Packs modifications persistence ya

Packs/CloudflareWAF/ModelingRules/CloudflareWAF/CloudflareWAF_schema.json

@@ -111,6 +111,14 @@
       "securityruleid": {
         "type": "string",
         "is_array": false
+      },
+        "edgeendtimestamp": {
+        "type": "datetime",
+        "is_array": false
+      },
+        "Datetime": {
+        "type": "datetime",
+        "is_array": false
       }
     }
 }

Packs/CloudflareWAF/ReleaseNotes/1_0_34.md

@@ -0,0 +1,3 @@
+#### Modeling Rules
+##### Cloudflare WAF Modeling Rule
+Implemented structure changes for backend compatibility.

Packs/CloudflareWAF/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cloudflare WAF",
     "description": "Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.",
     "support": "xsoar",
-    "currentVersion": "1.0.33",
+    "currentVersion": "1.0.34",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/PrismaCloudCompute/ParsingRules/PrismaCloudCompute/PrismaCloudCompute.xif

@@ -1,6 +1,6 @@
 [INGEST:vendor="prisma", product="cloud_compute", target_dataset="prisma_cloud_compute_raw", no_hit=keep]
 alter
-    tmp_extract_time = replex(arraystring(regextract(time, ".*\d{2}:\d{2}:\d{2}"), ""), ",", "")
+    tmp_extract_time = replex(arraystring(regextract(to_string(time), ".*\d{2}:\d{2}:\d{2}"), ""), ",", "")
 | alter
     _time = parse_timestamp("%h %d %Y %H:%M:%S", tmp_extract_time)
 | fields -tmp_extract_time;

Packs/PrismaCloudCompute/ReleaseNotes/1_7_26.md

@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### Prisma Cloud Compute Parsing Rule
+Updated the Prisma Cloud Compute Parsing Rule to support time field processing.

Packs/PrismaCloudCompute/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Prisma Cloud Compute by Palo Alto Networks",
     "description": "Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.",
     "support": "xsoar",
-    "currentVersion": "1.7.25",
+    "currentVersion": "1.7.26",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif

@@ -6,7 +6,7 @@
 */
 
 // filter out records which contain only metadata 
-filter _raw_log !~= "^#.*" 
+filter raw_log_cleaned !~= "^#.*"
 
 | alter // Extract fields based on their relative location in the list
     time_taken = parsed_fields -> time_taken, // Time taken (in milliseconds) to process the request
@@ -32,7 +32,7 @@ filter _raw_log !~= "^#.*"
     x_virus_id = parsed_fields -> x_virus_id, // Identifier of a virus if one was detected.
     s_ip = parsed_fields -> s_ip, // IP address of the appliance on which the client established its connection
     r_ip = parsed_fields -> r_ip, // IP address of the destination
-    event_description = arrayindex(regextract(_raw_log ,"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s\S+\s(.*)"),0) // The raw log without headers
+    event_description = arrayindex(regextract(raw_log_cleaned ,"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s\S+\s(.*)"),0) // The raw log without headers
 | alter // post extraction processing 
     // check IP addresses formats 
     c_ip_v4 = if(c_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", c_ip),

Packs/SymantecBlueCoatProxySG/ModelingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG_schema.json

@@ -7,6 +7,10 @@
       "parsed_fields": {
         "type": "string",
         "is_array": false
+      },
+      "raw_log_cleaned": {
+        "type": "string",
+        "is_array": false
       }
     }
   }

Packs/SymantecBlueCoatProxySG/ParsingRules/SymantecBlueCoatProxySG/SymantecBlueCoatProxySG.xif

@@ -1,10 +1,10 @@
 [INGEST:vendor="symantec", product="bluecoatproxysg", target_dataset="symantec_bluecoatproxysg_raw", no_hit=keep]
-alter _raw_log = replex(_raw_log, "\r", "")
+alter raw_log_cleaned = replex(_raw_log, "\r", "")
 | alter parsed_fields = regexcapture(
-  _raw_log, "^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<time_taken>\S+) (?P<c_ip>\S+) (?P<sc_status>\S+) (?P<s_action>\S+) (?P<sc_bytes>\S+) (?P<cs_bytes>\S+) (?P<cs_method>\S+) (?P<cs_uri_scheme>\S+) (?P<cs_host>\S+) (?P<cs_uri_port>\S+) (?P<cs_uri_path>\S+) (?P<cs_uri_query>\S+) (?P<cs_username>\S+) (?P<cs_auth_group>\S+) (?P<s_supplier_name>\S+) (?P<rs_content_type>\S+) (?P<cs_referer>\S+) (?P<cs_user_agent>.*?\"|[-]) (?P<sc_filter_result>\S+) (?P<cs_categories>.*?\"|[-]) (?P<x_virus_id>\S+) (?P<s_ip>\S+)(?: (?P<r_ip>\S+))?(?:\\r)?$"
+  raw_log_cleaned, "^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<time_taken>\S+) (?P<c_ip>\S+) (?P<sc_status>\S+) (?P<s_action>\S+) (?P<sc_bytes>\S+) (?P<cs_bytes>\S+) (?P<cs_method>\S+) (?P<cs_uri_scheme>\S+) (?P<cs_host>\S+) (?P<cs_uri_port>\S+) (?P<cs_uri_path>\S+) (?P<cs_uri_query>\S+) (?P<cs_username>\S+) (?P<cs_auth_group>\S+) (?P<s_supplier_name>\S+) (?P<rs_content_type>\S+) (?P<cs_referer>\S+) (?P<cs_user_agent>.*?\"|[-]) (?P<sc_filter_result>\S+) (?P<cs_categories>.*?\"|[-]) (?P<x_virus_id>\S+) (?P<s_ip>\S+)(?: (?P<r_ip>\S+))?(?:\\r)?$"
   )
 | alter
-    tmp_timestamp_extract = parse_timestamp("%F %T", arrayindex(regextract(_raw_log, "^(\d{4}\-\d{2}\-\d{2}\s+\d{2}\:\d{2}\:\d{2})\s"), 0))
+    tmp_timestamp_extract = parse_timestamp("%F %T", arrayindex(regextract(raw_log_cleaned, "^(\d{4}\-\d{2}\-\d{2}\s+\d{2}\:\d{2}\:\d{2})\s"), 0))
 | alter
     _time = tmp_timestamp_extract
 | fields - tmp*;  

Packs/SymantecBlueCoatProxySG/ReleaseNotes/1_0_13.md

@@ -0,0 +1,7 @@
+#### Modeling Rules
+##### Symantec BlueCoat ProxySG Modeling Rules
+Updated the Symantec BlueCoat ProxySG Modeling Rules to reference the updated raw_log_cleaned field.
+
+#### Parsing Rules
+##### Symantec BlueCoat ProxySG Parsing Rules
+Updated the Symantec BlueCoat ProxySG Parsing Rules to prevent modification of system fields.

Packs/SymantecBlueCoatProxySG/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Symantec BlueCoat ProxySG",
     "description": "A component for on-premises deployment and web security.",
     "support": "xsoar",
-    "currentVersion": "1.0.12",
+    "currentVersion": "1.0.13",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",