forked from demisto/content
-
Notifications
You must be signed in to change notification settings - Fork 13
/
MicrosoftDNS.xif
20 lines (18 loc) · 1018 Bytes
/
MicrosoftDNS.xif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[INGEST:vendor="microsoft", product="windows", target_dataset="microsoft_dns_raw", no_hit=drop]
// Support only date time of format: MM/dd/yyyy hh:mm:ss [AM|PM]. For example: 6/10/2022 5:11:49 AM
filter _raw_log ~= "\d+\/\d+\/\d+\s\d+\:\d+\:\d+ \w{2}"
| alter
tmp_time_String1 = arrayindex(regextract(_raw_log,"\d+\/\d+\/\d+\s\d+\:\d+\:\d+ \w{2}" ),0)
| alter
tmp_event_time1 = parse_timestamp("%m/%d/%Y %I:%M:%S %p",tmp_time_String1)
// 30/01/2023 13:18:25
| alter
tmp_time_String2 = arrayindex(regextract(_raw_log,"\d+\/\d+\/\d+\s\d+\:\d+\:\d+" ),0)
| alter
tmp_event_time2 = parse_timestamp("%d/%m/%Y %H:%M:%S",tmp_time_String2)
| alter
_time = coalesce(tmp_event_time1,tmp_event_time2)
| fields - tmp_time_String1, tmp_event_time1,tmp_time_String2, tmp_event_time2;
filter _raw_log = null AND to_string(time_created) ~= ".*\d{2}:\d{2}:\d{2}.*" AND (provider_name = "Microsoft-Windows-DNSServer" OR provider_name = "Microsoft-Windows-DNS-Server-Service")
| alter
_time = time_created;