Xdm.event.outcome bulk6 (#24668)

eepstain · web-flow · commit e7e142fedb8a · 2023-02-16T17:19:39.000+02:00
diff --git a/Packs/DuoAdminApi/ModelingRules/DuoModelingRule_1_3/DuoModelingRule_1_3.xif b/Packs/DuoAdminApi/ModelingRules/DuoModelingRule_1_3/DuoModelingRule_1_3.xif
@@ -12,10 +12,9 @@ filter
     xdm.intermediate.host.fqdn = HOST,
     xdm.source.user.username = username,
     xdm.event.outcome_reason = reason,
-    xdm.event.outcome = result,
+    xdm.event.outcome = if(result = "FAILURE", XDM_CONST.OUTCOME_FAILED, result = "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, result = "ERROR", XDM_CONST.OUTCOME_UNKNOWN, result = null, null, to_string(result)),    
     xdm.source.application.name = integration,
     xdm.auth.auth_method = factor;
-
 filter
     eventtype = "administrator"
 | alter
diff --git a/Packs/DuoAdminApi/ReleaseNotes/3_2_5.md b/Packs/DuoAdminApi/ReleaseNotes/3_2_5.md
@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### Duo Modeling Rule
+- Updated Modeling Rules
diff --git a/Packs/DuoAdminApi/pack_metadata.json b/Packs/DuoAdminApi/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "DUO Admin",
     "description": "DUO for admins.\nMust have access to the admin api in order to use this",
     "support": "xsoar",
-    "currentVersion": "3.2.4",
+    "currentVersion": "3.2.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/FireEyeNX/ModelingRules/FireEyeNX_1_3/FireEyeNX_1_3.xif b/Packs/FireEyeNX/ModelingRules/FireEyeNX_1_3/FireEyeNX_1_3.xif
@@ -1,7 +1,7 @@
 [MODEL: dataset=fireeye_mps_raw]
 alter xdm.target.port = to_number(dpt),
     xdm.source.port = to_number(spt),
-    xdm.event.outcome = act,
+    xdm.event.operation_sub_type = act,
     xdm.target.ipv4 = dst,
     xdm.source.ipv4 = src,
     xdm.target.host.mac_addresses = arraycreate(coalesce(dmac,"")) ,
diff --git a/Packs/FireEyeNX/ReleaseNotes/1_1_15.md b/Packs/FireEyeNX/ReleaseNotes/1_1_15.md
@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### FireEye NX Modeling Rule
+- Updated Modeling Rules
diff --git a/Packs/FireEyeNX/pack_metadata.json b/Packs/FireEyeNX/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "FireEye Network Security (NX)",
     "description": "FireEye Network Security is an effective cyber threat protection solution that helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted, and other evasive attacks hiding in Internet traffic.",
     "support": "xsoar",
-    "currentVersion": "1.1.14",
+    "currentVersion": "1.1.15",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/cisco-meraki/ModelingRules/CiscoMerakiModelingRules_1_3/CiscoMerakiModelingRules_1_3.xif b/Packs/cisco-meraki/ModelingRules/CiscoMerakiModelingRules_1_3/CiscoMerakiModelingRules_1_3.xif
@@ -29,14 +29,13 @@ filter
     xdm.target.host.ipv4_addresses = arraycreate(coalesce(source_ip, "")),
     xdm.source.host.ipv4_addresses = arraycreate(coalesce(destination_ip, "")),
     xdm.event.type = event_type,
-    xdm.event.outcome = action,
+    xdm.event.outcome = if(action ~= "block", XDM_CONST.OUTCOME_FAILED, action = "allow", XDM_CONST.OUTCOME_SUCCESS, action = null, null, to_string(action)),
     xdm.event.outcome_reason = message,
     xdm.source.process.executable.sha256 = sha_256,
     xdm.source.process.executable.filename = found_malisious,
     xdm.source.process.executable.path = url,
     xdm.alert.severity = priority,
     xdm.target.file.filename = file_name;
-
 filter
     _raw_log contains "urls src=" or (_raw_log contains "flows" and _raw_log contains "src=") or _raw_log contains "vpn_connectivity_change" or _raw_log contains "events dhcp" or _raw_log contains "Site-to-site VPN" or _raw_log contains "events"
 | alter appliance_name1 = arrayindex(regextract(_raw_log,"\.\d+\s(\w+)\s[events]"),0),
@@ -81,6 +80,7 @@ filter
     protocl = arrayindex(regextract(_raw_log,"protocol\=(\w+)"),0),
     protocl_type = arrayindex(regextract(_raw_log,"type\=(\d+)"),0)
 | alter
+    xdm.observer.name = appliance_name,
     xdm.source.ipv4 = source_ip,
     xdm.source.port = to_number(source_port),
     xdm.target.ipv4 = destination_ip,
@@ -89,7 +89,7 @@ filter
     xdm.target.interface = destination_mac,
     xdm.alert.description = Message,
     xdm.network.dhcp.dns_server = arraycreate(coalesce(Dns_server_ips, "")),
-    xdm.event.outcome = connectivity,
+    xdm.event.outcome = if(connectivity = "false", XDM_CONST.OUTCOME_FAILED, connectivity = "true", XDM_CONST.OUTCOME_SUCCESS, connectivity = null, null, to_string(connectivity)),    
     xdm.event.operation_sub_type = vpn_type,
     xdm.network.session_id = spi_unique_identifier,
     xdm.observer.unique_identifier = peer_unique_identifier,
diff --git a/Packs/cisco-meraki/ReleaseNotes/1_0_6.md b/Packs/cisco-meraki/ReleaseNotes/1_0_6.md
@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### Cisco Meraki
+- Updated Modeling Rules
diff --git a/Packs/cisco-meraki/pack_metadata.json b/Packs/cisco-meraki/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cisco Meraki",
     "description": "Cloud controlled WiFi, routing, and security.",
     "support": "xsoar",
-    "currentVersion": "1.0.5",
+    "currentVersion": "1.0.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
