Microsoft DNS Parsing Rule Drop (demisto#29765)

* Updated ParsingRules

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated pack_metadata

* Updated pack_metadata

* Updated pack_metadata

* Updated README

* Updated README

* Updated README

Packs/MicrosoftADFS/pack_metadata.json

@@ -12,6 +12,12 @@
     "tags": [],
     "useCases": [],
     "keywords": [],
+    "dependencies": {
+        "MicrosoftWindowsEvents": {
+            "mandatory": true,
+            "display_name": "Microsoft Windows Event Logs"
+        }
+    },
     "marketplaces": [
         "marketplacev2"
     ]

Packs/MicrosoftDNS/ParsingRules/MicrosoftDNS/MicrosoftDNS.xif

@@ -1,4 +1,4 @@
-[INGEST:vendor="microsoft", product="windows", target_dataset="microsoft_dns_raw", no_hit=keep]
+[INGEST:vendor="microsoft", product="windows", target_dataset="microsoft_dns_raw", no_hit=drop]
 // Support only date time of format: MM/dd/yyyy hh:mm:ss [AM|PM]. For example: 6/10/2022 5:11:49 AM
 filter _raw_log ~= "\d+\/\d+\/\d+\s\d+\:\d+\:\d+ \w{2}"
 | alter 

Packs/MicrosoftDNS/ReleaseNotes/1_0_7.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### MicrosoftDNS
+
+Updated the Parsing Rule logic to consider only the logs caught in the filters.

Packs/MicrosoftDNS/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft DNS",
     "description": "The Microsoft Domain Name Server (DNS) produces audit logs that identify resources from your company that are connected to the internet or your private network, and translate domain names to IP addresses.",
     "support": "xsoar",
-    "currentVersion": "1.0.6",
+    "currentVersion": "1.0.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -12,6 +12,12 @@
     "tags": [],
     "useCases": [],
     "keywords": [],
+    "dependencies": {
+        "MicrosoftWindowsEvents": {
+            "mandatory": true,
+            "display_name": "Microsoft Windows Event Logs"
+        }
+    },
     "marketplaces": [
         "marketplacev2"
     ]

Packs/MicrosoftWindowsAMSI/pack_metadata.json

@@ -12,6 +12,12 @@
     "tags": [],
     "useCases": [],
     "keywords": [],
+    "dependencies": {
+        "MicrosoftWindowsEvents": {
+            "mandatory": true,
+            "display_name": "Microsoft Windows Event Logs"
+        }
+    },
     "marketplaces": [
         "marketplacev2"
     ]

Packs/MicrosoftWindowsEvents/README.md

@@ -8,6 +8,16 @@ Notes:
 
 To view logs only from the Windows Event log, apply the following filter to the datamodel query: *| filter xdm.observer.type="Microsoft-Windows-Security-\*" or xdm.event.type="System" or xdm.event.type="Application"*
 
+**Pay Attention**: 
+This pack excludes several events for the DNS, ADFS and AMSI Windows services according to the *provider_name* field:
+* AD FS Auditing
+* Microsoft-Windows-DNSServer
+* Microsoft-Windows-DNS-Server-Service
+* Microsoft-Antimalware-Scan-Interface
+Should you wish to collect those logs as well, the installation of the following packs is required:
+* Microsoft DNS
+* Microsoft Windows AMSI
+* Microsoft AD FS Collection
 
 ## Collect Events from Vendor
 

Packs/MicrosoftWindowsEvents/pack_metadata.json

@@ -12,6 +12,20 @@
     "tags": [],
     "useCases": [],
     "keywords": [],
+    "dependencies": {
+        "MicrosoftDNS": {
+            "mandatory": false,
+            "display_name": "Microsoft DNS"
+        },
+        "MicrosoftADFS": {
+            "mandatory": false,
+            "display_name": "Microsoft AD FS Collection"
+        },
+        "MicrosoftWindowsAMSI": {
+            "mandatory": false,
+            "display_name": "Microsoft Windows AMSI"
+        }
+    },
     "marketplaces": [
         "marketplacev2"
     ]