XSUP-39406-o365-parsing-update (demisto#35827)

* Updated ParsingRules, README

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated ParsingRules

* Updated README

* Update Packs/Office365/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/Office365/ReleaseNotes/1_0_4.md

Co-authored-by: ShirleyDenkberg <[email protected]>

---------

Co-authored-by: ShirleyDenkberg <[email protected]>

Packs/Office365/ParsingRules/Office365/Office365.xif

@@ -1,19 +1,39 @@
 [INGEST:vendor="msft", product="o365_general", target_dataset="msft_o365_general_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
 | alter
-    _time = CreationTime;
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
+| alter
+    _time = tmp_check_format
+| fields -tmp*;
 
 [INGEST:vendor="msft", product="o365_exchange_online", target_dataset="msft_o365_exchange_online_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
+| alter
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
 | alter
-    _time = CreationTime;
+    _time = tmp_check_format
+| fields -tmp*;
 
 [INGEST:vendor="msft", product="o365_sharepoint_online", target_dataset="msft_o365_sharepoint_online_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
 | alter
-    _time = CreationTime;
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
+| alter
+    _time = tmp_check_format
+| fields -tmp*;
 
 [INGEST:vendor="msft", product="o365_dlp", target_dataset="msft_o365_dlp_raw", no_hit=keep]
-filter to_string(CreationTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+filter to_string(CreationTime) ~= "UTC|:\d{2}(?:[\.\d]+)?Z"
+| alter
+    tmp_string_CreationTime = to_string(CreationTime)
+| alter
+    tmp_check_format = if(tmp_string_CreationTime ~= "UTC", parse_timestamp("%Y-%m-%d %H:%M:%E*S %Z", tmp_string_CreationTime), tmp_string_CreationTime ~= ":\d{2}(?:[\.\d]+)?Z", parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", tmp_string_CreationTime))
 | alter
-    _time = CreationTime;
+    _time = tmp_check_format
+| fields -tmp*;

Packs/Office365/README.md

@@ -19,4 +19,10 @@ Timestamp ingestion for Office 365 logs is currently available for the following
 * Exchange Online → `msft_o365_exchange_online_raw`
 * SharePoint Online → `msft_o365_sharepoint_online_raw`
 * DLP → `msft_o365_dlp_raw`
+
+The ingestion is made using the CreationTime field in the following formats:
+* yyyy-mm-ddThh:mm:ssZ
+* yyyy-mm-ddThh:mm:ss.msZ
+* yyyy-mm-dd hh:mm:ss UTC
+* yyyy-mm-dd hh:mm:ss.ms UTC
 </~XSIAM>

Packs/Office365/ReleaseNotes/1_0_4.md

@@ -0,0 +1,6 @@
+
+#### Parsing Rules
+
+##### Office 365 Parsing Rule
+
+Updated the Parsing Rule logic, ingesting specific UTC time formats from the CreationTime field.

Packs/Office365/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Office 365",
     "description": "The product family of productivity and collaboration cloud based softwares owned by Microsoft.",
     "support": "xsoar",
-    "currentVersion": "1.0.3",
+    "currentVersion": "1.0.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",