XSUP 45126 Cyberark Identity Update (#38071)

* Updated ModelingRules ParsingRules

* Updated pack_metadata

* Updated README

* Updated README

* Updated README

* Update Packs/CyberArkIdentity/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update pack_metadata.json

* Updated ReleaseNotes

* Updated ReleaseNotes

---------

Co-authored-by: ShirleyDenkberg <[email protected]>

Packs/CyberArkIdentity/ModelingRules/CyberArkIdentityEventCollector_1_3/CyberArkIdentityEventCollector_1_3.xif

@@ -11,9 +11,7 @@ filter
 	xdm.auth.auth_method = AuthMethod,
     xdm.event.type=EventType,
     xdm.source.ipv4 = FromIPAddress,
-    xdm.source.application.name = AppId,
-    xdm.observer.vendor=_vendor,
-    xdm.observer.product=_product;
+    xdm.source.application.name = AppId;
 
 filter  EventType not in ("Cloud.Core.OAuthToken.Create", "Cloud.Core.Logout", "Cloud.Core.MfaSummary", "Cloud.Core.StartImpersonate","Cloud.Core.Login", "Cloud.Core.LoginFail", "Cloud.Core.Logout", "Cloud.Core.OAuthToken.InvalidClient" )
  |   alter
@@ -33,6 +31,4 @@ filter  EventType not in ("Cloud.Core.OAuthToken.Create", "Cloud.Core.Logout", "
     xdm.target.resource_before.type = OldLicenseType,
     xdm.target.resource.sub_type = MobileAppType,
     xdm.session_context_id = coalesce(JobUniqueId, SessionId),
-	xdm.event.type=EventType,
-    xdm.observer.vendor=_vendor,
-    xdm.observer.product=_product;
+	xdm.event.type=EventType;

Packs/CyberArkIdentity/ParsingRules/CyberArkIdentityParsingRules/CyberArkIdentityParsingRules.xif

@@ -1,3 +1,3 @@
 [INGEST:vendor="cyberark", product="identity", target_dataset="cyberark_identity_raw", no_hit=keep]
-filter WhenOccurred ~= "[0-9]+"
-| alter _time = to_timestamp(to_integer(arrayindex(regextract(WhenOccurred, "[0-9]+"), 0)), "MILLIS");
+filter to_string(WhenOccurred) ~= "[0-9]+"
+| alter _time = to_timestamp(to_integer(arrayindex(regextract(to_string(WhenOccurred), "[0-9]+"), 0)), "MILLIS");

Packs/CyberArkIdentity/README.md

@@ -22,6 +22,10 @@ This integration was integrated and tested with version 22.4 of CyberArk Identit
 
 * Pay attention: Timestamp parsing is currently supported for the **WhenOccurred** field with Epoch string in it.
 
+### Timestamp Ingestion
+Timestamp parsing is performed according to the *WhenOccurred* field, in the format **/Date(EpochMillis>)/**.
+E.g., /Date(1677206879107)/ (Millis - 13 Digits).
+
 ## Commands
 You can execute these commands from the Cortex XSIAM Alerts War Room as part of an automation, or in a playbook.
 After you successfully execute a command, a DBot message appears in the War Room with the command details.

Packs/CyberArkIdentity/ReleaseNotes/1_1_3.md

@@ -0,0 +1,12 @@
+
+#### Modeling Rules
+
+##### CyberArkIdentityEventCollector
+
+Updated the Modeling Rule logic, deprecated the XDM Vendor and Product Observer fields.
+
+#### Parsing Rules
+
+##### CyberArkIdentity Parsing Rule
+
+Updated the Parsing Rule logic, added String casting for the **WhenOccurred** field.

Packs/CyberArkIdentity/pack_metadata.json

@@ -2,16 +2,22 @@
     "name": "CyberArk Identity",
     "description": "This integration collects events from the Idaptive Next-Gen Access (INGA) using REST APIs.",
     "support": "xsoar",
-    "currentVersion": "1.1.2",
+    "currentVersion": "1.1.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Analytics & SIEM"
     ],
-    "tags": [],
+    "tags": [
+        "Security",
+        "IAM"
+    ],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "cyberark",
+        "identity"
+    ],
     "marketplaces": [
         "marketplacev2"
     ]