diff --git a/Packs/Cisco_Wireless_LAN_Controller/.pack-ignore b/Packs/Cisco_Wireless_LAN_Controller/.pack-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/Cisco_Wireless_LAN_Controller/.secrets-ignore b/Packs/Cisco_Wireless_LAN_Controller/.secrets-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.xif b/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.xif
new file mode 100644
index 000000000000..3a1331178ea8
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.xif
@@ -0,0 +1,439 @@
+[RULE: cisco_wlc_general_fields]
+alter
+	// General Extraction for all evennt types
+	get_msg_group = arraystring(regextract(_raw_log, "\%([^\-]+)\-\d+\-[^\:]+"), ""),
+	get_severity = arraystring(regextract(_raw_log, "\%[^\-]+\-(\d+)\-[^\:]+"), ""),
+	get_msg_code = arraystring(regextract(_raw_log, "\%[^\-]+\-\d+\-([^\:]+)"), ""),
+	get_description = arraystring(regextract(_raw_log, "\%[^\-]+\-\d+\-[^\:]+:\s+(.*)"), "")
+| alter
+	xdm.event.original_event_type = get_msg_group,
+	xdm.alert.severity = get_severity,
+	xdm.event.operation_sub_type = get_msg_code,
+	xdm.event.description = get_description,
+	xdm.event.log_level = if(get_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, get_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, get_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, get_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, get_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, get_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, get_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, get_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, get_severity = null, null, to_string(get_severity));
+
+
+[RULE: cisco_wlc_check_fields]
+alter
+	src_ip_v4 = if(get_source_ip !~= ":", get_source_ip, null),
+    src_ip_v6 = if(get_source_ip ~= ":", get_source_ip, null)
+| alter
+	xdm.source.ipv4 = src_ip_v4,
+	xdm.source.ipv6 = src_ip_v6;
+
+
+[MODEL: dataset = cisco_wlc_raw]
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "SESSION_MGR-5-FAIL"
+| call cisco_wlc_general_fields
+| alter
+	get_client = arraystring(regextract(_raw_log, "Authorization\s+failed\s+or\s+unapplied\s+for\s+client\s+\(([^\)]+)"), ""),
+	get_interface = arraystring(regextract(_raw_log, "on\s+Interface\s+([^\s]+)"), ""),
+	get_AuditSessionID = arraystring(regextract(_raw_log, "AuditSessionID\s+([^\s\.]+)"), ""),
+	get_failure_reason = arraystring(regextract(_raw_log, "Failure\s+reason:\s+([^\.]+)"), ""),
+	get_authc_failure_reason = arraystring(regextract(_raw_log, "Authc\s+failure\s+reason:\s+([^\.]+)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	check_source_mac_formatted = if(get_client ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_client, "[\da-fA-F]{2}"), ":"), null) 	// reformat the MAC from xxxx.xxxx.xxxx to 
+| alter
+	xdm.source.host.mac_addresses = arraycreate(check_source_mac_formatted),
+	xdm.target.interface = get_interface,
+	xdm.session_context_id = get_AuditSessionID,
+	xdm.event.outcome = if(get_failure_reason ~= "fail", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "FAIL", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "PASSED|SUCCESS", XDM_CONST.OUTCOME_SUCCESS, null),
+	xdm.event.outcome_reason = get_authc_failure_reason,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "DOT1X-5-FAIL"
+| call cisco_wlc_general_fields
+| alter
+	get_mac = arraystring(regextract(_raw_log, "for\s+client\s\(([^\)]+)"), ""),
+	get_reason = arraystring(regextract(_raw_log, "with\s+reason\s+\(([^\)]+)"), ""),
+	get_interface = arraystring(regextract(_raw_log, "on\s+Interface\s+([^\s]+)"), ""),
+	get_AuditSessionID = arraystring(regextract(_raw_log, "AuditSessionID\s+([^\s\.]+)"), ""),
+	get_username = arraystring(regextract(_raw_log, "Username\:\s+([^\s]+)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	check_source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.source.host.mac_addresses = arraycreate(check_source_mac_formatted),
+	xdm.event.outcome = if(get_reason ~= "fail", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "FAIL", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "PASSED|SUCCESS", XDM_CONST.OUTCOME_SUCCESS, null),
+	xdm.event.outcome_reason = get_reason,
+	xdm.target.interface = get_interface,
+	xdm.session_context_id = get_AuditSessionID,
+	xdm.source.user.username = get_username,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE"
+| call cisco_wlc_general_fields
+| alter
+	get_username = arraystring(regextract(_raw_log, "Username\s+entry\s+\(([^\)]+)"), ""),
+	get_ssid = arraystring(regextract(_raw_log, "with\s+ssid\s+\(([^\)]+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "device\s+with\s+MAC:\s+([^\s]+)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.source.user.username = get_username,
+	xdm.target.agent.identifier = get_ssid,
+	xdm.source.host.mac_addresses = arraycreate(source_mac_formatted),
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "SEC_LOGIN-5-LOGIN_SUCCESS"
+| call cisco_wlc_general_fields
+| alter
+	get_username = arraystring(regextract(_raw_log, "\[user:\s+([^\]]+)"), ""),
+	get_source_ip = arraystring(regextract(_raw_log, "\[Source:\s+([^\]]+)"), ""),
+	get_source_port = to_integer(arraystring(regextract(_raw_log, "\[localport:\s+([^\]]+)"), ""))
+| call cisco_wlc_check_fields
+| alter
+	xdm.source.user.username = get_username,
+	xdm.source.port = to_integer(get_source_port);
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "DMI-5-AUTH_PASSED"
+| call cisco_wlc_general_fields
+| alter
+	get_username = arraystring(regextract(_raw_log, "User[\s\']+([^\'\s]+)"), ""),
+	get_source_ip = arraystring(regextract(_raw_log, "successfully\s+from\s+([^\:]+)\:\d+"), ""),
+	get_source_port = to_integer(arraystring(regextract(_raw_log, "successfully\s+from\s+[^\:]+\:(\d+)"), "")),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| call cisco_wlc_check_fields
+| alter
+	xdm.source.user.username = get_username,
+	xdm.source.port = to_integer(get_source_port),
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "SYS-6-LOGOUT"
+| call cisco_wlc_general_fields
+| alter
+	get_username = arraystring(regextract(_raw_log, "User[\s\']+([^\'\s]+)"), ""),
+	get_source_ip = arraystring(regextract(_raw_log, "exited\s+tty\s+session\s+\d+\(([^\)]+)"), "")
+| call cisco_wlc_check_fields
+| alter
+	xdm.source.user.username = get_username;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "APMGR_TRACE_MESSAGE-3-AP_NTP_SYNC"
+| call cisco_wlc_general_fields
+| alter
+	get_access_point = arraystring(regextract(_raw_log, "wncd\:\s+AP\s+(\S+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "wncd\:\s+AP\s+\S+\s+MAC\s+([^\s\,]+)"), ""),
+	get_reason = arraystring(regextract(_raw_log, "\s+[Rr]eason:\s+(.*)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.target.host.hostname = get_access_point,
+	xdm.source.host.mac_addresses = arraycreate(source_mac_formatted),
+	xdm.event.outcome = if(get_reason ~= "fail|unreachable", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "FAIL", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "PASSED|SUCCESS", XDM_CONST.OUTCOME_SUCCESS, null),
+	xdm.event.outcome_reason = get_reason,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "EPM_PLUGIN-5-IGNORED_VLAN_VALIDATION"
+| call cisco_wlc_general_fields
+| alter
+	get_interface = arraystring(regextract(_raw_log, "wncd:\s+Vlan\s+(\S+)"), ""),
+	get_vlan_number = arraystring(regextract(_raw_log, "choosing\s+Vlan\s+(\d+)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	xdm.target.interface = get_interface,
+	xdm.target.vlan = to_integer(get_vlan_number),
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "APMGR_AWIPS_SYSLOG-6-APMGR_AWIPS_MESSAGE"
+| call cisco_wlc_general_fields
+| alter
+	get_mac1 = arraystring(regextract(_raw_log, "AWIPS\s+alarm\:\([^\)]+\)\s+([^\s]+)\s+"), ""),
+	get_mac2 = arraystring(regextract(_raw_log, "AWIPS\s+alarm\:\([^\)]+\)\s+[^\s]+\s+Radio\s+MAC\s+(\S+)"), ""),
+	get_access_point = arraystring(regextract(_raw_log, "AWIPS\s+alarm\:\(([^\)]+)"), ""),
+	get_ap_detection = arraystring(regextract(_raw_log, "AWIPS\s+alarm\:\([^\)]+\)\s+[^\s]+\s+Radio\s+MAC\s+\S+\s+(detected\s+.*)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	target_mac_formatted1 = if(get_mac1 ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac1, "[\da-fA-F]{2}"), ":"), get_mac1 ~= "\-|\:", get_mac1, null),
+	target_mac_formatted2 = if(get_mac2 ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac2, "[\da-fA-F]{2}"), ":"), get_mac2 ~= "\-|\:", get_mac2, null)
+| alter
+	xdm.target.host.mac_addresses = arraycreate(target_mac_formatted1, target_mac_formatted2),
+	xdm.target.host.hostname = get_access_point,
+	xdm.alert.description = get_ap_detection,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "CLIENT_ORCH_LOG-5-ADD_TO_EXCLUSIONLIST_REASON"
+| call cisco_wlc_general_fields
+| alter
+	get_mac = arraystring(regextract(_raw_log, "wncd:\s+Client\s+MAC:\s+([^\s\,]+)\s+with\s+IP:\s+\S+"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.source.host.mac_addresses = arraycreate(source_mac_formatted),
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC"
+| call cisco_wlc_general_fields
+| alter
+	get_access_point = arraystring(regextract(_raw_log, "AP\s+Name:\s*([^\s\,]+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "BSSID:MAC:\s+([^\s\,]+)"), ""),
+	get_reason = arraystring(regextract(_raw_log, "\s+[Rr]eason:\s*(.*)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.target.host.hostname = get_access_point,
+	xdm.source.host.mac_addresses = arraycreate(source_mac_formatted),
+	xdm.alert.description = get_reason,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN"
+| call cisco_wlc_general_fields
+| alter
+	get_access_point = arraystring(regextract(_raw_log, "AP\s+Name:\s*([^\s\,]+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "AP\s+Name:\s*[^\s\,]+\s+Mac\:\s*(.*)\s+Session-IP:"), ""),
+	get_target_ip1 = arraystring(regextract(_raw_log, "Session\-IP\:\s*([^\[]+)\[\d+"), ""),
+	get_target_ip2 = arraystring(regextract(_raw_log, "Session\-IP\:\s*[^\[]+\[\d+\]\s+([^\[]+)"), ""),
+	get_target_port = to_integer(arraystring(regextract(_raw_log, "Session\-IP\:\s*[^\[]+\[(\d+)"), "")),
+	get_reason = arraystring(regextract(_raw_log, "Session\-IP\:\s*[^\[]+\[\d+\]\s+\S+\s+(.*)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	target_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null),
+	tar_ip_v4_1 = if(get_target_ip1 !~= ":", get_target_ip1, null),
+    tar_ip_v6_1 = if(get_target_ip1 ~= ":", get_target_ip1, null),
+    tar_ip_v4_2 = if(get_target_ip2 !~= ":", get_target_ip2, null),
+    tar_ip_v6_2 = if(get_target_ip2 ~= ":", get_target_ip2, null)
+| alter
+	xdm.target.host.hostname = get_access_point,
+	xdm.target.host.mac_addresses = arraycreate(target_mac_formatted),
+	xdm.target.port = to_integer(get_target_port),
+	xdm.target.host.ipv4_addresses = arraycreate(tar_ip_v4_1, tar_ip_v4_2),
+	xdm.target.host.ipv6_addresses = arraycreate(tar_ip_v6_1, tar_ip_v6_2),
+	xdm.alert.description = get_reason,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "MM_LOG-4-RETRIES_FAILED"
+| call cisco_wlc_general_fields
+| alter
+	get_mac = arraystring(regextract(_raw_log, "MAC:\s+(\S+):"), ""),
+	get_target_ip = arraystring(regextract(_raw_log, "ipv4:\s+(\S+)"), ""),
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), "")
+| alter
+	source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.source.host.mac_addresses = arraycreate(source_mac_formatted),
+	xdm.target.ipv4 = get_target_ip,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "SYS-5-CONFIG_P"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "by\s+process\s+(\S+)"), ""),
+	get_console = arraystring(regextract(_raw_log, "from\s+console\s+as\s+(\S+)"), ""),
+	get_line_interface = arraystring(regextract(_raw_log, "from\s+console\s+as\s+\S+\s+on\s+(\S+)"), "")
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.source.agent.identifier = get_console,
+	xdm.source.agent.type = get_line_interface;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "FMANFP-6-IPACCESSLOGP"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_acl = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+[^\:]+:\s+list\s+(\S+)"), ""),
+	get_protocol = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+[^\:]+:\s+list\s+\S+\s+permitted\s+(\S+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+[^\:]+:\s+list\s+\S+\s+permitted\s+\S+\s+(\S+)"), ""),
+	get_source_ip = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+[^\:]+:\s+list\s+\S+\s+permitted\s+\S+\s+\S+\s+([^\(]+)"), ""),
+	get_source_port = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+[^\:]+:\s+list\s+\S+\s+permitted\s+\S+\s+\S+\s+[^\(]+\((\d+)"), ""),
+	get_target_ip = arraystring(regextract(_raw_log, "->\s+([^\(]+)"), ""),
+	get_target_port = arraystring(regextract(_raw_log, "->\s+[^\(]+\((\d+)"), "")
+| alter
+	source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null),
+	proto = uppercase(get_protocol),
+	tar_ip_v4 = if(get_target_ip !~= ":", get_target_ip, null),
+    tar_ip_v6 = if(get_target_ip ~= ":", get_target_ip, null)
+| call cisco_wlc_check_fields
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.network.rule = get_acl,
+	xdm.network.ip_protocol = if(proto="HOPOPT",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="ICMP",XDM_CONST.IP_PROTOCOL_ICMP, proto="IGMP",XDM_CONST.IP_PROTOCOL_IGMP, proto="GGP",XDM_CONST.IP_PROTOCOL_GGP, proto="IP",XDM_CONST.IP_PROTOCOL_IP, proto="ST",XDM_CONST.IP_PROTOCOL_ST, proto="TCP",XDM_CONST.IP_PROTOCOL_TCP, proto="CBT",XDM_CONST.IP_PROTOCOL_CBT, proto="EGP",XDM_CONST.IP_PROTOCOL_EGP, proto="IGP",XDM_CONST.IP_PROTOCOL_IGP, proto="BBN_RCC_MON",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="NVP_II",XDM_CONST.IP_PROTOCOL_NVP_II, proto="PUP",XDM_CONST.IP_PROTOCOL_PUP, proto="ARGUS",XDM_CONST.IP_PROTOCOL_ARGUS, proto="EMCON",XDM_CONST.IP_PROTOCOL_EMCON, proto="XNET",XDM_CONST.IP_PROTOCOL_XNET, proto="CHAOS",XDM_CONST.IP_PROTOCOL_CHAOS, proto="UDP",XDM_CONST.IP_PROTOCOL_UDP, proto="MUX",XDM_CONST.IP_PROTOCOL_MUX, proto="DCN_MEAS",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="HMP",XDM_CONST.IP_PROTOCOL_HMP, proto="PRM",XDM_CONST.IP_PROTOCOL_PRM, proto="XNS_IDP",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="TRUNK_1",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="TRUNK_2",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="LEAF_1",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="LEAF_2",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="RDP",XDM_CONST.IP_PROTOCOL_RDP, proto="IRTP",XDM_CONST.IP_PROTOCOL_IRTP, proto="ISO_TP4",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="NETBLT",XDM_CONST.IP_PROTOCOL_NETBLT, proto="MFE_NSP",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="MERIT_INP",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="DCCP",XDM_CONST.IP_PROTOCOL_DCCP, proto="3PC",XDM_CONST.IP_PROTOCOL_3PC, proto="IDPR",XDM_CONST.IP_PROTOCOL_IDPR, proto="XTP",XDM_CONST.IP_PROTOCOL_XTP, proto="DDP",XDM_CONST.IP_PROTOCOL_DDP, proto="IDPR_CMTP",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="TP",XDM_CONST.IP_PROTOCOL_TP, proto="IL",XDM_CONST.IP_PROTOCOL_IL, proto="IPV6",XDM_CONST.IP_PROTOCOL_IPV6, proto="SDRP",XDM_CONST.IP_PROTOCOL_SDRP, proto="IPV6_ROUTE",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="IPV6_FRAG",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="IDRP",XDM_CONST.IP_PROTOCOL_IDRP, proto="RSVP",XDM_CONST.IP_PROTOCOL_RSVP, proto="GRE",XDM_CONST.IP_PROTOCOL_GRE, proto="DSR",XDM_CONST.IP_PROTOCOL_DSR, proto="BNA",XDM_CONST.IP_PROTOCOL_BNA, proto="ESP",XDM_CONST.IP_PROTOCOL_ESP, proto="AH",XDM_CONST.IP_PROTOCOL_AH, proto="I_NLSP",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="SWIPE",XDM_CONST.IP_PROTOCOL_SWIPE, proto="NARP",XDM_CONST.IP_PROTOCOL_NARP, proto="MOBILE",XDM_CONST.IP_PROTOCOL_MOBILE, proto="TLSP",XDM_CONST.IP_PROTOCOL_TLSP, proto="SKIP",XDM_CONST.IP_PROTOCOL_SKIP, proto="IPV6_ICMP",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="IPV6_NONXT",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="IPV6_OPTS",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="CFTP",XDM_CONST.IP_PROTOCOL_CFTP, proto="SAT_EXPAK",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="KRYPTOLAN",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="RVD",XDM_CONST.IP_PROTOCOL_RVD, proto="IPPC",XDM_CONST.IP_PROTOCOL_IPPC, proto="SAT_MON",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="VISA",XDM_CONST.IP_PROTOCOL_VISA, proto="IPCV",XDM_CONST.IP_PROTOCOL_IPCV, proto="CPNX",XDM_CONST.IP_PROTOCOL_CPNX, proto="CPHB",XDM_CONST.IP_PROTOCOL_CPHB, proto="WSN",XDM_CONST.IP_PROTOCOL_WSN, proto="PVP",XDM_CONST.IP_PROTOCOL_PVP, proto="BR_SAT_MON",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="SUN_ND",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="WB_MON",XDM_CONST.IP_PROTOCOL_WB_MON, proto="WB_EXPAK",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="ISO_IP",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="VMTP",XDM_CONST.IP_PROTOCOL_VMTP, proto="SECURE_VMTP",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="VINES",XDM_CONST.IP_PROTOCOL_VINES, proto="TTP",XDM_CONST.IP_PROTOCOL_TTP, proto="NSFNET_IGP",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="DGP",XDM_CONST.IP_PROTOCOL_DGP, proto="TCF",XDM_CONST.IP_PROTOCOL_TCF, proto="EIGRP",XDM_CONST.IP_PROTOCOL_EIGRP, proto="OSPFIGP",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="SPRITE_RPC",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="LARP",XDM_CONST.IP_PROTOCOL_LARP, proto="MTP",XDM_CONST.IP_PROTOCOL_MTP, proto="AX25",XDM_CONST.IP_PROTOCOL_AX25, proto="IPIP",XDM_CONST.IP_PROTOCOL_IPIP, proto="MICP",XDM_CONST.IP_PROTOCOL_MICP, proto="SCC_SP",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="ETHERIP",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="ENCAP",XDM_CONST.IP_PROTOCOL_ENCAP, proto="GMTP",XDM_CONST.IP_PROTOCOL_GMTP, proto="IFMP",XDM_CONST.IP_PROTOCOL_IFMP, proto="PNNI",XDM_CONST.IP_PROTOCOL_PNNI, proto="PIM",XDM_CONST.IP_PROTOCOL_PIM, proto="ARIS",XDM_CONST.IP_PROTOCOL_ARIS, proto="SCPS",XDM_CONST.IP_PROTOCOL_SCPS, proto="QNX",XDM_CONST.IP_PROTOCOL_QNX, proto="AN",XDM_CONST.IP_PROTOCOL_AN, proto="IPCOMP",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="COMPAQ_PEER",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="IPX_IN_IP",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="VRRP",XDM_CONST.IP_PROTOCOL_VRRP, proto="PGM",XDM_CONST.IP_PROTOCOL_PGM, proto="L2TP",XDM_CONST.IP_PROTOCOL_L2TP, proto="DDX",XDM_CONST.IP_PROTOCOL_DDX, proto="IATP",XDM_CONST.IP_PROTOCOL_IATP, proto="STP",XDM_CONST.IP_PROTOCOL_STP, proto="SRP",XDM_CONST.IP_PROTOCOL_SRP, proto="UTI",XDM_CONST.IP_PROTOCOL_UTI, proto="SMP",XDM_CONST.IP_PROTOCOL_SMP, proto="SM",XDM_CONST.IP_PROTOCOL_SM, proto="PTP",XDM_CONST.IP_PROTOCOL_PTP, proto="ISIS",XDM_CONST.IP_PROTOCOL_ISIS, proto="FIRE",XDM_CONST.IP_PROTOCOL_FIRE, proto="CRTP",XDM_CONST.IP_PROTOCOL_CRTP, proto="CRUDP",XDM_CONST.IP_PROTOCOL_CRUDP, proto="SSCOPMCE",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="IPLT",XDM_CONST.IP_PROTOCOL_IPLT, proto="SPS",XDM_CONST.IP_PROTOCOL_SPS, proto="PIPE",XDM_CONST.IP_PROTOCOL_PIPE, proto="SCTP",XDM_CONST.IP_PROTOCOL_SCTP, proto="FC",XDM_CONST.IP_PROTOCOL_FC, proto="RSVP_E2E_IGNORE",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="MOBILITY",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="UDPLITE",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="MPLS_IN_IP",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP, proto = null, null, to_string(proto)),
+	xdm.source.host.mac_addresses = arraycreate(source_mac_formatted),
+	xdm.source.port = to_integer(get_source_port),
+	xdm.target.ipv4 = tar_ip_v4,
+	xdm.target.ipv6 = tar_ip_v6,
+	xdm.target.port = to_integer(get_target_port);
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "MAB-5-FAIL"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "for\s+client\s\(([^\)]+)"), ""),
+	get_reason = arraystring(regextract(_raw_log, "with\s+reason\s+\(([^\)]+)"), ""),
+	get_interface = arraystring(regextract(_raw_log, "on\s+Interface\s+([^\s]+)"), ""),
+	get_AuditSessionID = arraystring(regextract(_raw_log, "AuditSessionID\s+([^\s\.]+)"), "")
+| alter
+	check_source_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.source.host.mac_addresses = arraycreate(check_source_mac_formatted),
+	xdm.event.outcome = if(get_reason ~= "[Ff]ail", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "FAIL", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "PASSED|SUCCESS", XDM_CONST.OUTCOME_SUCCESS, null),
+	xdm.event.outcome_reason = get_reason,
+	xdm.target.interface = get_interface,
+	xdm.session_context_id = get_AuditSessionID,
+	xdm.source.process.name = get_process_name;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "APMGR_TRACE_MESSAGE-6-WLC_APMGR_INFO"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_access_point = arraystring(regextract(_raw_log, "from\s+AP\s+\<([^\s\>]+)"), "")
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.target.host.hostname = get_access_point;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "MM_INFRA_LOG-3-MSG_PROC_FAILED"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_mac1 = arraystring(regextract(_raw_log, "Pkt\s+MAC\:\s+(\S+)"), ""),
+	get_mac2 = arraystring(regextract(_raw_log, "Pkt\s+MAC\:\s+[^\s]+\s+Peer\s+MAC:\s+(\S+)"), ""),
+	get_reason = arraystring(regextract(_raw_log, "reason:\s+(.*)"), "")
+| alter
+	check_source_mac_formatted_1 = if(get_mac1 ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac1, "[\da-fA-F]{2}"), ":"), get_mac1 ~= "\-|\:", get_mac1, null),
+	check_source_mac_formatted_2 = if(get_mac2 ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac2, "[\da-fA-F]{2}"), ":"), get_mac2 ~= "\-|\:", get_mac2, null)
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.source.host.mac_addresses = arraycreate(check_source_mac_formatted_1),
+	xdm.target.host.mac_addresses = arraycreate(check_source_mac_formatted_2),
+	xdm.event.outcome = if(get_reason ~= "[Ff]ail", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "FAIL", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "PASSED|SUCCESS", XDM_CONST.OUTCOME_SUCCESS, null),
+	xdm.event.outcome_reason = get_reason;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "MM_NODE_LOG-5-KEEP_ALIVE"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_target_ip = arraystring(regextract(_raw_log, "peer\s+IP:\s+(\S+)"), "")
+| alter
+	tar_ip_v4 = if(get_target_ip !~= ":", get_target_ip, null),
+    tar_ip_v6 = if(get_target_ip ~= ":", get_target_ip, null)
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.target.ipv4 = tar_ip_v4,
+	xdm.target.ipv6 = tar_ip_v6;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "MM_INFRA_LOG-3-RECV_FAILED"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_source_ip = arraystring(regextract(_raw_log, "ipv4\:\s+(\S+)"), ""),
+	get_reason = arraystring(regextract(_raw_log, "reason:\s+(.*)"), "")
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.source.ipv4 = get_source_ip,
+	xdm.event.outcome = if(get_reason ~= "[Ff]ail", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "FAIL", XDM_CONST.OUTCOME_FAILED, get_msg_code ~= "PASSED|SUCCESS", XDM_CONST.OUTCOME_SUCCESS, null),
+	xdm.event.outcome_reason = get_reason;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "WEBSERVER-5-LOGIN_PASSED"
+| call cisco_wlc_general_fields
+| alter
+	get_source_ip = arraystring(regextract(_raw_log, "from\s+host\s+(\S+)"), ""),
+	get_username = arraystring(regextract(_raw_log, "user[\s\']*([^\s\']+)"), ""),
+	get_cipher = arraystring(regextract(_raw_log, "cipher[\s\']*([^\s\']+)"), "")
+| call cisco_wlc_check_fields
+| alter
+	xdm.source.user.username = get_username,
+	xdm.network.tls.cipher = get_cipher;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "SEC_LOGIN-5-WEBLOGIN_SUCCESS"
+| call cisco_wlc_general_fields
+| alter
+	get_username = arraystring(regextract(_raw_log, "\[user\:\s+([^\]]+)"), ""),
+	get_source_ip = arraystring(regextract(_raw_log, "\[Source\:\s+([^\]]+)"), "")
+| call cisco_wlc_check_fields		
+| alter
+	xdm.source.user.username = get_username;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type ~= "APMGR_TRACE_MESSAGE-4-WLC_APMGR_WARNING_MSG"
+| call cisco_wlc_general_fields
+| alter
+	get_process_name = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+([^\:]+)"), ""),
+	get_mac = arraystring(regextract(_raw_log, "%\S+\s+\S+\s+\d+\s+\S+\s+[^\:]+\:\s+[^\s\,]+\,\s+(\S+)"), ""),
+	get_access_point = arraystring(regextract(_raw_log, "Name\s+\:\s+(\S+)"), ""),
+	get_change_type =  arraystring(regextract(_raw_log, "Name\s+\:\s+\S+\s+(\S+)\s+changed"), ""),
+	get_change_b_value =  arraystring(regextract(_raw_log, "Name\s+\:\s+\S+\s+\S+\s+changed\s+from\s(\S*)"), ""),
+	get_change_value =  arraystring(regextract(_raw_log, "Name\s+\:\s+\S+\s+\S+\s+changed\s+from\s\S*\s+to\s+(\S+)"), "")
+| alter
+	check_target_mac_formatted = if(get_mac ~= "[\da-fA-F]{4}\.[\da-fA-F]{4}\.[\da-fA-F]{4}", arraystring(regextract(get_mac, "[\da-fA-F]{2}"), ":"), get_mac ~= "\-|\:", get_mac, null)
+| alter
+	xdm.source.process.name = get_process_name,
+	xdm.target.host.mac_addresses = arraycreate(check_target_mac_formatted),
+	xdm.target.host.hostname = get_access_point,
+	xdm.target.resource.type = get_change_type,
+	xdm.target.resource_before.value = get_change_b_value,
+	xdm.target.resource.value = get_change_value;
+
+
+alter
+	get_event_type = arraystring(regextract(_raw_log, "\%([^\s\:]+)"), "")
+| filter get_event_type !~= "SESSION_MGR-5-FAIL|DOT1X-5-FAIL|CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE|SEC_LOGIN-5-LOGIN_SUCCESS|DMI-5-AUTH_PASSED|SYS-6-LOGOUT|APMGR_TRACE_MESSAGE-3-AP_NTP_SYNC|EPM_PLUGIN-5-IGNORED_VLAN_VALIDATION|APMGR_AWIPS_SYSLOG-6-APMGR_AWIPS_MESSAGE|CLIENT_ORCH_LOG-5-ADD_TO_EXCLUSIONLIST_REASON|CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC|CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN|MM_LOG-4-RETRIES_FAILED|SYS-5-CONFIG_P|FMANFP-6-IPACCESSLOGP|MAB-5-FAIL|APMGR_TRACE_MESSAGE-6-WLC_APMGR_INFO|MM_INFRA_LOG-3-MSG_PROC_FAILED|MM_NODE_LOG-5-KEEP_ALIVE|MM_INFRA_LOG-3-RECV_FAILED|WEBSERVER-5-LOGIN_PASSED|SEC_LOGIN-5-WEBLOGIN_SUCCESS|APMGR_TRACE_MESSAGE-4-WLC_APMGR_WARNING_MSG"
+| call cisco_wlc_general_fields;
\ No newline at end of file
diff --git a/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.yml b/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.yml
new file mode 100644
index 000000000000..278c9108020c
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.yml
@@ -0,0 +1,6 @@
+fromversion: 8.3.0
+id: Cisco_WLC_ModelingRule
+name: Cisco WLC Modeling Rule
+rules: ''
+schema: ''
+tags: ''
\ No newline at end of file
diff --git a/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller_schema.json b/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller_schema.json
new file mode 100644
index 000000000000..ef078bad6b28
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/ModelingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller_schema.json
@@ -0,0 +1,8 @@
+{
+  "cisco_wlc_raw": {
+    "_raw_log": {
+      "type": "string",
+      "is_array": false
+    }
+  }
+}
\ No newline at end of file
diff --git a/Packs/Cisco_Wireless_LAN_Controller/ParsingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.xif b/Packs/Cisco_Wireless_LAN_Controller/ParsingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.xif
new file mode 100644
index 000000000000..a8260a6d0ff5
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/ParsingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.xif
@@ -0,0 +1,19 @@
+[INGEST:vendor="cisco", product="wlc", target_dataset="cisco_wlc_raw", no_hit=keep]
+// Supported date time formats: 
+// - MMM dd hh:mm:ss.nnn
+// - MMM dd hh:mm:ss.nnn TZ
+// - yyyy MMM dd hh:mm:ss.nnn
+// - yyyy MMM dd hh:mm:ss.nnn TZ
+// For example: "2021 Jan 01 10:00:00.123 UTC".
+filter _raw_log ~= "\d*\s*\S+\s+\d+\s+\S+\s*\S*\:\s+\%"
+| alter
+    tmp_get_log_datetime = arraystring(regextract(_raw_log, "(\d*\s*\S+\s+\d+\s+\S+)\s*\S*\:\s+\%"), "")
+| alter
+    tmp_get_year = if(tmp_get_log_datetime ~= "\d{4}", arraystring(regextract(tmp_get_log_datetime, "\d{4}"), ""), "1970"),
+    tmp_get_time_milli = arraystring(regextract(tmp_get_log_datetime, "\d{2}:\d{2}:\d{2}\.\d{3}"), ""),
+    tmp_get_month_day = arraystring(regextract(tmp_get_log_datetime, "(\S+\s\d+)\s"), "")
+| alter
+    tmp_full_timestamp = arraystring(arraycreate(tmp_get_year, tmp_get_month_day, tmp_get_time_milli), " ")
+| alter
+    _time = if(tmp_full_timestamp ~= "1970", _insert_time, parse_timestamp("%Y %h %e %H:%M:%E3S", tmp_full_timestamp))
+| fields -tmp_get_log_datetime, tmp_get_year, tmp_get_time_milli, tmp_get_month_day, tmp_full_timestamp;
\ No newline at end of file
diff --git a/Packs/Cisco_Wireless_LAN_Controller/ParsingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.yml b/Packs/Cisco_Wireless_LAN_Controller/ParsingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.yml
new file mode 100644
index 000000000000..d15b7a05d5bc
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/ParsingRules/Cisco_Wireless_LAN_Controller/Cisco_Wireless_LAN_Controller.yml
@@ -0,0 +1,6 @@
+name: Cisco WLC Parsing Rule
+id: Cisco_WLC_ParsingRule
+fromversion: 8.3.0
+tags: []
+rules: ''
+samples: ''
\ No newline at end of file
diff --git a/Packs/Cisco_Wireless_LAN_Controller/README.md b/Packs/Cisco_Wireless_LAN_Controller/README.md
new file mode 100644
index 000000000000..90c13f9bff76
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/README.md
@@ -0,0 +1,72 @@
+# Cisco Wireless LAN Controller (WLC)
+ 
+<~XSIAM>
+ 
+This pack includes Cortex XSIAM content.
+ 
+
+## Message Logging Configuration
+You need to configure Cisco WLC to forward Syslog messages.
+
+* Product documentation for configuring message logging either from the GUI and CLI - [Link](https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/configuring_system_and_message_logging.html#sys-msg-logging).
+
+Open your Cisco WLC GUI, and follow these instructions:
+1. Go to Management &rarr; Logs &rarr; Config. The Syslog Configuration page appears.
+2. In the **Syslog Server IP Address** field, enter the IPv4/IPv6 address of the server to which to send the syslog messages and click Add.
+3. Optional, to set the severity level for filtering syslog messages to the syslog servers, choose one of the options under **Syslog Level**.
+4. Optional, to set the facility for outgoing syslog messages to the syslog servers, choose one of the options under **Syslog Facility**.
+5. Click **Apply**.
+6. Optional, to set the severity level for logging messages to the controller buffer and console, choose one of the options from either the **Buffered Log Level** and **Console Log Level** dropdown lists.
+7. Select the **File Info** checkbox if you want the message logs to include information about the source file. The default value is enabled.
+8. Select the **Trace Info** checkbox if you want the message logs to include traceback information. The default is disabled.
+9. Click **Apply**.
+10. Click **Save Configuration**.
+
+
+## Timestamp Ingestion
+
+The following timestamp formats are currently supported for ingestion from Cisco WLC Syslog Messages in UTC time:
+* MMM dd hh:mm:ss.nnn
+* MMM dd hh:mm:ss.nnn TZ
+* yyyy MMM dd hh:mm:ss.nnn
+* yyyy MMM dd hh:mm:ss.nnn TZ
+
+In order to configure one of the above formats, follow these instructions:
+1. Open your Cisco WLC CLI terminal, and type **enable** to enter Privileged EXEC mode.
+2. Enter Global Configuration Mode by either typing **configure terminal** or **conf t**.
+3. To configure the timezone in UTC format, type:
+```bash
+config time timezone enable 0 0
+```
+4. For adding a **year** and **milliseconds** to your syslog messages, type:
+```bash
+config service timestamps log datetime year msec
+```
+5. Revert back to Privileged EXEC mode by typing **end**. 
+6. Save your changes by either typing 
+```bash
+write memory
+OR
+copy running-config startup-config 
+```
+And wait for system confirmation.
+
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+ 
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+ 
+You can configure the specific vendor and product for this instance.
+ 
+1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**.
+2. Go to the **Apps** column under the **Brokers** tab and add the **Syslog Collector** app for the relevant broker instance. If the app already exists, hover over it and click **Configure**.
+3. Click **Add New** for adding a new syslog data source.
+4. When configuring the new syslog data source, set the following values:
+   | Parameter     | Value   
+   | :---          | :---        
+   | `Vendor`      | Enter **cisco**.
+   | `Product`     | Enter **wlc**.
+ 
+</~XSIAM>
\ No newline at end of file
diff --git a/Packs/Cisco_Wireless_LAN_Controller/pack_metadata.json b/Packs/Cisco_Wireless_LAN_Controller/pack_metadata.json
new file mode 100644
index 000000000000..17e9d5579f25
--- /dev/null
+++ b/Packs/Cisco_Wireless_LAN_Controller/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+    "name": "Cisco Wireless LAN Controller",
+    "description": "Cisco Wireless LAN Controller (WLC) is used to manage and ensure seamless and secure wireless communication within organizations.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}
\ No newline at end of file