XSUP-45343 - symantec ep parsing fix (#37926)

* Updated ParsingRules * Updated the README * Updated pack_metadata * Updated ReleaseNotes * Updated ReleaseNotes * Updated README * Update Packs/SymantecEndpointProtection/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update pack_metadata.json --------- Co-authored-by: ShirleyDenkberg <[email protected]>
demisto · Jan 5, 2025 · bcf7beb · bcf7beb
1 parent 44bbe93
commit bcf7beb
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 15 deletions.
diff --git a/...EndpointProtection/ParsingRules/SymantecEndpointProtection/SymantecEndpointProtection.xif b/...EndpointProtection/ParsingRules/SymantecEndpointProtection/SymantecEndpointProtection.xif
@@ -1,20 +1,31 @@
 [INGEST:vendor="symantec", product="ep", target_dataset="symantec_ep_raw", no_hit = keep]
 // Support only date time of format: MMM dd hh:mm:ss.nnn. For example: "Dec 1 10:00:00".
 filter _raw_log ~= "[a-zA-z]{3}\s*\d*\s\d*:\d*:\d*\s"
-| alter
-        tmp_time_without_year = to_string(arrayindex(regextract(_raw_log, "([a-zA-z]{3}\s*\d*\s\d*:\d*:\d*)\s"),0)),
-        tmp_current_year = format_timestamp("%Y",_insert_time)
-| alter tmp_time_current_year = if(tmp_time_without_year != null and tmp_time_without_year != "", concat(tmp_current_year, " ", tmp_time_without_year), null)
+| alter        
+    tmp_time_without_year = to_string(arrayindex(regextract(_raw_log, "([a-zA-z]{3}\s*\d*\s\d*:\d*:\d*)\s"),0)),
+    tmp_current_year = format_timestamp("%Y",_insert_time)
+| alter 
+    tmp_time_current_year = if(tmp_time_without_year != null and tmp_time_without_year != "", concat(tmp_current_year, " ", tmp_time_without_year), null)
 // Parse timestamp with current year
-| alter tmp_time_current_year = parse_timestamp("%Y %b %d %T", tmp_time_current_year)
+    // Set this field according to the time zone from which the log is generated.
+    // Default time zone setting is for UTC time 00:00
+| alter 
+    tmp_time_current_year = parse_timestamp("%Y %b %d %T", tmp_time_current_year, "+00:00")
 // Calculate time diff
-| alter tmp_timeDiff = timestamp_diff(tmp_time_current_year, current_time(), "MILLISECOND")
+| alter 
+    tmp_timeDiff = timestamp_diff(tmp_time_current_year, current_time(), "MILLISECOND")
 // Check if the date is a future date
-| alter tmp_last_year = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_current_year),1)), null)
+| alter 
+    tmp_last_year = if(tmp_timeDiff > 0, to_string(subtract(to_integer(tmp_current_year),1)), null)
 // Create timestamp minus 1 year if the timestamp is a future one
-| alter tmp_time_last_year = if(tmp_last_year != null, concat(tmp_last_year, " ", tmp_time_without_year), null)
+| alter 
+    tmp_time_last_year = if(tmp_last_year != null, concat(tmp_last_year, " ", tmp_time_without_year), null)
 // Parse timestamp with last year value
+    // Set this field according to the time zone from which the log is generated.
+    // Default time zone setting is for UTC time 00:00
 | alter
-        tmp_time_last_year = if(tmp_time_last_year != null, parse_timestamp("%Y %b %d %T", tmp_time_last_year), null)
-| alter _time = coalesce(tmp_time_last_year, tmp_time_current_year)
+    tmp_time_last_year = if(tmp_time_last_year != null, parse_timestamp("%Y %b %d %T", tmp_time_last_year, "+00:00"), null)
+// Adding the extracted timestamp to the _time field.
+| alter 
+    _time = coalesce(tmp_time_last_year, tmp_time_current_year)
 | fields -tmp_time_without_year, tmp_current_year, tmp_time_current_year, tmp_timeDiff, tmp_last_year, tmp_time_last_year;
diff --git a/Packs/SymantecEndpointProtection/README.md b/Packs/SymantecEndpointProtection/README.md
@@ -1,6 +1,7 @@
 # Symantec Endpoint Protection
 This pack includes Cortex XSIAM content.
 <~XSIAM>
+
 ## Configuration on Server Side
 
 1. Log in to Symantec Endpoint Protection Manager.
@@ -20,10 +21,15 @@ To create or configure the Broker VM, use the information described [here](https
 
 You can configure the specific vendor and product for this instance.
 
-
 1. Navigate to **Settings** > **Configuration** > **Data Broker** > **Broker VMs**. 
 2. Right-click, and select **Syslog Collector** > **Configure**.
 3. When configuring the Syslog Collector, set the following values:
    - vendor as vendor - symantec
    - product as product - ep
+
+### Timestamp Ingestion
+Timestamp ingestion from raw logs is supported only for the format: **MMM dd hh:mm:ss.nnn** (e.g., Dec 1 10:00:00).
+The default time zone for the timestamp extraction is in UTC (**+00:00**) time. 
+Any requirement for another time zone, demands altering the time zone used in the default Parsing Rule by changing it in the User Defined section according to your needs.
+
 </~XSIAM>
diff --git a/Packs/SymantecEndpointProtection/ReleaseNotes/1_1_15.md b/Packs/SymantecEndpointProtection/ReleaseNotes/1_1_15.md
@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Symantec Endpoint Protection Parsing Rule
+
+Updated the Parsing Rule logic, adding a default UTC (00:00) time zone consideration that can be altered.
diff --git a/Packs/SymantecEndpointProtection/pack_metadata.json b/Packs/SymantecEndpointProtection/pack_metadata.json
@@ -2,19 +2,26 @@
     "name": "Symantec Endpoint Protection",
     "description": "Query the Symantec Endpoint Protection Manager using the official REST API.",
     "support": "xsoar",
-    "currentVersion": "1.1.14",
+    "currentVersion": "1.1.15",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "created": "2020-04-14T00:00:00Z",
     "categories": [
         "Endpoint"
     ],
-    "tags": [],
+    "tags": [
+        "Security",
+        "Network"
+    ],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "Symantec",
+        "Endpoint Protection",
+        "EP"
+    ],
     "marketplaces": [
         "xsoar",
         "marketplacev2"
     ]
-}
+}