Salesforce Parsing Update (#38423)

* Updated ParsingRules logic

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated ParsingRules

Packs/Salesforce/ParsingRules/SalesforceParsingRules/SalesforceParsingRules.xif

@@ -12,9 +12,13 @@ filter CreatedDate ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}"
 
 [INGEST:vendor="salesforce", product="eventlogfile", target_dataset="salesforce_eventlogfile_raw", no_hit = keep]
 filter to_string(TIMESTAMP_DERIVED) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
-| alter _time = TIMESTAMP_DERIVED;
+| alter tmp_time_string = arrayindex(regextract(to_string(TIMESTAMP_DERIVED), "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"),0)
+| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", tmp_time_string)
+| fields -tmp_time_string;
 
 
 [INGEST:vendor="salesforce", product="login", target_dataset="salesforce_login_raw", no_hit = keep]
 filter to_string(TIMESTAMP_DERIVED) ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"
-| alter _time = TIMESTAMP_DERIVED;
+| alter tmp_time_string = arrayindex(regextract(to_string(TIMESTAMP_DERIVED), "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z"),0)
+| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", tmp_time_string)
+| fields -tmp_time_string;

Packs/Salesforce/ReleaseNotes/2_1_3.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Salesforce Parsing Rule
+
+Updated the Salesforce Parsing Rule parsing rule, ingesting the **TIMESTAMP_DERIVED** field as String in the logic.

Packs/Salesforce/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Salesforce",
     "description": "CRM Services",
     "support": "xsoar",
-    "currentVersion": "2.1.2",
+    "currentVersion": "2.1.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -22,4 +22,4 @@
         "marketplacev2"
     ],
     "defaultDataSource": "Salesforce"
-}
+}