diff --git a/watchguard_firebox/assets/logs/watchguard-firebox.yaml b/watchguard_firebox/assets/logs/watchguard-firebox.yaml
index 0e4e3341f47d7..36df58434ab3b 100644
--- a/watchguard_firebox/assets/logs/watchguard-firebox.yaml
+++ b/watchguard_firebox/assets/logs/watchguard-firebox.yaml
@@ -296,26 +296,25 @@ pipeline:
enabled: true
source: message
samples:
- - SYN flood attack against 10.10.10.10 from 10.10.10.10 detected.
- 500 SYN packets dropped since last alarm.
+ - UDP flood attack against 10.10.10.10 from 10.10.10.10 detected.
+ 500 UDP flood packets dropped since last alarm. (udp_flood_dos)
- IPv4 source route attack from 10.10.10.10 detected.
- IP scan attack against 10.10.10.10 from 10.10.10.10 detected.
- "DDOS against server 10.10.10.10 detected. "
+ - DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)
- DDOS from client 10.10.10.10 detected.
grok:
supportRules: ""
- matchRules: >
+ matchRules: >-
parse_rule_30000152_to_30000159_30000162_to_30000166 %{regex(".*(?= attack)"):attack_type} attack (against %{ip:network.destination.ip} )?from %{ip:network.client.ip} detected.( %{integer:drop_packet_count} %{regex(".*(?=
- packets)"):drop_packet_type} packets dropped since last alarm.)?
-
-
- parse_rule_30000161 %{regex(".*(?= from)"):attack_type} from client %{ip:network.client.ip} detected.
+ packets)"):drop_packet_type} packets dropped since last alarm.)?(
+ (%{notSpace}))?
+ parse_rule_30000161 %{regex(".*(?= from)"):attack_type} from client %{ip:network.client.ip} detected.( (%{notSpace}))?
- parse_rule_30000160 %{regex(".*(?= against)"):attack_type} against server %{ip:network.destination.ip} detected.
+ parse_rule_30000160 %{regex(".*(?= against)"):attack_type} against server %{ip:network.destination.ip} detected.( (%{notSpace}))?
- type: pipeline
name: Processing of firewall alarm events
enabled: true
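Review bot: The `( (%{notSpace}))?` group appended to all three rules consumes the trailing alarm code but binds it to no attribute, so values such as `udp_flood_dos` and `ddos_attack_dest_dos` — the most stable key for alerting or counting on these alarms, independent of message wording — are discarded at parse time. Binding it, e.g. `( (%{notSpace:alarm_name}))?` (the attribute name is a suggestion), keeps the code available to detection rules and dashboards; the same applies to the `parse_rule_30000161` and `parse_rule_30000160` lines. Switching the header to `>-` and dropping the blank separator lines also changes folding: unless the rule lines are more-indented than the first content line (the collapsed diff hides indentation), a folded scalar joins them with spaces into a single rule string, so please confirm the rendered `matchRules` still yields one rule per line. The grok processor this hunk edits starts above the hunk.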
diff --git a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
index f7e448ce1ea92..cc0c5d253da37 100644
--- a/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
+++ b/watchguard_firebox/assets/logs/watchguard-firebox_tests.yaml
@@ -114,8 +114,8 @@ tests:
tags:
- "source:LOGS_SOURCE"
timestamp: 1744104397000
- - sample: "<142>Apr 2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.0.1.34 detected."
+ - sample: "<142>Apr 2 18:47:10 WatchGuard-Firebox TEST (2025-04-08T09:26:37) test: msg_id=\"3000-0160\" DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
result:
custom:
attack_type: "DDOS"
@@ -125,12 +125,12 @@ tests:
network:
destination:
geoip: {}
- ip: "10.0.1.34"
+ ip: "10.10.10.10"
syslog:
hostname: "WatchGuard-Firebox"
prival: 142
timestamp: 1744104397000
- message: "DDOS against server 10.0.1.34 detected."
+ message: "DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)"
service: "firewall"
tags:
- "source:LOGS_SOURCE"
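Review bot: The only fixture for `msg_id="3000-0160"` is rewritten to the suffixed form `DDOS against server 10.10.10.10 detected. (ddos_attack_dest_dos)`, so the suffix-less message that the rule still accepts through its optional `( (%{notSpace}))?` group no longer has a test, and the new `udp_flood_dos` sample added to the pipeline has none either. Adding a second case with the same expected `attack_type` and `network.destination.ip` instead of replacing this one would cover both forms; the second hunk of this file is the expected result of the same test case, so it would need a matching duplicate. If the alarm code is later captured into an attribute in the pipeline, the expected `custom` block here should assert it as well.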