From 5635a48692b2ca0fff49468cc4159b46caa89461 Mon Sep 17 00:00:00 2001
From: eepstain
Date: Wed, 21 Dec 2022 10:12:42 +0200
Subject: [PATCH 1/8] Updated Parsing Rule
---
 .../ParsingRules/DuoParsingRules/DuoParsingRules.xif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
index d921ffb7fd4a..a08037c68bb8 100644
--- a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
+++ b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
@@ -1,6 +1,6 @@
-[INGEST:vendor="duo", product="duo", target_dataset="duo_duo_raw", no_hit=drop]
+[INGEST:vendor="duo", product="duo", target_dataset="duo_duo_raw", no_hit=keep]
 alter tmp_time_part = to_string(TIMESTAMP),
- tmp_mili_part = arraystring(regextract(ISOTIMESTAMP, "\:\d{2}\.(\d{3})"), "")
+ tmp_mili_part = arraystring(regextract(to_string(ISOTIMESTAMP), "\:\d{2}\.(\d{3})"), "")
 | alter tmp_con_time = to_integer(concat(tmp_time_part, tmp_mili_part))
 | alter _time = to_timestamp(tmp_con_time, "millis")
 | fields -tmp_time_part, tmp_mili_part, tmp_con_time;
\ No newline at end of file
From 14ab53fe7bf922f871a409f1356d57415e2cc322 Mon Sep 17 00:00:00 2001
From: eepstain
Date: Wed, 21 Dec 2022 10:14:44 +0200
Subject: [PATCH 2/8] Updated ReleaseNotes
---
 Packs/DuoAdminApi/ReleaseNotes/3_1_8.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
diff --git a/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md b/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
new file mode 100644
index 000000000000..677678f94ad7
--- /dev/null
+++ b/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
@@ -0,0 +1,4 @@
+
+#### Parsing Rules
+##### Duo Parsing Rule
+- %%UPDATE_RN%%
From f8129883c933ec5c5e78ec75cc7102503c68abbd Mon Sep 17 00:00:00 2001
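Review bot: Switching the header from `no_hit=drop` to `no_hit=keep` is a behaviour change — events that match no rule are now ingested rather than discarded (presumably with the platform's default `_time`) — and neither release-note wording added later in this series (`3_1_8.md`) mentions it; a line such as `- Events that do not match the parsing rule are now kept instead of dropped.` would let operators anticipate the extra volume and the differently-stamped events. The new `to_string(ISOTIMESTAMP)` only widens what `regextract` accepts: when the regex finds no three-digit fraction, `tmp_mili_part` is an empty string, `concat` yields the bare seconds value, and `to_timestamp(..., "millis")` places the event in January 1970, outside any realistic search or correlation window. Patches 7/8 of this series add a length check for that case, so the point is moot if the series is squashed; otherwise this commit on its own leaves that gap.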
From: eepstain
Date: Wed, 21 Dec 2022 10:14:58 +0200
Subject: [PATCH 3/8] Updated ReleaseNotes
---
 Packs/DuoAdminApi/ReleaseNotes/3_1_8.md | 2 +-
 Packs/DuoAdminApi/pack_metadata.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md b/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
index 677678f94ad7..3ed0327cec51 100644
--- a/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
+++ b/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
@@ -1,4 +1,4 @@
 
 #### Parsing Rules
 ##### Duo Parsing Rule
-- %%UPDATE_RN%%
+- Updated Parsing Rule logic.
diff --git a/Packs/DuoAdminApi/pack_metadata.json b/Packs/DuoAdminApi/pack_metadata.json
index 17930a763726..107e9696181f 100644
--- a/Packs/DuoAdminApi/pack_metadata.json
+++ b/Packs/DuoAdminApi/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "DUO Admin",
 "description": "DUO for admins.\nMust have access to the admin api in order to use this",
 "support": "xsoar",
- "currentVersion": "3.1.7",
+ "currentVersion": "3.1.8",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From ea7fc958210af8cecccf2064f844363234ca46a7 Mon Sep 17 00:00:00 2001
From: eepstain
Date: Wed, 21 Dec 2022 10:27:28 +0200
Subject: [PATCH 4/8] Update ParsingRules
---
 .../ParsingRules/DuoParsingRules/DuoParsingRules.xif | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
index a08037c68bb8..d6a680118303 100644
--- a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
+++ b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
@@ -1,6 +1,9 @@
 [INGEST:vendor="duo", product="duo", target_dataset="duo_duo_raw", no_hit=keep]
-alter tmp_time_part = to_string(TIMESTAMP),
- tmp_mili_part = arraystring(regextract(to_string(ISOTIMESTAMP), "\:\d{2}\.(\d{3})"), "")
-| alter tmp_con_time = to_integer(concat(tmp_time_part, tmp_mili_part))
-| alter _time = to_timestamp(tmp_con_time, "millis")
+alter
+ tmp_time_part = to_string(timestamp),
+ tmp_mili_part = arraystring(regextract(to_string(isotimestamp), "\:\d{2}\.(\d{3})"), "")
+| alter
+ tmp_con_time = to_integer(concat(tmp_time_part, tmp_mili_part))
+| alter
+ _time = to_timestamp(tmp_con_time, "millis")
 | fields -tmp_time_part, tmp_mili_part, tmp_con_time;
\ No newline at end of file
From 27ecd068e2559975cfbddaf90833cd67142c5ad7 Mon Sep 17 00:00:00 2001
From: eepstain <116078117+eepstain@users.noreply.github.com>
Date: Wed, 21 Dec 2022 11:32:13 +0200
Subject: [PATCH 5/8] Update 3_1_8.md
---
 Packs/DuoAdminApi/ReleaseNotes/3_1_8.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md b/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
index 3ed0327cec51..7265a035d928 100644
--- a/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
+++ b/Packs/DuoAdminApi/ReleaseNotes/3_1_8.md
@@ -1,4 +1,4 @@
 
 #### Parsing Rules
 ##### Duo Parsing Rule
-- Updated Parsing Rule logic.
+- Fixed an issue with Parsing Rule.
From c1581b08ccfd91c1c12cd45756d8baeebd615700 Mon Sep 17 00:00:00 2001
From: eepstain
Date: Wed, 21 Dec 2022 12:14:12 +0200
Subject: [PATCH 6/8] Updated DuoParsingRules
---
 .../ParsingRules/DuoParsingRules/DuoParsingRules.xif | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
index d6a680118303..ea73f3656aca 100644
--- a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
+++ b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
@@ -1,7 +1,7 @@
 [INGEST:vendor="duo", product="duo", target_dataset="duo_duo_raw", no_hit=keep]
 alter
- tmp_time_part = to_string(timestamp),
- tmp_mili_part = arraystring(regextract(to_string(isotimestamp), "\:\d{2}\.(\d{3})"), "")
+ tmp_time_part = to_string(TIMESTAMP),
+ tmp_mili_part = arraystring(regextract(to_string(ISOTIMESTAMP), "\:\d{2}\.(\d{3})"), "")
 | alter
 tmp_con_time = to_integer(concat(tmp_time_part, tmp_mili_part))
 | alter
From c37eb16c66042902d5daa775be5be0c84131552e Mon Sep 17 00:00:00 2001
From: eepstain
Date: Thu, 22 Dec 2022 12:35:50 +0200
Subject: [PATCH 7/8] Updated ParsingRules logic
---
 .../DuoParsingRules/DuoParsingRules.xif | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
index ea73f3656aca..528485484e28 100644
--- a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
+++ b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
@@ -1,9 +1,12 @@
 [INGEST:vendor="duo", product="duo", target_dataset="duo_duo_raw", no_hit=keep]
 alter
- tmp_time_part = to_string(TIMESTAMP),
- tmp_mili_part = arraystring(regextract(to_string(ISOTIMESTAMP), "\:\d{2}\.(\d{3})"), "")
+ tmp_time_part = to_string(coalesce(timestamp, TIMESTAMP)),
+ tmp_mili_part = arraystring(regextract(to_string(coalesce(isotimestamp, ISOTIMESTAMP)), "\:\d{2}\.(\d{3})"), "")
 | alter
- tmp_con_time = to_integer(concat(tmp_time_part, tmp_mili_part))
+ tmp_con_time = concat(tmp_time_part, tmp_mili_part)
 | alter
- _time = to_timestamp(tmp_con_time, "millis")
-| fields -tmp_time_part, tmp_mili_part, tmp_con_time;
\ No newline at end of file
+ tmp_num = len(tmp_con_time),
+ tmp_prepare = to_integer(tmp_con_time)
+|alter
+ _time = if(tmp_num > 10, to_timestamp(tmp_prepare , "millis"), to_timestamp(tmp_prepare , "seconds"))
+| fields tmp_time_part, tmp_mili_part, tmp_con_time, tmp_num, tmp_prepare;
\ No newline at end of file
From 0ce714b682e1a2e98afedf2011931ad3838c888e Mon Sep 17 00:00:00 2001
From: eepstain
Date: Thu, 22 Dec 2022 12:37:26 +0200
Subject: [PATCH 8/8] Updated Parsing Rule logic
---
 .../ParsingRules/DuoParsingRules/DuoParsingRules.xif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
index 528485484e28..f1da115c68bf 100644
--- a/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
+++ b/Packs/DuoAdminApi/ParsingRules/DuoParsingRules/DuoParsingRules.xif
@@ -9,4 +9,4 @@ alter
 tmp_prepare = to_integer(tmp_con_time)
 |alter
 _time = if(tmp_num > 10, to_timestamp(tmp_prepare , "millis"), to_timestamp(tmp_prepare , "seconds"))
-| fields tmp_time_part, tmp_mili_part, tmp_con_time, tmp_num, tmp_prepare;
\ No newline at end of file
+| fields -tmp_time_part, tmp_mili_part, tmp_con_time, tmp_num, tmp_prepare;
\ No newline at end of file
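Review bot: The `tmp_num > 10` test in the new `_time` assignment encodes an undocumented assumption — that `coalesce(timestamp, TIMESTAMP)` is a 10-digit epoch-seconds value, so 13 characters means three millisecond digits were appended and anything at or below 10 is seconds — and the rule carries no comment saying so; a header line such as `// timestamp is epoch seconds; isotimestamp supplies the 3-digit ms fraction when present, hence the length test on the concatenation` would stop the next maintainer from "simplifying" it. If the source ever emits `timestamp` already in milliseconds, the concatenation would be 16 characters and still be read as millis, yielding a far-future `_time`; I cannot confirm the field's shape from this diff, so it is worth checking against sample events. The `timestamp`/`TIMESTAMP` flip in patches 4 and 6 and the `coalesce` introduced here suggest both casings occur in the raw data, which also deserves a comment at the `alter`. Style: `|alter` lacks the space after the pipe that every other stage uses, and `tmp_prepare ,` has a stray space before the comma in both `to_timestamp` calls. Because `_time` drives retention, search windows and correlation-rule matching, a mis-parsed timestamp silently moves an event out of detection scope rather than failing loudly.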