From 07b47231c535851e2d377da8c88e706bd98a8ef4 Mon Sep 17 00:00:00 2001
From: Shain <45466083+shainw@users.noreply.github.com>
Date: Wed, 11 Nov 2020 08:50:26 -0800
Subject: [PATCH] Update PulseConnectSecure.txt
Implementing suggestions from this PR - Thanks to FlyingBlueMonkey (Matt Egan) for the discussion and fix - https://github.com/Azure/Azure-Sentinel/pull/1137/files
---
 .../PulseConnectSecure/PulseConnectSecure.txt | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/Parsers/PulseConnectSecure/PulseConnectSecure.txt b/Parsers/PulseConnectSecure/PulseConnectSecure.txt
index df1aac401d..468e95ce18 100644
--- a/Parsers/PulseConnectSecure/PulseConnectSecure.txt
+++ b/Parsers/PulseConnectSecure/PulseConnectSecure.txt
@@ -29,7 +29,7 @@
 //
 Syslog
 | where Computer in ("datasource") and Facility == "local7"
-//Version 8.0R7 and below
+// Version 8.0R7 and below using the Standard format
 | extend Parser = extract_all(@'^(\d{4}\-\d{2}-\d{2})\s(\d{2}\:\d{2}:\d{2})\s(\S+)\s(\S+)\s(\S+)\s\[(\S+)\]\s(\S+)\((.*)?\)\[(.*)\]\s\-\s(.*)',dynamic([1,2,3,4,5,6,7,8,9,10]),SyslogMessage)
 | mv-expand Parser
 | extend LogTime = todatetime(strcat(tostring(Parser[0]),'T',tostring(Parser[1]))),
@@ -40,14 +40,15 @@ Syslog
 EventID = tostring(Parser[8]),
 Messages = tostring(Parser[9])
 | project-away Parser
-//Version 8.0R7 and above
-| extend User = extract(@'user=(\S+)',1,SyslogMessage),
- EventID = extract(@'id=(\S+)',1,SyslogMessage),
- Pri = extract(@'pri=(\S+)',1,SyslogMessage),
- Node = extract(@'vpn=\"(\S+)\"',1,SyslogMessage),
- Realm = extract(@'realm=\"([\w\s\:\.]+)\"',1,SyslogMessage),
- Roles = extract(@'roles=\"([\w\s\:\.]+)\"',1,SyslogMessage),
- Type = extract(@'type=(\S+)',1,SyslogMessage),
- Messages = extract(@'msg=\"([\w\s\:\.]+)\"',1,SyslogMessage),
- Source_IP = extract(@'fw=([\d\.]+)',1,SyslogMessage),
+// The section below is for parsing WebTrends Enhanced Log Format (WELF) logs. If you are NOT using WELF, then keep this section commented out otherwise uncomment each line to use
+// Version 8.0R7 and above using the WELF format
+//| extend User = extract(@'user=(\S+)',1,SyslogMessage),
+// EventID = extract(@'id=(\S+)',1,SyslogMessage),
+// Pri = extract(@'pri=(\S+)',1,SyslogMessage),
+// Node = extract(@'vpn=\"(\S+)\"',1,SyslogMessage),
+// Realm = extract(@'realm=\"([\w\s\:\.]+)\"',1,SyslogMessage),
+// Roles = extract(@'roles=\"([\w\s\:\.]+)\"',1,SyslogMessage),
+// Type = extract(@'type=(\S+)',1,SyslogMessage),
+// Messages = extract(@'msg=\"([\w\s\:\.]+)\"',1,SyslogMessage),
+// Source_IP = extract(@'fw=([\d\.]+)',1,SyslogMessage)