demisto · eepstain · Nov 28, 2023 · Nov 27, 2023 · Nov 27, 2023 · Nov 27, 2023
diff --git a/...ngRules/MicrosoftIISWebServerModelingRules_1_3/MicrosoftIISWebServerModelingRules_1_3.xif b/...ngRules/MicrosoftIISWebServerModelingRules_1_3/MicrosoftIISWebServerModelingRules_1_3.xif
@@ -1,35 +1,36 @@
 [MODEL: dataset="iis_iis_raw"]
-alter c_sitename = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s([A-Za-z0-9-_]{4,})"),0),
-    S_computername = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s\w+\s(\S+)"),0),
-    Cs_method = arrayindex(regextract(_raw_log,"([A-Z]+)\s\/\S*\s"),0),
-    Cs_uri_stem = arrayindex(regextract(_raw_log,"[A-Z]+\s(\/\S*)\s"),0),
-    S_port = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+(\d+)"),0),
-    Cs_username = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s([^\s]+)"),0),
-    Cs_User_Agent = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s([^\s]+)"),0),
-    Cs_Cookie = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s[^\s]+\s([^\s]+)"),0),
-    CS_reffer = arrayindex(regextract(_raw_log,"\s(http\w?\:\/\/\S+)"),0),
-    Sc_status = arrayindex(regextract(_raw_log,"\w+\s(\d+)\s\d+\s\d+"),0),
+alter 
+    c_sitename = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s([A-Za-z0-9-_]{4,})"),0),
+    s_computername = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s\w+\s(\S+)"),0),
+    cs_method = arrayindex(regextract(_raw_log,"([A-Z]+)\s\/\S*\s"),0),
+    cs_uri_stem = arrayindex(regextract(_raw_log,"[A-Z]+\s(\/\S*)\s"),0),
+    s_port = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+(\d+)"),0),
+    cs_username = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s([^\s]+)"),0),
+    cs_user_agent = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s([^\s]+)"),0),
+    cs_cookie = arrayindex(regextract(_raw_log,"HTTP\/\d+\.\d+\s[^\s]+\s([^\s]+)"),0),
+    cs_reffer = arrayindex(regextract(_raw_log,"\s(http\w?\:\/\/\S+)"),0),
+    sc_status = arrayindex(regextract(_raw_log,"\w+\s(\d+)\s\d+\s\d+"),0),
     sc_bytes = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\s\d+\s(\d+)"),0),
     cs_bytes = arrayindex(regextract(_raw_log,"\w+\s\d+\s\d+\s\d+\s\d+\s(\d+)"),0),
-    Time_taken = arrayindex(regextract(_raw_log,"\s\d+\s[^\s]+\s\d+\s[^\s]+\s[^\s]+\s([^\s]+)"),0),
-    C_ip = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s[^\s]+\s([^\s]+)"),0),
+    time_taken = arrayindex(regextract(_raw_log,"\s\d+\s[^\s]+\s\d+\s[^\s]+\s[^\s]+\s([^\s]+)"),0),
+    c_ip = arrayindex(regextract(_raw_log,"\s\w+\s\/[^\-]+[^\d+]+\d+\s[^\s]+\s([^\s]+)"),0),
     s_ip = arrayindex(regextract(_raw_log,"\d+\:\d+\:\d+\s[^\s]+\s[^\s]+\s([^\s]+)"),0)
 | alter
     xdm.source.ipv4 = c_ip,
     xdm.source.user.username = cs_username,
     xdm.observer.unique_identifier = c_sitename,
-    xdm.target.host.hostname = S_computername,
+    xdm.target.host.hostname = s_computername,
     xdm.network.http.url = cs_uri_stem,
     xdm.target.ipv4 = s_ip,
     xdm.source.port = to_integer(s_port),
     xdm.network.http.method = cs_method,
     xdm.network.http.response_code = if(sc_status = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, sc_status = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, sc_status = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, sc_status = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, sc_status = "200", XDM_CONST.HTTP_RSP_CODE_OK, sc_status = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, sc_status = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, sc_status = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, sc_status = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, sc_status = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, sc_status = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, sc_status = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, sc_status = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, sc_status = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, sc_status = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, sc_status = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, sc_status = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, sc_status = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, sc_status = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, sc_status = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, sc_status = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, sc_status = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, sc_status = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, sc_status = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, sc_status = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, sc_status = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, sc_status = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, sc_status = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, sc_status = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, sc_status = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, sc_status = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, sc_status = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, sc_status = "410", XDM_CONST.HTTP_RSP_CODE_GONE, sc_status = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, sc_status = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, sc_status = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, sc_status = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, sc_status = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, sc_status = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, sc_status = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, sc_status = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, sc_status = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, sc_status = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, sc_status = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, sc_status = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, sc_status = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, sc_status = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, sc_status = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, sc_status = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, sc_status = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, sc_status = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, sc_status = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, sc_status = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, sc_status = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, sc_status = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, sc_status = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, sc_status = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, sc_status = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, sc_status = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, sc_status = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, sc_status = null, null, to_string(sc_status)),
     xdm.event.duration = to_number(time_taken),
-    xdm.network.rule = cs_Cookie,
-    xdm.network.http.referrer = CS_reffer,
+    xdm.network.rule = cs_cookie,
+    xdm.network.http.referrer = cs_reffer,
     xdm.source.sent_bytes = to_number(sc_bytes),
     xdm.target.sent_bytes = to_number(cs_bytes),
-    xdm.source.user_agent = Cs_User_Agent;
+    xdm.source.user_agent = cs_user_agent;
 
 alter event_type = arrayindex(regextract(_raw_log, "(\S+\s\d+\s\S+\s\d+)"),0)
 | filter

diff --git a/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md b/Packs/MicrosoftIISWebServer/ReleaseNotes/1_0_7.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Microsoft IIS Web Server
+
+Updated the Modeling Rule logic, changing capital to lower letters.
diff --git a/Packs/MicrosoftIISWebServer/pack_metadata.json b/Packs/MicrosoftIISWebServer/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft IIS Web Server",
     "description": "Modeling rules for Microsoft IIS Web Server",
     "support": "xsoar",
-    "currentVersion": "1.0.6",
+    "currentVersion": "1.0.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",