
Commit 4328100

Azure app service remove case_sensitive (#41932)
* Removed case_sensitive from workflowruntime section * Added rn * Modified modeling rule
1 parent b58e8eb commit 4328100

3 files changed

+7
-5
lines changed


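--- a/Packs/AzureAppService/ModelingRules/AzureAppService/AzureAppService.xif
+++ b/Packs/AzureAppService/ModelingRules/AzureAppService/AzureAppService.xif
@@ -148,8 +148,7 @@ filter category = "AppServiceAuditLogs"
 xdm.source.ipv6 = if(tmp_UserAddress ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", arrayindex(regextract(tmp_UserAddress, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0), null);
 
 // Azure App Service - "Workflow Runtime"
-config case_sensitive = true
-| filter category = "WorkflowRuntime"
+filter category = "WorkflowRuntime"
 // Common fields from general rule
 | alter
 xdm.event.original_event_type = category,
@@ -165,7 +164,7 @@ config case_sensitive = true
 tmp_endTime = to_string(coalesce(properties -> startTime, EndTime))
 | alter
 log_level = if(to_string(Level) !~= "^\d+$", uppercase(to_string(Level)), null),
-code = uppercase(replex(tmp_code, "([A-Z][a-z]+)([A-Z][a-z]+)", "\1_\2"))
+code = uppercase(tmp_code)
 | alter
 xdm.event.log_level = if(
 log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
@@ -175,7 +174,7 @@ config case_sensitive = true
 null),
 xdm.event.operation_sub_type = if(tmp_actionName != null and tmp_actionName != "", concat(operationName, " - ", tmp_actionName), operationName),
 xdm.event.outcome = if(tmp_status contains "succ", XDM_CONST.OUTCOME_SUCCESS, tmp_status contains "fail", XDM_CONST.OUTCOME_FAILED, tmp_status),
-xdm.network.http.response_code = if(code = "CONTINUE", XDM_CONST.HTTP_RSP_CODE_CONTINUE, code = "SWITCHING_PROTOCOLS", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, code = "PROCESSING", XDM_CONST.HTTP_RSP_CODE_PROCESSING, code = "EARLY_HINTS", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, code = "OK", XDM_CONST.HTTP_RSP_CODE_OK, code = "CREATED", XDM_CONST.HTTP_RSP_CODE_CREATED, code = "ACCEPTED", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, code = "NON__AUTHORITATIVE_INFORMATION", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, code = "NO_CONTENT", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, code = "RESET_CONTENT", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, code = "PARTIAL_CONTENT", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, code = "MULTI__STATUS", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, code = "ALREADY_REPORTED", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, code = "IM_USED", XDM_CONST.HTTP_RSP_CODE_IM_USED, code = "MULTIPLE_CHOICES", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, code = "MOVED_PERMANENTLY", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, code = "FOUND", XDM_CONST.HTTP_RSP_CODE_FOUND, code = "SEE_OTHER", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, code = "NOT_MODIFIED", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, code = "USE_PROXY", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, code = "TEMPORARY_REDIRECT", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, code = "PERMANENT_REDIRECT", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, code = "BAD_REQUEST", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, code = "UNAUTHORIZED", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, code = "PAYMENT_REQUIRED", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, code = "FORBIDDEN", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, code = "NOT_FOUND", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, code = "METHOD_NOT_ALLOWED", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, code = "NOT_ACCEPTABLE", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, code = "PROXY_AUTHENTICATION_REQUIRED", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, code = "REQUEST_TIMEOUT", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, code = "CONFLICT", XDM_CONST.HTTP_RSP_CODE_CONFLICT, code = "GONE", XDM_CONST.HTTP_RSP_CODE_GONE, code = "LENGTH_REQUIRED", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, code = "PRECONDITION_FAILED", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, code = "CONTENT_TOO_LARGE", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, code = "URI_TOO_LONG", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, code = "UNSUPPORTED_MEDIA_TYPE", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, code = "RANGE_NOT_SATISFIABLE", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, code = "EXPECTATION_FAILED", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, code = "MISDIRECTED_REQUEST", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, code = "UNPROCESSABLE_CONTENT", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, code = "LOCKED", XDM_CONST.HTTP_RSP_CODE_LOCKED, code = "FAILED_DEPENDENCY", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, code = "TOO_EARLY", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, code = "UPGRADE_REQUIRED", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, code = "PRECONDITION_REQUIRED", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, code = "TOO_MANY_REQUESTS", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, code = "REQUEST_HEADER_FIELDS_TOO_LARGE", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, code = "UNAVAILABLE_FOR_LEGAL_REASONS", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, code = "INTERNAL_SERVER_ERROR", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, code = "NOT_IMPLEMENTED", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, code = "BAD_GATEWAY", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, code = "SERVICE_UNAVAILABLE", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, code = "GATEWAY_TIMEOUT", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, code = "HTTP_VERSION_NOT_SUPPORTED", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, code = "VARIANT_ALSO_NEGOTIATES", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, code = "INSUFFICIENT_STORAGE", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, code = "LOOP_DETECTED", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, code = "NETWORK_AUTHENTICATION_REQUIRED", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, to_string(code)),
+xdm.network.http.response_code = if(code = "CONTINUE", XDM_CONST.HTTP_RSP_CODE_CONTINUE, code = "SWITCHINGPROTOCOLS", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, code = "PROCESSING", XDM_CONST.HTTP_RSP_CODE_PROCESSING, code = "EARLYHINTS", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, code = "OK", XDM_CONST.HTTP_RSP_CODE_OK, code = "CREATED", XDM_CONST.HTTP_RSP_CODE_CREATED, code = "ACCEPTED", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, code = "NONAUTHORITATIVEINFORMATION", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, code = "NOCONTENT", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, code = "RESETCONTENT", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, code = "PARTIALCONTENT", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, code = "MULTISTATUS", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, code = "ALREADYREPORTED", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, code = "IMUSED", XDM_CONST.HTTP_RSP_CODE_IM_USED, code = "MULTIPLECHOICES", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, code = "MOVEDPERMANENTLY", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, code = "FOUND", XDM_CONST.HTTP_RSP_CODE_FOUND, code = "SEEOTHER", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, code = "NOTMODIFIED", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, code = "USEPROXY", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, code = "TEMPORARYREDIRECT", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, code = "PERMANENTREDIRECT", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, code = "BADREQUEST", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, code = "UNAUTHORIZED", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, code = "PAYMENTREQUIRED", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, code = "FORBIDDEN", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, code = "NOTFOUND", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, code = "METHODNOTALLOWED", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, code = "NOTACCEPTABLE", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, code = "PROXYAUTHENTICATIONREQUIRED", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, code = "REQUESTTIMEOUT", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, code = "CONFLICT", XDM_CONST.HTTP_RSP_CODE_CONFLICT, code = "GONE", XDM_CONST.HTTP_RSP_CODE_GONE, code = "LENGTHREQUIRED", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, code = "PRECONDITIONFAILED", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, code = "CONTENTTOOLARGE", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, code = "URITOOLONG", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, code = "UNSUPPORTEDMEDIATYPE", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, code = "RANGENOTSATISFIABLE", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, code = "EXPECTATIONFAILED", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, code = "MISDIRECTEDREQUEST", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, code = "UNPROCESSABLECONTENT", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, code = "LOCKED", XDM_CONST.HTTP_RSP_CODE_LOCKED, code = "FAILEDDEPENDENCY", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, code = "TOOEARLY", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, code = "UPGRADEREQUIRED", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, code = "PRECONDITIONREQUIRED", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, code = "TOOMANYREQUESTS", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, code = "REQUESTHEADERFIELDSTOOLARGE", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, code = "UNAVAILABLEFORLEGALREASONS", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, code = "INTERNALSERVERERROR", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, code = "NOTIMPLEMENTED", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, code = "BADGATEWAY", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, code = "SERVICEUNAVAILABLE", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, code = "GATEWAYTIMEOUT", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, code = "HTTPVERSIONNOTSUPPORTED", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, code = "VARIANTALSONEGOTIATES", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, code = "INSUFFICIENTSTORAGE", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, code = "LOOPDETECTED", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, code = "NETWORKAUTHENTICATIONREQUIRED", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, to_string(code)),
 xdm.event.outcome_reason = coalesce(properties -> error.message, Message),
 xdm.target.resource.id = coalesce(properties -> resource.workflowId, WorkflowId),
 xdm.target.resource.name = coalesce(properties -> resource.workflowName, WorkflowName),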
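Review bot: The status-name literals in the new `xdm.network.http.response_code` expression (third hunk) now depend on `code = uppercase(tmp_code)` in the second hunk yielding a token with no word separators, but nothing in the rule records that coupling, so a later edit that reintroduces a delimiter on either side would silently send every affected value down the `to_string(code)` fallback instead of to an XDM constant. I would add `// code is uppercased with no word separators, so the literals below must use the same form (e.g. "SWITCHINGPROTOCOLS")` above the `| alter` that sets `code`. Whether `tmp_code` can already arrive delimited (spaces or underscores) is not visible here, because it is derived outside the hunks; if it can, such events would now fall through to the raw string, so the rule's test data should include a constructed multi-word status such as `SwitchingProtocols` to pin the mapping and the `xdm.event.outcome` path next to it. The WorkflowRuntime rule spans beyond the hunks shown, beginning before the first and continuing past the last.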
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
#### Modeling Rules
2+
##### Azure App Service Modeling Rule
3+
Updated the Azure App Service Modeling Rule to improve its implementation.

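--- a/Packs/AzureAppService/pack_metadata.json
+++ b/Packs/AzureAppService/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Azure App Service",
 "description": "Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. This pack contains normalization rules for ingesting and modeling Azure App Service Resource logs.",
 "support": "xsoar",
-"currentVersion": "1.0.6",
+"currentVersion": "1.0.7",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",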
