Modified parsing rule to support future dates scenarios - Symantec EP (…

…demisto#36728) * Modified parsing rule to support future dates scenarios * Added release note * Modified release note
adi88d · Oct 15, 2024 · 7211d85 · 7211d85
1 parent 003f76e
commit 7211d85
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/...EndpointProtection/ParsingRules/SymantecEndpointProtection/SymantecEndpointProtection.xif b/...EndpointProtection/ParsingRules/SymantecEndpointProtection/SymantecEndpointProtection.xif
@@ -1,7 +1,20 @@
 [INGEST:vendor="symantec", product="ep", target_dataset="symantec_ep_raw", no_hit = keep]
 // Support only date time of format: MMM dd hh:mm:ss.nnn. For example: "Dec 1 10:00:00".
 filter _raw_log ~= "[a-zA-z]{3}\s*\d*\s\d*:\d*:\d*\s"
-| alter tmp_time1 = to_string(arrayindex(regextract(_raw_log, "([a-zA-z]{3}\s*\d*\s\d*:\d*:\d*)\s"),0))
-| alter tmp_time1 = concat(format_timestamp("%Y",_insert_time)," ", tmp_time1)
-| alter _time = parse_timestamp("%Y %b %d %T", tmp_time1)
-| fields -tmp_time1;
+| alter
+        tmp_time_without_year = to_string(arrayindex(regextract(_raw_log, "([a-zA-z]{3}\s*\d*\s\d*:\d*:\d*)\s"),0)),
+        tmp_current_year = format_timestamp("%Y",_insert_time)
+| alter tmp_time_current_year = if(tmp_time_without_year != null and tmp_time_without_year != "", concat(tmp_current_year, " ", tmp_time_without_year), null)
+// Parse timestamp with current year
+| alter tmp_time_current_year = parse_timestamp("%Y %b %d %T", tmp_time_current_year)
+// Calculate time diff
+| alter tmp_timeDiff = timestamp_diff(tmp_time_current_year, current_time(), "MILLISECOND")
+// Check if the date is a future date
+| alter tmp_last_year = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_current_year),1)), null)
+// Create timestamp minus 1 year if the timestamp is a future one
+| alter tmp_time_last_year = if(tmp_last_year != null, concat(tmp_last_year, " ", tmp_time_without_year), null)
+// Parse timestamp with last year value
+| alter
+        tmp_time_last_year = if(tmp_time_last_year != null, parse_timestamp("%Y %b %d %T", tmp_time_last_year), null)
+| alter _time = coalesce(tmp_time_last_year, tmp_time_current_year)
+| fields -tmp_time_without_year, tmp_current_year, tmp_time_current_year, tmp_timeDiff, tmp_last_year, tmp_time_last_year;
diff --git a/Packs/SymantecEndpointProtection/ReleaseNotes/1_1_11.md b/Packs/SymantecEndpointProtection/ReleaseNotes/1_1_11.md
@@ -0,0 +1,3 @@
+#### Parsing Rules
+##### Symantec_Endpoint_Protection
+Improved implementation of _time parsing, to support timestamps without a year.
diff --git a/Packs/SymantecEndpointProtection/pack_metadata.json b/Packs/SymantecEndpointProtection/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Symantec Endpoint Protection",
     "description": "Query the Symantec Endpoint Protection Manager using the official REST API.",
     "support": "xsoar",
-    "currentVersion": "1.1.10",
+    "currentVersion": "1.1.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",