Cisco catalyst addfield (#27102)

* update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules * update modeling rules
demisto · Jun 6, 2023 · 2ce8304 · 2ce8304
1 parent 949d177
commit 2ce8304
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/Packs/CiscoCatalyst/ModelingRules/CiscoCatalyst_1_3/CiscoCatalyst_1_3.xif b/Packs/CiscoCatalyst/ModelingRules/CiscoCatalyst_1_3/CiscoCatalyst_1_3.xif
@@ -25,7 +25,8 @@ alter seq_number = arrayindex(regextract(_raw_log , "(\d+)\:\s+\**[A-Za-z]+\s+\d
     processname2 = arrayindex(regextract(_raw_log ,"by\sprocess\s([A-Za-z\s]+)Policy\smanager"),0),
     vlan = arrayindex(regextract(_raw_log ,"address\s\d+\.\d+\.\d+\.\d+\son\sVlan(\d+)"),0),
     sourceipv6 = arrayindex(regextract(_raw_log ,"\,\ssourced\sby\s(\S+)"),0),
-    pid = arrayindex(regextract(_raw_log ,"\[PID\:([^\,]+)\,"),0)
+    pid = arrayindex(regextract(_raw_log ,"\[PID\:([^\,]+)\,"),0),
+    change_state = arrayindex(regextract(_raw_log, "\,\s(changed\sstate\sto[a-zA-Z\s]+)"),0)
 | alter seq_number = replex(seq_number, "^0+","")
 | alter xdm.network.session_id = seq_number,
     xdm.event.type = event_type,
@@ -40,4 +41,6 @@ alter seq_number = arrayindex(regextract(_raw_log , "(\d+)\:\s+\**[A-Za-z]+\s+\d
     xdm.source.process.name = coalesce(processname1 ,processname2 ),
     xdm.source.vlan = to_integer(vlan),
     xdm.source.ipv6 = sourceipv6,
-    xdm.source.process.identifier = pid;
+    xdm.source.process.identifier = pid,
+    xdm.observer.action = change_state,
+    xdm.event.outcome = if(event_type contains "SUCCESS", XDM_CONST.OUTCOME_SUCCESS, event_type contains "FAIL",XDM_CONST.OUTCOME_FAILED, null);
diff --git a/Packs/CiscoCatalyst/ReleaseNotes/1_0_2.md b/Packs/CiscoCatalyst/ReleaseNotes/1_0_2.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Cisco Catalyst Modeling Rule
+
+Added a new field to the modeling rules.
diff --git a/Packs/CiscoCatalyst/pack_metadata.json b/Packs/CiscoCatalyst/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cisco Catalyst",
     "description": "Cisco Catalyst switch",
     "support": "xsoar",
-    "currentVersion": "1.0.1",
+    "currentVersion": "1.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",