch_s = to_epoch(parse_timestamp("%Y-%m-%dT%H:%M:%S", arrayindex(tmp_split_event_time2 ,0)), "millis") - ,tmp_time2_epoch_ms = to_integer(arrayindex(tmp_split_event_time2 , 1)) -| alter tmp_cc = add(tmp_time2_epoch_s , tmp_time2_epoch_ms ) -| alter tmp_event_time2 = to_timestamp(tmp_cc, "millis") -// -| alter _time = coalesce(tmp_event_time1, tmp_event_time2) -| fields - tmp_event_time1 , tmp_year , tmp_event_time2 , tmp_time2_epoch_ms , tmp_time2_epoch_s , tmp_cc , tmp_split_event_time2; \ No newline at end of file +// // Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: MMM dd hh:mm:ss. For example: "2021-12-08T10:00:00.665" or "Nov 10 10:00:00". 
+// Parsing time format 1 +alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0), + tmp_year = format_timestamp("%Y",_insert_time) +| alter tmp_time1_1 = concat(tmp_Year, " ", tmp_time1) +| alter tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_1) +| alter tmp_timeDiff = timestamp_diff(tmp_time1_1, current_time(), "DAY") +// Check if the date is a future date +| alter tmp_Year2 = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_Year),1)),null) +// Create timestamp minus 1 year if the timestamp is a future one +| alter tmp_time1_2 = if(tmp_Year2 != null, concat(tmp_Year2, " ", tmp_time1), null) +| alter tmp_time1_2 = if(tmp_time1_2 != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_2), null) +| alter tmp_time1 = coalesce(tmp_time1_2, tmp_time1_1) +// Parsing time format 2 +| alter tmp_time2 = arrayindex(regextract(_raw_log , "\>\d+\s+(\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+)"),0) +| alter tmp_time2 = parse_timestamp("%Y-%m-%dT%H:%M:%E3S", tmp_time2) +| alter _time = coalesce(tmp_time1, tmp_time2) +| fields -tmp_time1, tmp_year, tmp_time1_1, tmp_timeDiff, tmp_Year2, tmp_time1_2, tmp_time2; \ No newline at end of file diff --git a/Packs/JuniperSRX/README.md b/Packs/JuniperSRX/README.md index ebb6ea711fd6..aaa0421a71cd 100644 --- a/Packs/JuniperSRX/README.md +++ b/Packs/JuniperSRX/README.md 
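Review bot: Both branches of the new `_time` derivation parse timestamps that carry no timezone (`%Y %b %e %H:%M:%S` and `%Y-%m-%dT%H:%M:%E3S`), so the result is only correct under the README's requirement that the SRX logs in UTC, and that assumption is not stated anywhere in the rule itself; a header line such as `// Neither format carries a timezone; values are parsed as UTC (device must log in UTC, see README).` above the format-1 block would make the dependency visible to whoever next edits this file. The year-rollover heuristic also deserves a comment, since its behaviour is not obvious from `tmp_timeDiff > 0`: something like `// A format-1 timestamp at least a day ahead of now (timestamp_diff in DAY units) is assumed to be from the previous year (Dec/Jan boundary); a device clock skewed further ahead will have its events moved back a full year.` Separately, `tmp_year` is assigned in the first `alter` but `tmp_Year` is read by the `concat` and `to_integer` calls; that case mismatch is corrected in patch 02 of this series.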
@@ -1,3 +1,29 @@ +# Juniper SRX +This pack includes Cortex XSIAM content. + +## Configuration on Server Side +You need to configure your Juniper SRX device to forward Syslog messages. + +Perform the following in order to configure log forwarding: +1. Log in to the Juniper SRX device CLI console. +2. Run the below command: +```bash +set system syslog host any any +``` +The instructions above set the logging with default configuration values. + + +Note: In order to parse the timestamp correctly, make sure that the SRX devices are configured with the default time zone (UTC). +The supported time formats are: +- yyyy-MM-ddThh:mm:%E3S (2021-12-08T10:00:00.665) +- MMM dd hh:mm:ss (Nov 10 10:00:00) + +More information can be found [here](https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-System-Logging?language=en_US) and [here](https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Logging?language=en_US). + + +## Collect Events from Vendor +In order to use the collector, use the [Broker VM](#broker-vm) option. + ### Broker VM You will need to use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).\ You can configure the specific vendor and product for this instance. @@ -6,3 +32,4 @@ You can configure the specific vendor and product for this instance. 3. When configuring the Syslog Collector, set: - vendor as vendor<- juniper - product as product<- srx + \ No newline at end of file From 02441c53ffed1f0d9fc2d507abf0015426a91499 Mon Sep 17 00:00:00 2001 
From: Yehonatan Asta Date: Mon, 24 Jul 2023 14:52:40 +0300 Subject: [PATCH 02/13] Removed extra // from the comment and added release note --- Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif | 6 +++--- Packs/JuniperSRX/ReleaseNotes/1_0_9.md | 3 +++ Packs/JuniperSRX/pack_metadata.json | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 Packs/JuniperSRX/ReleaseNotes/1_0_9.md diff --git a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif index ae9f0a768621..ab11ff0dacc9 100644 --- a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif +++ b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif @@ -1,8 +1,8 @@ [INGEST:vendor="juniper", product="srx", target_dataset="juniper_srx_raw", no_hit = keep] -// // Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: MMM dd hh:mm:ss. For example: "2021-12-08T10:00:00.665" or "Nov 10 10:00:00". +// Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: MMM dd hh:mm:ss. For example: "2021-12-08T10:00:00.665" or "Nov 10 10:00:00". // Parsing time format 1 alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0), - tmp_year = format_timestamp("%Y",_insert_time) + tmp_Year = format_timestamp("%Y",_insert_time) | alter tmp_time1_1 = concat(tmp_Year, " ", tmp_time1) | alter tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_1) | alter tmp_timeDiff = timestamp_diff(tmp_time1_1, current_time(), "DAY") 
@@ -16,4 +16,4 @@ alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+) | alter tmp_time2 = arrayindex(regextract(_raw_log , "\>\d+\s+(\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+)"),0) | alter tmp_time2 = parse_timestamp("%Y-%m-%dT%H:%M:%E3S", tmp_time2) | alter _time = coalesce(tmp_time1, tmp_time2) -| fields -tmp_time1, tmp_year, tmp_time1_1, tmp_timeDiff, tmp_Year2, tmp_time1_2, tmp_time2; \ No newline at end of file +| fields -tmp_time1, tmp_Year, tmp_time1_1, tmp_timeDiff, tmp_Year2, tmp_time1_2, tmp_time2; \ No newline at end of file diff --git a/Packs/JuniperSRX/ReleaseNotes/1_0_9.md b/Packs/JuniperSRX/ReleaseNotes/1_0_9.md new file mode 100644 index 000000000000..b7ad59089aab --- /dev/null +++ b/Packs/JuniperSRX/ReleaseNotes/1_0_9.md @@ -0,0 +1,3 @@ +#### Parsing Rules +##### JuniperSRX Parsing Rule +- Added a filter in the parsing rule to enhance its logic. diff --git a/Packs/JuniperSRX/pack_metadata.json b/Packs/JuniperSRX/pack_metadata.json index ce204980cc06..14ee804cc4f9 100644 --- a/Packs/JuniperSRX/pack_metadata.json +++ b/Packs/JuniperSRX/pack_metadata.json @@ -2,7 +2,7 @@ "name": "JuniperSRX", "description": "Modeling Rules for the JuniperSRX logs collector", "support": "xsoar", - "currentVersion": "1.0.8", + "currentVersion": "1.0.9", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 00544c1878fb34df372c51d6b452519978e6f04a Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Mon, 24 Jul 2023 15:19:31 +0300 Subject: [PATCH 03/13] Added filter to SonicWallNSvParsingRules --- .../SonicWallNSvParsingRules.xif | 9 +++++---- Packs/SonicWallNSv/README.md | 5 ++++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif b/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif index f36b1813eac6..10a1caf14563 100644 
--- a/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif
+++ b/Packs/SonicWallNSv/ParsingRules/SonicWallNSvParsingRules/SonicWallNSvParsingRules.xif
@@ -1,5 +1,6 @@
 [INGEST:vendor="sonicwall", product="ns", target_dataset="sonicwall_ns_raw", no_hit=keep]
-filter _raw_log contains "UTC"
-|alter timestamp=arrayindex(regextract(_raw_log,"time\=\"([^=]+)\sUTC\""),0)
-|alter _time=parse_timestamp("%Y-%m-%d %H:%M:%S", timestamp)
-|fields -timestamp;
\ No newline at end of file
+// Support only date time of format: yyyy-MM-dd hh:mm:ss. For example: "2021-12-08 10:00:00".
+filter _raw_log ~= "time\=\"(\d{4,}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\sUTC\""
+| alter timestamp = arrayindex(regextract(_raw_log,"time\=\"([^=]+)\sUTC\""),0)
+| alter _time = parse_timestamp("%Y-%m-%d %H:%M:%S", timestamp)
+| fields -timestamp;
\ No newline at end of file
diff --git a/Packs/SonicWallNSv/README.md b/Packs/SonicWallNSv/README.md
index 3bee5c53d7aa..81823624f4e1 100644
--- a/Packs/SonicWallNSv/README.md
+++ b/Packs/SonicWallNSv/README.md
@@ -11,7 +11,10 @@ To configure the Sonicwall NSv to send Syslog to XSIAM server (Broker VM), use t
 To configure Sonicwall to send logs in UTC formats please do the following:
 1. Navigate to "Logs" -> "Syslog" -> "Syslog Settings"
 2. Turn on "Display Syslog Timestamp in UTC"
-
+
+Note: In order to parse the timestamp correctly, make sure that the timestamp is displayed in UTC.
+The supported time format is yyyy-MM-dd hh:mm:ss (2021-12-08 10:00:00).
+
 ## Collect Events from Vendor
 In order to use the collector, use the [Broker VM](#broker-vm) option.
From d8fe70e078c4ec649a4051a12e069626cb7aea13 Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Mon, 24 Jul 2023 15:55:31 +0300
Subject: [PATCH 04/13] Added release note to SonicWallNSvParsingRules
---
 Packs/SonicWallNSv/pack_metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
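Review bot: The new filter proves that a `time="yyyy-mm-dd hh:mm:ss UTC"` token is present with a strict pattern, but the extractor on the next line still uses the loose `time\=\"([^=]+)\sUTC\"`, so the value handed to `parse_timestamp` is not necessarily the one the filter validated (an earlier `time="` occurrence, or `[^=]+` spanning unrelated text up to a later `UTC"`, can capture something else). Reusing the strict capture keeps the guarantee end to end: `| alter timestamp = arrayindex(regextract(_raw_log,"time\=\"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\sUTC\""),0)`. The filter's `\d{4,}` also admits five-or-more-digit years that `%Y` would not be expected to parse; `\d{4}` matches the documented format exactly. It would be worth a line in the header comment that events lacking a UTC-tagged timestamp no longer reach this rule's `_time` assignment and presumably fall through to the `no_hit=keep` path, since that is a quiet change from the old `contains "UTC"` check.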
diff --git a/Packs/SonicWallNSv/pack_metadata.json b/Packs/SonicWallNSv/pack_metadata.json index 8eeccd806ab5..91314430875b 100644 --- a/Packs/SonicWallNSv/pack_metadata.json +++ b/Packs/SonicWallNSv/pack_metadata.json @@ -2,7 +2,7 @@ "name": "SonicWall NSv", "description": "The SonicWall NSv Series virtual firewall offers all the security advantages of a physical firewall with the operational and economic benefits of virtualization, including system scalability and agility, speed of system provisioning, simple management and cost reduction.", "support": "xsoar", - "currentVersion": "1.0.0", + "currentVersion": "1.0.1", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", From 83b81522ef07376e5946df741f591571fae8fe3d Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Mon, 24 Jul 2023 15:55:38 +0300 Subject: [PATCH 05/13] Added release note to SonicWallNSvParsingRules --- Packs/SonicWallNSv/ReleaseNotes/1_0_1.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 Packs/SonicWallNSv/ReleaseNotes/1_0_1.md diff --git a/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md b/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md new file mode 100644 index 000000000000..1e2a2fc82be8 --- /dev/null +++ b/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md @@ -0,0 +1,3 @@ +#### Parsing Rules +##### SonicwallNSv Parsing Rule +- Added a filter in the parsing rule to enhance its logic. From cf0c1255f4f28fd274b154b84fe753e26af01304 Mon Sep 17 00:00:00 2001 From: Yehonatan Asta Date: Mon, 24 Jul 2023 15:59:52 +0300 Subject: [PATCH 06/13] Added filter to Tenable_ioParsingRules --- .../Tenable_ioParsingRules/Tenable_ioParsingRules.xif | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif b/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif index 382ca6614157..641fde79ae41 100644 
--- a/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
+++ b/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
@@ -1,2 +1,3 @@
 [INGEST:vendor="tenable", product="io", target_dataset="tenable_io_raw", no_hit=keep]
- alter _time = coalesce(received, indexed);
\ No newline at end of file
+filter received != null or indexed!= null
+| alter _time = coalesce(received, indexed);
\ No newline at end of file
From 2bee4ed43d60b7bed0ea4d0de557c7489ff8808d Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Mon, 24 Jul 2023 16:08:57 +0300
Subject: [PATCH 07/13] Added release note to Tenable_ioParsingRules
---
 Packs/Tenable_io/ReleaseNotes/2_1_10.md | 3 +++
 Packs/Tenable_io/pack_metadata.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 Packs/Tenable_io/ReleaseNotes/2_1_10.md
diff --git a/Packs/Tenable_io/ReleaseNotes/2_1_10.md b/Packs/Tenable_io/ReleaseNotes/2_1_10.md
new file mode 100644
index 000000000000..b3ca1828ebee
--- /dev/null
+++ b/Packs/Tenable_io/ReleaseNotes/2_1_10.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### Tenable.io Parsing Rule
+- Added a filter in the parsing rule to enhance its logic.
diff --git a/Packs/Tenable_io/pack_metadata.json b/Packs/Tenable_io/pack_metadata.json
index 21091915b20b..83d54ec6cae8 100644
--- a/Packs/Tenable_io/pack_metadata.json
+++ b/Packs/Tenable_io/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Tenable.io",
 "description": "A comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications.",
 "support": "xsoar",
- "currentVersion": "2.1.9",
+ "currentVersion": "2.1.10",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 0df1a60019cf2cc16fe6f8db8c54cba8e61b597a Mon Sep 17 00:00:00 2001
From: yasta5 <112320333+yasta5@users.noreply.github.com> Date: Tue, 25 Jul 2023 10:37:56 +0300 Subject: [PATCH 08/13] Update Packs/Tenable_io/ReleaseNotes/2_1_10.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Tenable_io/ReleaseNotes/2_1_10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Tenable_io/ReleaseNotes/2_1_10.md b/Packs/Tenable_io/ReleaseNotes/2_1_10.md index b3ca1828ebee..138f9c4e35c5 100644 --- a/Packs/Tenable_io/ReleaseNotes/2_1_10.md +++ b/Packs/Tenable_io/ReleaseNotes/2_1_10.md @@ -1,3 +1,3 @@ #### Parsing Rules ##### Tenable.io Parsing Rule -- Added a filter in the parsing rule to enhance its logic. +Added a filter in the parsing rule to enhance its logic. From cd30335f4e18b32b90db672895821b6798a121c6 Mon Sep 17 00:00:00 2001 From: yasta5 <112320333+yasta5@users.noreply.github.com> Date: Tue, 25 Jul 2023 10:38:15 +0300 Subject: [PATCH 09/13] Update Packs/JuniperSRX/ReleaseNotes/1_0_9.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/JuniperSRX/ReleaseNotes/1_0_9.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/JuniperSRX/ReleaseNotes/1_0_9.md b/Packs/JuniperSRX/ReleaseNotes/1_0_9.md index b7ad59089aab..410fa95d29d9 100644 --- a/Packs/JuniperSRX/ReleaseNotes/1_0_9.md +++ b/Packs/JuniperSRX/ReleaseNotes/1_0_9.md @@ -1,3 +1,3 @@ #### Parsing Rules ##### JuniperSRX Parsing Rule -- Added a filter in the parsing rule to enhance its logic. +Added a filter in the parsing rule to enhance its logic. From e1fd2484fd6f8dc495ce886bce7c90b1db275ec0 Mon Sep 17 00:00:00 2001 From: yasta5 <112320333+yasta5@users.noreply.github.com> Date: Tue, 25 Jul 2023 10:38:22 +0300 Subject: [PATCH 10/13] Update Packs/SonicWallNSv/ReleaseNotes/1_0_1.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/SonicWallNSv/ReleaseNotes/1_0_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md b/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md
index 1e2a2fc82be8..988dbfce871d 100644
--- a/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md
+++ b/Packs/SonicWallNSv/ReleaseNotes/1_0_1.md
@@ -1,3 +1,3 @@
 #### Parsing Rules
 ##### SonicwallNSv Parsing Rule
-- Added a filter in the parsing rule to enhance its logic.
+Added a filter in the parsing rule to enhance its logic.
From 695bb1551b64305c4269622e8d50994a8ec3acce Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Wed, 26 Jul 2023 14:04:16 +0300
Subject: [PATCH 11/13] Modified Tenable_io ParsingRules.
---
 .../Tenable_ioParsingRules/Tenable_ioParsingRules.xif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif b/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
index 641fde79ae41..62cdd9a3fbb1 100644
--- a/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
+++ b/Packs/Tenable_io/ParsingRules/Tenable_ioParsingRules/Tenable_ioParsingRules.xif
@@ -1,3 +1,3 @@
 [INGEST:vendor="tenable", product="io", target_dataset="tenable_io_raw", no_hit=keep]
-filter received != null or indexed!= null
+filter to_string(received) ~= "\d{2}:\d{2}:\d{2}.*" or to_string(indexed) ~= "\d{2}:\d{2}:\d{2}.*"
 | alter _time = coalesce(received, indexed);
\ No newline at end of file
From 08ae6fd0883027b91d9a28d62500a15162bde8e2 Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Thu, 27 Jul 2023 14:34:52 +0300
Subject: [PATCH 12/13] Added filter to juniper srx
---
 Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
index ab11ff0dacc9..29e66bee5c55 100644
--- a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
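Review bot: The added filter accepts an event when either `received` or `indexed` contains an `hh:mm:ss` fragment, but `coalesce(received, indexed)` on the context line always prefers `received` whenever it is non-null, so an event whose `received` is present but fails the pattern while `indexed` passes is kept and `_time` is set from the value the filter never validated. Gating each operand individually keeps the validated field in the result: `| alter _time = coalesce(if(to_string(received) ~= "\d{2}:\d{2}:\d{2}.*", received, null), if(to_string(indexed) ~= "\d{2}:\d{2}:\d{2}.*", indexed, null));`. The pattern is also unanchored and only proves a time-of-day fragment exists somewhere in the string, not that the whole value is a parseable timestamp; if `received`/`indexed` arrive as strings rather than timestamp-typed fields, assigning them to `_time` without a `parse_timestamp` presumably relies on an implicit conversion that should be confirmed and recorded in a comment above the filter.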
+++ b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
@@ -1,7 +1,8 @@
 [INGEST:vendor="juniper", product="srx", target_dataset="juniper_srx_raw", no_hit = keep]
 // Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: MMM dd hh:mm:ss. For example: "2021-12-08T10:00:00.665" or "Nov 10 10:00:00".
+filter _raw_log ~= "\w+\s+\d+\s+\d+\:\d+\:\d+" and _raw_log ~= "\>\d+\s+\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+"
 // Parsing time format 1
-alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0),
+| alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0),
 tmp_Year = format_timestamp("%Y",_insert_time)
 | alter tmp_time1_1 = concat(tmp_Year, " ", tmp_time1)
 | alter tmp_time1_1 = parse_timestamp("%Y %b %e %H:%M:%S", tmp_time1_1)
From 4590493ada84c005031039e5188fb85450c74ba7 Mon Sep 17 00:00:00 2001
From: Yehonatan Asta
Date: Thu, 27 Jul 2023 14:39:25 +0300
Subject: [PATCH 13/13] Added filter to juniper srx
---
 Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
index 29e66bee5c55..1063c6dcd656 100644
--- a/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
+++ b/Packs/JuniperSRX/ParsingRules/JuniperSRX/JuniperSRX.xif
@@ -1,6 +1,6 @@
 [INGEST:vendor="juniper", product="srx", target_dataset="juniper_srx_raw", no_hit = keep]
 // Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: MMM dd hh:mm:ss. For example: "2021-12-08T10:00:00.665" or "Nov 10 10:00:00".
-filter _raw_log ~= "\w+\s+\d+\s+\d+\:\d+\:\d+" and _raw_log ~= "\>\d+\s+\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+"
+filter _raw_log ~= "\w+\s+\d+\s+\d+\:\d+\:\d+" or _raw_log ~= "\>\d+\s+\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+"
 // Parsing time format 1
 | alter tmp_time1 = arrayindex(regextract(_raw_log , "^(\w+\s+\d+\s+\d+\:\d+\:\d+)"),0),
 tmp_Year = format_timestamp("%Y",_insert_time)
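Review bot: The filter's format-1 test `\w+\s+\d+\s+\d+\:\d+\:\d+` is unanchored, while the extractor it is meant to guard on the next context line uses `^(\w+\s+\d+\s+\d+\:\d+\:\d+)`, so a message that merely contains such a fragment mid-line and carries no `>PRI yyyy-mm-ddT…` timestamp passes the filter yet yields a null `tmp_time1` — exactly the case the filter was added to keep out. Anchoring the filter to the same position closes that gap: `filter _raw_log ~= "^\w+\s+\d+\s+\d+\:\d+\:\d+" or _raw_log ~= "\>\d+\s+\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+"`. `\w+` also accepts any word rather than only a month abbreviation, so a non-month prefix still reaches `parse_timestamp("%Y %b %e %H:%M:%S", …)` and presumably comes back null; if that matters, `(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)` in both the filter and the extractor would be stricter and keeps the two patterns in step. The rest of the rule (the future-date correction, the `_time` coalesce and the `fields` cleanup) lies outside this hunk.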