From 0ad4ed7b379ed0246029b3ea4776312d992e38e7 Mon Sep 17 00:00:00 2001
From: Yehonatan Asta <yasta@paloaltonetworks.com>
Date: Tue, 18 Nov 2025 16:00:51 +0200
Subject: [PATCH 1/3] Modified cloudflarewaf, prismacloudcompute and
 symantecbluecoatproxysg packs

---
 .../ModelingRules/CloudflareWAF/CloudflareWAF_schema.json | 8 ++++++++
 .../PrismaCloudCompute/PrismaCloudCompute.xif             | 2 +-
 .../SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif   | 4 ++--
 .../SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif   | 6 +++---
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/Packs/CloudflareWAF/ModelingRules/CloudflareWAF/CloudflareWAF_schema.json b/Packs/CloudflareWAF/ModelingRules/CloudflareWAF/CloudflareWAF_schema.json
index efd1ad4973b2..d65491057829 100644
--- a/Packs/CloudflareWAF/ModelingRules/CloudflareWAF/CloudflareWAF_schema.json
+++ b/Packs/CloudflareWAF/ModelingRules/CloudflareWAF/CloudflareWAF_schema.json
@@ -111,6 +111,14 @@
       "securityruleid": {
         "type": "string",
         "is_array": false
+      },
+        "edgeendtimestamp": {
+        "type": "datetime",
+        "is_array": false
+      },
+        "Datetime": {
+        "type": "datetime",
+        "is_array": false
       }
     }
 }
\ No newline at end of file
diff --git a/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif b/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif
index cfc7121c63be..0e8b031ec430 100644
--- a/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif
+++ b/Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif
@@ -1,6 +1,6 @@
 [INGEST:vendor="prisma", product="cloud_compute", target_dataset="prisma_cloud_compute_raw", no_hit=keep]
 alter
-    tmp_extract_time = replex(arraystring(regextract(time, ".*\d{2}:\d{2}:\d{2}"), ""), ",", "")
+    tmp_extract_time = replex(arraystring(regextract(to_string(time), ".*\d{2}:\d{2}:\d{2}"), ""), ",", "")
 | alter
     _time = parse_timestamp("%h %d %Y %H:%M:%S", tmp_extract_time)
 | fields -tmp_extract_time;
\ No newline at end of file
diff --git a/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif b/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif
index 63e3a874f394..60cef0579f7a 100644
--- a/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif
+++ b/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif
@@ -6,7 +6,7 @@
 */
 
 // filter out records which contain only metadata 
-filter _raw_log !~= "^#.*" 
+filter raw_log_cleaned !~= "^#.*"
 
 | alter // Extract fields based on their relative location in the list
     time_taken = parsed_fields -> time_taken, // Time taken (in milliseconds) to process the request
@@ -32,7 +32,7 @@ filter _raw_log !~= "^#.*"
     x_virus_id = parsed_fields -> x_virus_id, // Identifier of a virus if one was detected.
     s_ip = parsed_fields -> s_ip, // IP address of the appliance on which the client established its connection
     r_ip = parsed_fields -> r_ip, // IP address of the destination
-    event_description = arrayindex(regextract(_raw_log ,"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s\S+\s(.*)"),0) // The raw log without headers
+    event_description = arrayindex(regextract(raw_log_cleaned ,"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s\S+\s(.*)"),0) // The raw log without headers
 | alter // post extraction processing 
     // check IP addresses formats 
     c_ip_v4 = if(c_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", c_ip),
diff --git a/Packs/SymantecBlueCoatProxySG/ParsingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif b/Packs/SymantecBlueCoatProxySG/ParsingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif
index b052e2d7a31f..7058a65c526d 100644
--- a/Packs/SymantecBlueCoatProxySG/ParsingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif
+++ b/Packs/SymantecBlueCoatProxySG/ParsingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif
@@ -1,10 +1,10 @@
 [INGEST:vendor="symantec", product="bluecoatproxysg", target_dataset="symantec_bluecoatproxysg_raw", no_hit=keep]
-alter _raw_log = replex(_raw_log, "\r", "")
+alter raw_log_cleaned = replex(_raw_log, "\r", "")
 | alter parsed_fields = regexcapture(
-  _raw_log, "^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<time_taken>\S+) (?P<c_ip>\S+) (?P<sc_status>\S+) (?P<s_action>\S+) (?P<sc_bytes>\S+) (?P<cs_bytes>\S+) (?P<cs_method>\S+) (?P<cs_uri_scheme>\S+) (?P<cs_host>\S+) (?P<cs_uri_port>\S+) (?P<cs_uri_path>\S+) (?P<cs_uri_query>\S+) (?P<cs_username>\S+) (?P<cs_auth_group>\S+) (?P<s_supplier_name>\S+) (?P<rs_content_type>\S+) (?P<cs_referer>\S+) (?P<cs_user_agent>.*?\"|[-]) (?P<sc_filter_result>\S+) (?P<cs_categories>.*?\"|[-]) (?P<x_virus_id>\S+) (?P<s_ip>\S+)(?: (?P<r_ip>\S+))?(?:\\r)?$"
+  raw_log_cleaned, "^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<time_taken>\S+) (?P<c_ip>\S+) (?P<sc_status>\S+) (?P<s_action>\S+) (?P<sc_bytes>\S+) (?P<cs_bytes>\S+) (?P<cs_method>\S+) (?P<cs_uri_scheme>\S+) (?P<cs_host>\S+) (?P<cs_uri_port>\S+) (?P<cs_uri_path>\S+) (?P<cs_uri_query>\S+) (?P<cs_username>\S+) (?P<cs_auth_group>\S+) (?P<s_supplier_name>\S+) (?P<rs_content_type>\S+) (?P<cs_referer>\S+) (?P<cs_user_agent>.*?\"|[-]) (?P<sc_filter_result>\S+) (?P<cs_categories>.*?\"|[-]) (?P<x_virus_id>\S+) (?P<s_ip>\S+)(?: (?P<r_ip>\S+))?(?:\\r)?$"
   )
 | alter
-    tmp_timestamp_extract = parse_timestamp("%F %T", arrayindex(regextract(_raw_log, "^(\d{4}\-\d{2}\-\d{2}\s+\d{2}\:\d{2}\:\d{2})\s"), 0))
+    tmp_timestamp_extract = parse_timestamp("%F %T", arrayindex(regextract(raw_log_cleaned, "^(\d{4}\-\d{2}\-\d{2}\s+\d{2}\:\d{2}\:\d{2})\s"), 0))
 | alter
     _time = tmp_timestamp_extract
 | fields - tmp*;  
\ No newline at end of file

From 735c3375a89f9696150d6b01262d53480a6aa02d Mon Sep 17 00:00:00 2001
From: Yehonatan Asta <yasta@paloaltonetworks.com>
Date: Wed, 19 Nov 2025 11:01:50 +0200
Subject: [PATCH 2/3] Added RN

---
 Packs/CloudflareWAF/ReleaseNotes/1_0_34.md           | 3 +++
 Packs/CloudflareWAF/pack_metadata.json               | 2 +-
 Packs/PrismaCloudCompute/ReleaseNotes/1_7_26.md      | 3 +++
 Packs/PrismaCloudCompute/pack_metadata.json          | 2 +-
 Packs/SymantecBlueCoatProxySG/ReleaseNotes/1_0_13.md | 7 +++++++
 Packs/SymantecBlueCoatProxySG/pack_metadata.json     | 2 +-
 6 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 Packs/CloudflareWAF/ReleaseNotes/1_0_34.md
 create mode 100644 Packs/PrismaCloudCompute/ReleaseNotes/1_7_26.md
 create mode 100644 Packs/SymantecBlueCoatProxySG/ReleaseNotes/1_0_13.md

diff --git a/Packs/CloudflareWAF/ReleaseNotes/1_0_34.md b/Packs/CloudflareWAF/ReleaseNotes/1_0_34.md
new file mode 100644
index 000000000000..61a467c1fa48
--- /dev/null
+++ b/Packs/CloudflareWAF/ReleaseNotes/1_0_34.md
@@ -0,0 +1,3 @@
+#### Modeling Rules
+##### Cloudflare WAF Modeling Rule
+Implemented structure changes for backend compatibility.
diff --git a/Packs/CloudflareWAF/pack_metadata.json b/Packs/CloudflareWAF/pack_metadata.json
index a215af765909..8c2512d1c0c3 100644
--- a/Packs/CloudflareWAF/pack_metadata.json
+++ b/Packs/CloudflareWAF/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cloudflare WAF",
     "description": "Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.",
     "support": "xsoar",
-    "currentVersion": "1.0.33",
+    "currentVersion": "1.0.34",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/PrismaCloudCompute/ReleaseNotes/1_7_26.md b/Packs/PrismaCloudCompute/ReleaseNotes/1_7_26.md
new file mode 100644
index 000000000000..ba93415025c4
--- /dev/null
+++ b/Packs/PrismaCloudCompute/ReleaseNotes/1_7_26.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### Prisma Cloud Compute Parsing Rule
+Updated the Prisma Cloud Compute Parsing Rule to support time field processing.
diff --git a/Packs/PrismaCloudCompute/pack_metadata.json b/Packs/PrismaCloudCompute/pack_metadata.json
index 67765cba93c4..6a3df507d450 100644
--- a/Packs/PrismaCloudCompute/pack_metadata.json
+++ b/Packs/PrismaCloudCompute/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Prisma Cloud Compute by Palo Alto Networks",
     "description": "Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.",
     "support": "xsoar",
-    "currentVersion": "1.7.25",
+    "currentVersion": "1.7.26",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/SymantecBlueCoatProxySG/ReleaseNotes/1_0_13.md b/Packs/SymantecBlueCoatProxySG/ReleaseNotes/1_0_13.md
new file mode 100644
index 000000000000..4d5fec7f7334
--- /dev/null
+++ b/Packs/SymantecBlueCoatProxySG/ReleaseNotes/1_0_13.md
@@ -0,0 +1,7 @@
+#### Modeling Rules
+##### Symantec BlueCoat ProxySG Modeling Rules
+Updated the Symantec BlueCoat ProxySG Modeling Rules to reference the updated raw_log_cleaned field.
+
+#### Parsing Rules
+##### Symantec BlueCoat ProxySG Parsing Rules
+Updated the Symantec BlueCoat ProxySG Parsing Rules to prevent modification of system fields.
\ No newline at end of file
diff --git a/Packs/SymantecBlueCoatProxySG/pack_metadata.json b/Packs/SymantecBlueCoatProxySG/pack_metadata.json
index 67f9d188d630..f6ddc112b750 100644
--- a/Packs/SymantecBlueCoatProxySG/pack_metadata.json
+++ b/Packs/SymantecBlueCoatProxySG/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Symantec BlueCoat ProxySG",
     "description": "A component for on-premises deployment and web security.",
     "support": "xsoar",
-    "currentVersion": "1.0.12",
+    "currentVersion": "1.0.13",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

From a33e731545cf9196c3cc95efbe820af8a7beb0cc Mon Sep 17 00:00:00 2001
From: Yehonatan Asta <yasta@paloaltonetworks.com>
Date: Sat, 22 Nov 2025 15:07:44 +0200
Subject: [PATCH 3/3] Added field to schema file of symantecbluecoatproxysg

---
 .../SymantecBlueCoatProxySG_schema.json                       | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG_schema.json b/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG_schema.json
index 1db5665649bd..89269f35ca4b 100644
--- a/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG_schema.json
+++ b/Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG_schema.json
@@ -7,6 +7,10 @@
       "parsed_fields": {
         "type": "string",
         "is_array": false
+      },
+      "raw_log_cleaned": {
+        "type": "string",
+        "is_array": false
       }
     }
   }
\ No newline at end of file