Parsing rules fix filter 3 (demisto#28118)

* Added filter to parsing rule of tanium threat response. * Added release note tanium threat response. * Added a filter to proofpoint tap parsing rule. * Added release note to proofpoint tap parsing rule. * revert proofpoint tap changes. * updated parsing rule of cisco ise * Added release notes. * Added filter to infoblox * Added release note to infoblox * Added release note to infoblox * Added comment to the parsing rules. * Updated the sql query in the readme for oracle
xsoar-contrib · Aug 2, 2023 · 28b1de6 · 28b1de6
1 parent 2c8771f
commit 28b1de6
Show file tree

Hide file tree

Showing 10 changed files with 29 additions and 14 deletions.
diff --git a/Packs/Infoblox/ParsingRules/InfobloxParsingRules/InfobloxParsingRules.xif b/Packs/Infoblox/ParsingRules/InfobloxParsingRules/InfobloxParsingRules.xif
@@ -1,5 +1,7 @@
 [INGEST:vendor="infoblox", product="infoblox", target_dataset="infoblox_infoblox_raw", no_hit=drop]
-alter tmp_time_without_year = arraystring(regextract( _raw_log, "\<\d+\>(\w{3}\s\d{2}\s\d{2}\:\d{2}\:\d{2})\s"), ""), 
+// Support only date time of format: MMM dd hh:mm:ss. For example: "Jan 01 10:00:00".
+filter _raw_log ~= "\<\d+\>\w{3}\s\d{2}\s\d{2}\:\d{2}\:\d{2}\s"
+| alter tmp_time_without_year = arraystring(regextract( _raw_log, "\<\d+\>(\w{3}\s\d{2}\s\d{2}\:\d{2}\:\d{2})\s"), ""),
     tmp_year = to_string(format_timestamp("%Y",current_time()))
 | alter tmp_time_format = arraystring(arraycreate(tmp_year, tmp_time_without_year), " ")
 | alter _time = parse_timestamp("%Y %b %d %H:%M:%S", tmp_time_format)

diff --git a/Packs/Infoblox/ReleaseNotes/1_0_17.md b/Packs/Infoblox/ReleaseNotes/1_0_17.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### Infoblox Parsing Rule
+- Added a filter in the parsing rule to enhance its logic.
diff --git a/Packs/Infoblox/pack_metadata.json b/Packs/Infoblox/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Infoblox NIOS",
     "description": "Infoblox enables you to receive metadata about IPs in your network and manages the DNS Firewall by configuring RPZs. It defines RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses.",
     "support": "xsoar",
-    "currentVersion": "1.0.16",
+    "currentVersion": "1.0.17",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/TaniumThreatResponse/ParsingRules/TaniumThreatResponse/TaniumThreatResponse.xif b/Packs/TaniumThreatResponse/ParsingRules/TaniumThreatResponse/TaniumThreatResponse.xif
@@ -1,2 +1,4 @@
 [INGEST:vendor="tanium", product="threat_response", target_dataset="tanium_threat_response_raw", no_hit = keep]
-alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", json_extract_scalar(_raw_log, "$.Timestamp"));
+// Support only date time of format: yyyy-MM-ddThh:mm:ss.nnnZ. For example: "2022-01-01T10:00:00.000Z".
+filter json_extract_scalar(_raw_log, "$.Timestamp") ~= "\d+-\d+-\d+T\d+:\d+:\d+\.\d{3}Z"
+| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", json_extract_scalar(_raw_log, "$.Timestamp"));
diff --git a/Packs/TaniumThreatResponse/ReleaseNotes/2_2_4.md b/Packs/TaniumThreatResponse/ReleaseNotes/2_2_4.md
@@ -0,0 +1,4 @@
+#### Parsing Rules
+##### Tanium Threat Response
+- Added a filter in the parsing rule to enhance its logic.
+
diff --git a/Packs/TaniumThreatResponse/pack_metadata.json b/Packs/TaniumThreatResponse/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Tanium Threat Response",
     "description": "Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.",
     "support": "xsoar",
-    "currentVersion": "2.2.3",
+    "currentVersion": "2.2.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/cisco-ise/ParsingRules/cisco-ise/cisco-ise.xif b/Packs/cisco-ise/ParsingRules/cisco-ise/cisco-ise.xif
@@ -1,6 +1,9 @@
 [INGEST:vendor="cisco", product="ise", target_dataset="cisco_ise_raw", no_hit=keep]
-alter tmp_time2 = arrayindex(regextract(_raw_log,"<\d+>(\w+\s*\d+\s\d+:\d+:\d+)\s"),0),
-        tmp_time1 = arrayindex(regextract(_raw_log,"(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})\s"),0),
+// Support only date time of format: MMM dd hh:mm:ss or format: yyyy-MM-dd hh:mm:ss.nnn [+|-]nn:nn or format: yyyy-MM-dd hh:mm:ss.nnn [+|-]nnnn. For example: "Jan 01 10:00:00" or "2022-01-01 10:00:00.123 +03:00" or "2022-01-01 10:00:00.123 +0300".
+filter _raw_log ~= "<\d+>\w+\s*\d+\s\d+:\d+:\d+\s" or _raw_log ~= "\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3}\s[+|-]\d+:?\d+\s"
+| alter
+        tmp_time2 = arrayindex(regextract(_raw_log,"<\d+>(\w+\s*\d+\s\d+:\d+:\d+)\s"),0),
+        tmp_time1 = arrayindex(regextract(_raw_log,"(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3}\s[+|-]\d+:?\d+)\s"),0),
         tmp_Year = format_timestamp("%Y",_insert_time)
 // Parsing time format 2
 | alter tmp_time2_1 = concat(tmp_Year, " ", tmp_time2)
@@ -10,10 +13,6 @@ alter tmp_time2 = arrayindex(regextract(_raw_log,"<\d+>(\w+\s*\d+\s\d+:\d+:\d+)\
 | alter tmp_time2_2 = if(tmp_Year2 != null, concat(tmp_Year2, " ", tmp_time2), null)
 | alter tmp_time2_2 = if(tmp_time2_2 != null, parse_timestamp("%Y %b %e %H:%M:%S", tmp_time2_2), null)
 // Parsing time format 1
-| alter tmp_splitStr = split(tmp_time1 , ".")
-| alter tmp_time1 = to_string(to_epoch(parse_timestamp("%Y-%m-%d %H:%M:%S", arrayindex(tmp_splitStr ,0)), "seconds")),
-        tmp_epoch_ms = to_string(arrayindex(regextract(arrayindex(tmp_splitStr, 1),"^(\d{3})"),0))
-| alter tmp_time1 = concat(tmp_time1 , tmp_epoch_ms)
-| alter tmp_time1 = to_timestamp(to_integer(tmp_time1), "millis")
+| alter tmp_time1 = parse_timestamp("%Y-%m-%d %H:%M:%E3S %Ez", tmp_time1)
 | alter _time = coalesce(tmp_time1, tmp_time2_2, tmp_time2_1)
-| fields -tmp_time1, tmp_time2, tmp_splitStr, tmp_epoch_ms, tmp_Year, tmp_Year2, tmp_time2_1, tmp_time2_2, tmp_timeDiff;
+| fields -tmp_time1, tmp_time2, tmp_Year, tmp_Year2, tmp_time2_1, tmp_time2_2, tmp_timeDiff;
diff --git a/Packs/cisco-ise/ParsingRules/cisco-ise/cisco-ise.yml b/Packs/cisco-ise/ParsingRules/cisco-ise/cisco-ise.yml
@@ -1,6 +1,6 @@
 id: Cisco_ISE
 name: Cisco ISE
-fromversion: 6.10.0
+fromversion: 8.2.0
 tags: []
 rules: ''
 samples: ''
diff --git a/Packs/cisco-ise/ReleaseNotes/1_0_12.md b/Packs/cisco-ise/ReleaseNotes/1_0_12.md
@@ -0,0 +1,5 @@
+#### Parsing Rules
+##### Cisco ISE
+- Added a filter in the parsing rule to enhance its logic.
+- Improved implementation of _time parsing.
+
diff --git a/Packs/cisco-ise/pack_metadata.json b/Packs/cisco-ise/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cisco ISE",
     "description": "Next-generation secure network access.",
     "support": "xsoar",
-    "currentVersion": "1.0.11",
+    "currentVersion": "1.0.12",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",