From 4a9f1871459cdf2c0b9644cf24fce7bf8eab97df Mon Sep 17 00:00:00 2001
From: eepstain <116078117+eepstain@users.noreply.github.com>
Date: Thu, 30 Jan 2025 08:56:34 +0200
Subject: [PATCH] Slaesforce Parsing Rule Update (#38390)

* Updated ParsingRules

* Updated ReleaseNotes

* Updated ReleaseNotes

* Update 2_1_2.md

* Update 2_1_2.md

* Update pack_metadata.json

* Updated README

* Reverted CyberArkEPV

* Update Packs/Salesforce/ReleaseNotes/2_1_2.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Updated ParsingRules

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
---
 .../SalesforceParsingRules.xif | 12 ++++--------
 Packs/Salesforce/ReleaseNotes/2_1_2.md | 6 ++++++
 Packs/Salesforce/pack_metadata.json | 12 ++++++++----
 3 files changed, 18 insertions(+), 12 deletions(-)
 create mode 100644 Packs/Salesforce/ReleaseNotes/2_1_2.md

diff --git a/Packs/Salesforce/ParsingRules/SalesforceParsingRules/SalesforceParsingRules.xif b/Packs/Salesforce/ParsingRules/SalesforceParsingRules/SalesforceParsingRules.xif
index 9f6c7e10f894..57faaebf629e 100644
--- a/Packs/Salesforce/ParsingRules/SalesforceParsingRules/SalesforceParsingRules.xif
+++ b/Packs/Salesforce/ParsingRules/SalesforceParsingRules/SalesforceParsingRules.xif
@@ -11,14 +11,10 @@ filter CreatedDate ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}"
 
 
 [INGEST:vendor="salesforce", product="eventlogfile", target_dataset="salesforce_eventlogfile_raw", no_hit = keep]
-filter to_string(_TIMESTAMP_DERIVED_) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
-| alter tmp_time_string = arrayindex(regextract(to_string(_TIMESTAMP_DERIVED_) , "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"),0)
-| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", tmp_time_string )
-| fields -tmp_time_string;
+filter to_string(TIMESTAMP_DERIVED) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
+| alter _time = TIMESTAMP_DERIVED;
 
 
 [INGEST:vendor="salesforce", product="login", target_dataset="salesforce_login_raw", no_hit = keep]
-filter to_string(_TIMESTAMP_DERIVED_) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
-| alter tmp_time_string = arrayindex(regextract(to_string(_TIMESTAMP_DERIVED_) , "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"),0)
-| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", tmp_time_string )
-| fields -tmp_time_string;
\ No newline at end of file
+filter to_string(TIMESTAMP_DERIVED) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
+| alter _time = TIMESTAMP_DERIVED;
\ No newline at end of file
diff --git a/Packs/Salesforce/ReleaseNotes/2_1_2.md b/Packs/Salesforce/ReleaseNotes/2_1_2.md
new file mode 100644
index 000000000000..99911fe7010a
--- /dev/null
+++ b/Packs/Salesforce/ReleaseNotes/2_1_2.md
@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Salesforce Parsing Rule
+
+Updated the Salesforce Parsing Rule parsing rule. Removed the underscores at the beginning and end of the **TIMESTAMP_DERIVED** field.
diff --git a/Packs/Salesforce/pack_metadata.json b/Packs/Salesforce/pack_metadata.json
index 5946b16eca81..a94f9036853e 100644
--- a/Packs/Salesforce/pack_metadata.json
+++ b/Packs/Salesforce/pack_metadata.json
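Review bot: `| alter _time = TIMESTAMP_DERIVED;` in both INGEST blocks drops the `parse_timestamp` step the removed lines performed, while the filter directly above still wraps the field in `to_string(...)` to regex-match it, so nothing in the hunk establishes that `TIMESTAMP_DERIVED` already arrives as a timestamp rather than a string. If it is a string, `_time` presumably does not receive the Salesforce event time and the event keeps its ingestion time instead, which skews timelines and any time-window logic built on `salesforce_login_raw` and `salesforce_eventlogfile_raw`; please confirm against a sample event, or keep the conversion explicit as `| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", to_string(TIMESTAMP_DERIVED));`. The new `ReleaseNotes/2_1_2.md` mentions only the removed underscores; it should also state that the regextract/parse_timestamp pipeline was replaced by a direct assignment of the field to `_time`, since that is a behavioural change for anyone relying on the old rule.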
@@ -2,7 +2,7 @@
 "name": "Salesforce",
 "description": "CRM Services",
 "support": "xsoar",
- "currentVersion": "2.1.1",
+ "currentVersion": "2.1.2",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -10,12 +10,16 @@
 "categories": [
 "Case Management"
 ],
- "tags": [],
+ "tags": [
+ "Security"
+ ],
 "useCases": [],
- "keywords": [],
+ "keywords": [
+ "salesforce"
+ ],
 "marketplaces": [
 "xsoar",
 "marketplacev2"
 ],
 "defaultDataSource": "Salesforce"
-}
\ No newline at end of file
+}