From 5645b6103be8ed125c47af02bf8fa2327c02d482 Mon Sep 17 00:00:00 2001
From: lvultao-nbps
Date: Fri, 20 Feb 2026 15:48:22 -0500
Subject: [PATCH] Add files via upload

added 11.1.x
---
11.1.json | 16880 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 16880 insertions(+)
create mode 100644 11.1.json

diff --git a/11.1.json b/11.1.json
new file mode 100644
index 0000000..ae3fe16
--- /dev/null
+++ b/11.1.json
@@ -0,0 +1,16880 @@ +{ + "version": "7.0.4", + "extractors": [ + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "Traffic_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "Traffic_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "Traffic_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "Traffic_NATSource_IP", + "target_field": "NATSource_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "Traffic_NATDestination_IP", + "target_field": "NATDestination_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "Traffic_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, 
+ "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationUser", + "target_field": "DestinationUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "Traffic_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + 
"order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "Traffic_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "Traffic_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "Traffic_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "Traffic_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "Traffic_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", 
+ "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "Traffic_NATSourcePort", + "target_field": "NATSourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "Traffic_NATDestinationPort", + "target_field": "NATDestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Flags", + "target_field": "Flags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Protocol", + "target_field": "Protocol", + "source_field": "message", + 
"order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Bytes", + "target_field": "Bytes", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "Traffic_BytesSent", + "target_field": "BytesSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "Traffic_BytesReceived", + "target_field": "BytesReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Packets", + "target_field": "Packets", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "Traffic_StartTime", + "target_field": "StartTime", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ElapsedTime", + "target_field": "ElapsedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Category", + "target_field": "Category", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "Traffic_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceCountry", + "target_field": "SourceCountry", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationCountry", + "target_field": "DestinationCountry", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "Traffic_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "Traffic_PacketsSent", + "target_field": "PacketsSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "Traffic_PacketsReceived", + "target_field": "PacketsReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SessionEndReason", + "target_field": "SessionEndReason", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "Traffic_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + 
}, + "converters": [], + "title": "Traffic_ActionSource", + "target_field": "ActionSource", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceVMUUID", + "target_field": "SourceVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationVMUUID", + "target_field": "DestinationVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "Traffic_TunnelIDIMSI", + "target_field": "TunnelIDIMSI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "Traffic_MonitorTagIMEI", + "target_field": "MonitorTagIMEI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ParentSessionID", + "target_field": "ParentSessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 
60, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ParentStartTime", + "target_field": "ParentStartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "Traffic_TunnelType", + "target_field": "TunnelType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SCTPAssociationID", + "target_field": "SCTPAssociationID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SCTPChunks", + "target_field": "SCTPChunks", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SCTPChunksSent", + "target_field": "SCTPChunksSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SCTPChunksReceived", + "target_field": "SCTPChunksReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + 
"extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": [], + "title": "Traffic_RuleUUID", + "target_field": "RuleUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], + "title": "Traffic_HTTP2Connection", + "target_field": "HTTP2Connection", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "Traffic_AppFlapCount", + "target_field": "AppFlapCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "Traffic_PolicyID", + "target_field": "PolicyID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "Traffic_LinkSwitches", + "target_field": "LinkSwitches", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SD-WANCluster", + "target_field": "SD-WANCluster", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + 
"extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SD-WANDeviceType", + "target_field": "SD-WANDeviceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SD-WANClusterType", + "target_field": "SD-WANClusterType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SD-WANSite", + "target_field": "SD-WANSite", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DynamicUserGroupName", + "target_field": "DynamicUserGroupName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 76, + "split_by": "," + }, + "converters": [], + "title": "Traffic_XFFAddress", + "target_field": "XFFAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDeviceCategory", + "target_field": "SourceDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDeviceProfile", + "target_field": "SourceDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDeviceModel", + "target_field": "SourceDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDeviceVendor", + "target_field": "SourceDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDeviceOSFamily", + "target_field": "SourceDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDeviceOSVersion", + "target_field": "SourceDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceHostname", + "target_field": "SourceHostname", + "source_field": "message", + "order": 0, 
+ "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceMacAddress", + "target_field": "SourceMacAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 85, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationDeviceCategory", + "target_field": "DestinationDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 86, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationDeviceProfile", + "target_field": "DestinationDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 87, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationDeviceModel", + "target_field": "DestinationDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 88, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationDeviceVendor", + "target_field": "DestinationDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 89, + "split_by": "," + }, + "converters": [], + 
"title": "Traffic_DestinationDeviceOSFamily", + "target_field": "DestinationDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 90, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationDeviceOSVersion", + "target_field": "DestinationDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 91, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationHostname", + "target_field": "DestinationHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 92, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationMacAddress", + "target_field": "DestinationMacAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 93, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ContainerID", + "target_field": "ContainerID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 94, + "split_by": "," + }, + "converters": [], + "title": "Traffic_PODNamespace", + "target_field": "PODNamespace", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": 
"string", + "extractor_config": { + "index": 95, + "split_by": "," + }, + "converters": [], + "title": "Traffic_PODName", + "target_field": "PODName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 96, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceExternalDynamicList", + "target_field": "SourceExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 97, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationExternalDynamicList", + "target_field": "DestinationExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 98, + "split_by": "," + }, + "converters": [], + "title": "Traffic_HostID", + "target_field": "HostID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 99, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 100, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceDynamicAddressGroup", + "target_field": "SourceDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 101, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationDynamicAddressGroup", + "target_field": "DestinationDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 102, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SessionOwner", + "target_field": "SessionOwner", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 103, + "split_by": "," + }, + "converters": [], + "title": "Traffic_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 104, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ASliceServiceType", + "target_field": "ASliceServiceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 105, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ASliceDifferentiator", + "target_field": "ASliceDifferentiator", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 106, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationSubcategory", + 
"target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 107, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationCategory", + "target_field": "ApplicationCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 108, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 109, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 110, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 111, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + 
"extractor_config": { + "index": 112, + "split_by": "," + }, + "converters": [], + "title": "Traffic_TunneledApplication", + "target_field": "TunneledApplication", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 113, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 114, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 115, + "split_by": "," + }, + "converters": [], + "title": "Traffic_Offloaded", + "target_field": "Offloaded", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 116, + "split_by": "," + }, + "converters": [], + "title": "Traffic_FlowType", + "target_field": "FlowType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 117, + "split_by": "," + }, + "converters": [], + "title": "Traffic_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 118, + "split_by": "," + }, + "converters": [], + "title": "Traffic_AITraffic", + "target_field": "AITraffic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 119, + "split_by": "," + }, + "converters": [], + "title": "Traffic_AIForwardError", + "target_field": "AIForwardError", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 120, + "split_by": "," + }, + "converters": [], + "title": "Traffic_K8SClusterID", + "target_field": "K8SClusterID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 121, + "split_by": "," + }, + "converters": [], + "title": "Traffic_tcprttc2s", + "target_field": "tcprttc2s", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 122, + "split_by": "," + }, + "converters": [], + "title": "Traffic_tcprtts2c", + "target_field": "tcprtts2c", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 123, + "split_by": "," + }, + "converters": [], + "title": "Traffic_totalnooseqc2s", + "target_field": "totalnooseqc2s", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 124, + "split_by": "," + }, + "converters": [], + "title": "Traffic_totalnooseqs2c", + "target_field": "totalnooseqs2c", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 125, + "split_by": "," + }, + "converters": [], + "title": "Traffic_tcpretransitcntc2s", + "target_field": "tcpretransitcntc2s", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 126, + "split_by": "," + }, + "converters": [], + "title": "Traffic_tcpretransitcnts2c", + "target_field": "tcpretransitcnts2c", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 127, + "split_by": "," + }, + "converters": [], + "title": "Traffic_tcpzerowindowcntc2s", + "target_field": "tcpzerowindowcntc2s", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 128, + "split_by": "," + }, + "converters": [], + "title": "Traffic_tcpzerowindowcnts2c", + "target_field": "tcpzerowindowcnts2c", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 129, + "split_by": "," + }, + "converters": [], + "title": "Traffic_SourceAdvDevID", + "target_field": "SourceAdvDevID", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",TRAFFIC,", + "condition_type": "string", + "extractor_config": { + "index": 130, + "split_by": "," + }, + "converters": [], + "title": "Traffic_DestinationAdvDevID", + "target_field": "DestinationAdvDevID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "Threat_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "Threat_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "Threat_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "Threat_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": 
"Threat_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "Threat_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "Threat_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "Threat_NATSource_IP", + "target_field": "NATSource_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "Threat_NATDestination_IP", + "target_field": "NATDestination_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "Threat_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationUser", + "target_field": "DestinationUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "Threat_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": 
"Threat_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "Threat_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "Threat_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "Threat_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "Threat_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "Threat_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "Threat_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "Threat_NATSourcePort", + 
"target_field": "NATSourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "Threat_NATDestinationPort", + "target_field": "NATDestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "Threat_Flags", + "target_field": "Flags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "Threat__IPProtocol", + "target_field": "_IPProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "Threat_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "Threat_URLFilename", + "target_field": "URLFilename", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + 
"condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "Threat_ThreatID", + "target_field": "ThreatID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "Threat_Category", + "target_field": "Category", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "Threat_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "Threat_Direction", + "target_field": "Direction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "Threat_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "Threat_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceLocation", + "target_field": "SourceLocation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationLocation", + "target_field": "DestinationLocation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "Threat_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "Threat_ContentType", + "target_field": "ContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "Threat_PCAPID", + "target_field": "PCAPID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 44, + 
"split_by": "," + }, + "converters": [], + "title": "Threat_FileDigest", + "target_field": "FileDigest", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "Threat_Cloud", + "target_field": "Cloud", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "Threat_URLIndex", + "target_field": "URLIndex", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "Threat_UserAgent", + "target_field": "UserAgent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "Threat_FileType", + "target_field": "FileType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "Threat_X-Forwarded-For", + "target_field": "X-Forwarded-For", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "Threat_Referer", + "target_field": "Referer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "Threat_Sender", + "target_field": "Sender", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "Threat_Subject", + "target_field": "Subject", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "Threat_Recipient", + "target_field": "Recipient", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "Threat_ReportID", + "target_field": "ReportID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "Threat_DeviceGroupHierarchyLevel1", + "target_field": 
"DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "Threat_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "Threat_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "Threat_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "Threat_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "Threat_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "Threat_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceVMUUID", + "target_field": "SourceVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationVMUUID", + "target_field": "DestinationVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "Threat_HTTPMethod", + "target_field": "HTTPMethod", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "Threat_TunnelIDIMSI", + "target_field": "TunnelIDIMSI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": 
[], + "title": "Threat_MonitorTagIMEI", + "target_field": "MonitorTagIMEI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], + "title": "Threat_ParentSessionID", + "target_field": "ParentSessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "Threat_ParentStartTime", + "target_field": "ParentStartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "Threat_TunnelType", + "target_field": "TunnelType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "Threat_ThreatCategory", + "target_field": "ThreatCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "Threat_ContentVersion", + "target_field": "ContentVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + 
}, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": "Threat_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "Threat_SCTPAssociationID", + "target_field": "SCTPAssociationID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "Threat_PayloadProtocolID", + "target_field": "PayloadProtocolID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "Threat_HTTPHeaders", + "target_field": "HTTPHeaders", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 76, + "split_by": "," + }, + "converters": [], + "title": "Threat_URLCategoryList", + "target_field": "URLCategoryList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + 
"title": "Threat_RuleUUID", + "target_field": "RuleUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "Threat_HTTP2Connection", + "target_field": "HTTP2Connection", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "Threat_DynamicUserGroupName", + "target_field": "DynamicUserGroupName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "Threat_XFFAddress", + "target_field": "XFFAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDeviceCategory", + "target_field": "SourceDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDeviceProfile", + "target_field": "SourceDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDeviceModel", + "target_field": "SourceDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDeviceVendor", + "target_field": "SourceDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 85, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDeviceOSFamily", + "target_field": "SourceDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 86, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDeviceOSVersion", + "target_field": "SourceDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 87, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceHostname", + "target_field": "SourceHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + 
"extractor_config": { + "index": 88, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceMACAddress", + "target_field": "SourceMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 89, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationDeviceCategory", + "target_field": "DestinationDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 90, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationDeviceProfile", + "target_field": "DestinationDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 91, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationDeviceModel", + "target_field": "DestinationDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 92, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationDeviceVendor", + "target_field": "DestinationDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 93, + "split_by": "," + }, + "converters": [], + "title": 
"Threat_DestinationDeviceOSFamily", + "target_field": "DestinationDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 94, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationDeviceOSVersion", + "target_field": "DestinationDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 95, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationHostname", + "target_field": "DestinationHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 96, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationMACAddress", + "target_field": "DestinationMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 97, + "split_by": "," + }, + "converters": [], + "title": "Threat_ContainerID", + "target_field": "ContainerID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 98, + "split_by": "," + }, + "converters": [], + "title": "Threat_PODNamespace", + "target_field": "PODNamespace", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 99, + "split_by": "," + }, + "converters": [], + "title": "Threat_PODName", + "target_field": "PODName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 100, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceExternalDynamicList", + "target_field": "SourceExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 101, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationExternalDynamicList", + "target_field": "DestinationExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 102, + "split_by": "," + }, + "converters": [], + "title": "Threat_HostID", + "target_field": "HostID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 103, + "split_by": "," + }, + "converters": [], + "title": "Threat_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + 
"extractor_config": { + "index": 104, + "split_by": "," + }, + "converters": [], + "title": "Threat_DomainEDL", + "target_field": "DomainEDL", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 105, + "split_by": "," + }, + "converters": [], + "title": "Threat_SourceDynamicAddressGroup", + "target_field": "SourceDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 106, + "split_by": "," + }, + "converters": [], + "title": "Threat_DestinationDynamicAddressGroup", + "target_field": "DestinationDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 107, + "split_by": "," + }, + "converters": [], + "title": "Threat_PartialHash", + "target_field": "PartialHash", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 108, + "split_by": "," + }, + "converters": [], + "title": "Threat_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 109, + "split_by": "," + }, + "converters": [], + "title": "Threat_Reason", + 
"target_field": "Reason", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 110, + "split_by": "," + }, + "converters": [], + "title": "Threat_Justification", + "target_field": "Justification", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 111, + "split_by": "," + }, + "converters": [], + "title": "Threat_ASliceServiceType", + "target_field": "ASliceServiceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 112, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationSubcategory", + "target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 113, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationCategory", + "target_field": "ApplicationCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 114, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" 
+ }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 115, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 116, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 117, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 118, + "split_by": "," + }, + "converters": [], + "title": "Threat_TunneledApplication", + "target_field": "TunneledApplication", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 119, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + 
"index": 120, + "split_by": "," + }, + "converters": [], + "title": "Threat_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 121, + "split_by": "," + }, + "converters": [], + "title": "Threat_CloudReportID", + "target_field": "CloudReportID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 122, + "split_by": "," + }, + "converters": [], + "title": "Threat_FlowType", + "target_field": "FlowType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(?!url|data|dlp|file)[^,]*,", + "condition_type": "string", + "extractor_config": { + "index": 123, + "split_by": "," + }, + "converters": [], + "title": "Threat_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_NATSource_IP", + "target_field": "NATSource_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_NATDestination_IP", + "target_field": "NATDestination_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationUser", + 
"target_field": "DestinationUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + 
}, + "converters": [], + "title": "URLFiltering_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + 
"extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_NATSourcePort", + "target_field": "NATSourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_NATDestinationPort", + "target_field": "NATDestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Flags", + "target_field": "Flags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering__IPProtocol", + "target_field": "_IPProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_URLFilename", + "target_field": "URLFilename", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ThreatID", + "target_field": "ThreatID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Category", + "target_field": "Category", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Direction", + "target_field": "Direction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, 
+ { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceCountry", + "target_field": "SourceCountry", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationCountry", + "target_field": "DestinationCountry", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ContentType", + "target_field": "ContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_PCAPID", + "target_field": "PCAPID", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FileDigest", + "target_field": "FileDigest", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Cloud", + "target_field": "Cloud", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_URLIndex", + "target_field": "URLIndex", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_UserAgent", + "target_field": "UserAgent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FileType", + "target_field": "FileType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_X-Forwarded-For", + "target_field": "X-Forwarded-For", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Referer", + "target_field": "Referer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Sender", + "target_field": "Sender", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Subject", + "target_field": "Subject", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Recipient", + "target_field": "Recipient", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ReportID", + "target_field": "ReportID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + 
"extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceVMUUID", + "target_field": "SourceVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationVMUUID", + "target_field": "DestinationVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_HTTPMethod", + "target_field": "HTTPMethod", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_TunnelIDIMSI", + "target_field": "TunnelIDIMSI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_MonitorTagIMEI", + "target_field": "MonitorTagIMEI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ParentSessionID", + "target_field": "ParentSessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ParentStartTime", + "target_field": "ParentStartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_TunnelType", + "target_field": "TunnelType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ThreatCategory", + "target_field": "ThreatCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ContentVersion", + "target_field": "ContentVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SCTPAssociationID", + "target_field": "SCTPAssociationID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_PayloadProtocolID", + "target_field": "PayloadProtocolID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_HTTPHeaders", + "target_field": "HTTPHeaders", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 76, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_URLCategoryList", + "target_field": "URLCategoryList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_RuleUUID", + "target_field": "RuleUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_HTTP2Connection", + 
"target_field": "HTTP2Connection", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DynamicUserGroupName", + "target_field": "DynamicUserGroupName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_XFFAddress", + "target_field": "XFFAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDeviceCategory", + "target_field": "SourceDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDeviceProfile", + "target_field": "SourceDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDeviceModel", + "target_field": "SourceDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + 
"extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDeviceVendor", + "target_field": "SourceDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 85, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDeviceOSFamily", + "target_field": "SourceDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 86, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDeviceOSVersion", + "target_field": "SourceDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 87, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceHostname", + "target_field": "SourceHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 88, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceMACAddress", + "target_field": "SourceMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 89, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDeviceCategory", + "target_field": "DestinationDeviceCategory", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 90, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDeviceProfile", + "target_field": "DestinationDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 91, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDeviceModel", + "target_field": "DestinationDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 92, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDeviceVendor", + "target_field": "DestinationDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 93, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDeviceOSFamily", + "target_field": "DestinationDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 94, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDeviceOSVersion", + "target_field": "DestinationDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + 
"index": 95, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationHostname", + "target_field": "DestinationHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 96, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationMACAddress", + "target_field": "DestinationMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 97, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ContainerID", + "target_field": "ContainerID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 98, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_PODNamespace", + "target_field": "PODNamespace", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 99, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_PODName", + "target_field": "PODName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 100, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceExternalDynamicList", + "target_field": "SourceExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + 
}, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 101, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationExternalDynamicList", + "target_field": "DestinationExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 102, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_HostID", + "target_field": "HostID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 103, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 104, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DomainEDL", + "target_field": "DomainEDL", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 105, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_SourceDynamicAddressGroup", + "target_field": "SourceDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 106, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_DestinationDynamicAddressGroup", + "target_field": 
"DestinationDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 107, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_PartialHash", + "target_field": "PartialHash", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 108, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 109, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Reason", + "target_field": "Reason", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 110, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_Justification", + "target_field": "Justification", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 111, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ASliceServiceType", + "target_field": "ASliceServiceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 112, + 
"split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationSubcategory", + "target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 113, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationCategory", + "target_field": "ApplicationCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 114, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 115, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 116, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 117, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 118, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_TunneledApplication", + "target_field": "TunneledApplication", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 119, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 120, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 121, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_CloudReportID", + "target_field": "CloudReportID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 122, + "split_by": "," + }, + "converters": [], + "title": "URLFiltering_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,url,", + "condition_type": "string", + "extractor_config": { + "index": 123, + "split_by": "," + }, + "converters": [], + "title": 
"URLFiltering_FlowType", + "target_field": "FlowType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_NATSource_IP", + "target_field": "NATSource_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + 
"converters": [], + "title": "DataFiltering_NATDestination_IP", + "target_field": "NATDestination_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationUser", + "target_field": "DestinationUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": 
"string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_NATSourcePort", + "target_field": "NATSourcePort", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_NATDestinationPort", + "target_field": "NATDestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Flags", + "target_field": "Flags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering__IPProtocol", + "target_field": "_IPProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_URLFilename", + "target_field": "URLFilename", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ThreatID", + "target_field": "ThreatID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Category", + "target_field": "Category", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Direction", + "target_field": "Direction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": 
"DataFiltering_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceCountry", + "target_field": "SourceCountry", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationCountry", + "target_field": "DestinationCountry", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ContentType", + "target_field": "ContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_PCAPID", + "target_field": "PCAPID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": 
"copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FileDigest", + "target_field": "FileDigest", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Cloud", + "target_field": "Cloud", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_URLIndex", + "target_field": "URLIndex", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_UserAgent", + "target_field": "UserAgent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FileType", + "target_field": "FileType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + 
"title": "DataFiltering_X-Forwarded-For", + "target_field": "X-Forwarded-For", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Referer", + "target_field": "Referer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Sender", + "target_field": "Sender", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Subject", + "target_field": "Subject", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Recipient", + "target_field": "Recipient", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ReportID", + "target_field": "ReportID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceVMUUID", + "target_field": "SourceVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationVMUUID", + "target_field": "DestinationVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_HTTPMethod", + "target_field": "HTTPMethod", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": 
"DataFiltering_TunnelIDIMSI", + "target_field": "TunnelIDIMSI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_MonitorTagIMEI", + "target_field": "MonitorTagIMEI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ParentSessionID", + "target_field": "ParentSessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ParentStartTime", + "target_field": "ParentStartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_TunnelType", + "target_field": "TunnelType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ThreatCategory", + "target_field": "ThreatCategory", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ContentVersion", + "target_field": "ContentVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SCTPAssociationID", + "target_field": "SCTPAssociationID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_PayloadProtocolID", + "target_field": "PayloadProtocolID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_HTTPHeaders", + "target_field": "HTTPHeaders", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": 
"string", + "extractor_config": { + "index": 76, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_URLCategoryList", + "target_field": "URLCategoryList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_RuleUUID", + "target_field": "RuleUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_HTTP2Connection", + "target_field": "HTTP2Connection", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DynamicUserGroupName", + "target_field": "DynamicUserGroupName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_XFFAddress", + "target_field": "XFFAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDeviceCategory", + 
"target_field": "SourceDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDeviceProfile", + "target_field": "SourceDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDeviceModel", + "target_field": "SourceDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDeviceVendor", + "target_field": "SourceDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 85, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDeviceOSFamily", + "target_field": "SourceDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 86, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDeviceOSVersion", + "target_field": "SourceDeviceOSVersion", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 87, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceHostname", + "target_field": "SourceHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 88, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceMACAddress", + "target_field": "SourceMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 89, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDeviceCategory", + "target_field": "DestinationDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 90, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDeviceProfile", + "target_field": "DestinationDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 91, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDeviceModel", + "target_field": "DestinationDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 92, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDeviceVendor", + "target_field": "DestinationDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 93, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDeviceOSFamily", + "target_field": "DestinationDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 94, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDeviceOSVersion", + "target_field": "DestinationDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 95, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationHostname", + "target_field": "DestinationHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 96, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationMACAddress", + "target_field": "DestinationMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 97, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ContainerID", + "target_field": "ContainerID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 98, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_PODNamespace", + "target_field": "PODNamespace", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 99, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_PODName", + "target_field": "PODName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 100, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceExternalDynamicList", + "target_field": "SourceExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 101, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationExternalDynamicList", + "target_field": "DestinationExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 
102, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_HostID", + "target_field": "HostID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 103, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 104, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DomainEDL", + "target_field": "DomainEDL", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 105, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_SourceDynamicAddressGroup", + "target_field": "SourceDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 106, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_DestinationDynamicAddressGroup", + "target_field": "DestinationDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 107, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_PartialHash", + "target_field": 
"PartialHash", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 108, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 109, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Reason", + "target_field": "Reason", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 110, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_Justification", + "target_field": "Justification", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 111, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ASliceServiceType", + "target_field": "ASliceServiceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 112, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationSubcategory", + "target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 113, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationCategory", + "target_field": "ApplicationCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 114, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 115, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 116, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 117, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 118, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_TunneledApplication", + "target_field": "TunneledApplication", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 119, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 120, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 121, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_CloudReportID", + "target_field": "CloudReportID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 122, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",THREAT,(data|dlp|dlp-non-file|file),", + "condition_type": "string", + "extractor_config": { + "index": 
123, + "split_by": "," + }, + "converters": [], + "title": "DataFiltering_FlowType", + "target_field": "FlowType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + 
"index": 6, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_MachineName", + "target_field": "MachineName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_OperatingSystem", + "target_field": "OperatingSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + 
"extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_H_IP", + "target_field": "H_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_H_IPType", + "target_field": "H_IPType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + 
"extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_VirtualSystemID", + "target_field": "VirtualSystemID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch__IPv6SourceAddress", + "target_field": "_IPv6SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_HostID", + "target_field": "HostID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_UserDeviceSerialNumber", + "target_field": 
"UserDeviceSerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_DeviceMACAddress", + "target_field": "DeviceMACAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",HIP-MATCH,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "HIPMatch_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + 
"converters": [], + "title": "GlobalProtect_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", 
+ "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_EventID", + "target_field": "EventID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Stage", + "target_field": "Stage", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_AuthenticationMethod", + "target_field": "AuthenticationMethod", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_TunnelType", + "target_field": "TunnelType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_SourceRegion", + "target_field": "SourceRegion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_MachineName", + "target_field": "MachineName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Public_IP", + "target_field": "Public_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Public_IPv6", + "target_field": "Public_IPv6", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Private_IP", + "target_field": "Private_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Private_IPv6", + "target_field": "Private_IPv6", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_HostID", + "target_field": "HostID", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ClientVersion", + "target_field": "ClientVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ClientOS", + "target_field": "ClientOS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ClientOSVersion", + "target_field": "ClientOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Reason", + "target_field": "Reason", 
+ "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Error", + "target_field": "Error", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Description", + "target_field": "Description", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Status", + "target_field": "Status", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Location", + "target_field": "Location", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_LoginDuration", + "target_field": "LoginDuration", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": 
"GlobalProtect_ConnectMethod", + "target_field": "ConnectMethod", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ErrorCode", + "target_field": "ErrorCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Portal", + "target_field": "Portal", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_HighResTimestamp", + "target_field": "HighResTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": 
{ + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_SelectionType", + "target_field": "SelectionType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ResponseTime", + "target_field": "ResponseTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Priority", + "target_field": "Priority", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_AttemptedGateways", + "target_field": "AttemptedGateways", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_Gateway", + "target_field": "Gateway", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + 
}, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": 
"GlobalProtect_VirtualSystemID", + "target_field": "VirtualSystemID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GLOBALPROTECT,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "GlobalProtect_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "IPTag_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "IPTag_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "IPTag_Serial", + "target_field": "Serial", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "IPTag_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "IPTag_ThreatContentType", + 
"target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "IPTag_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "IPTag_GenerateTime", + "target_field": "GenerateTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "IPTag_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "IPTag_Source_IP", + "target_field": "Source_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "IPTag_TagName", + "target_field": "TagName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "IPTag_EventID", + "target_field": "EventID", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "IPTag_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "IPTag_Timeout", + "target_field": "Timeout", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DataSourceName", + "target_field": "DataSourceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DataSourceType", + "target_field": "DataSourceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DataSourceSubtype", + "target_field": "DataSourceSubtype", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "IPTag_SequenceNumber", + "target_field": "SequenceNumber", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "IPTag_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DGHierarchyLevel1", + "target_field": "DGHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DGHierarchyLevel2", + "target_field": "DGHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DGHierarchyLevel3", + "target_field": "DGHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DGHierarchyLevel4", + "target_field": "DGHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "IPTag_VirtualSystemName", + 
"target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "IPTag_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "IPTag_VirtualSystemID", + "target_field": "VirtualSystemID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "IPTag_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",IPTAG,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "IPTag_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "UserID_FUTUREUSER", + "target_field": "FUTUREUSER", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": 
"UserID_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "UserID_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "UserID_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "UserID_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "UserID_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "UserID_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "UserID_VirtualSystem", + 
"target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "UserID_Source_IP", + "target_field": "Source_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "UserID_User", + "target_field": "User", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "UserID_DataSourceName", + "target_field": "DataSourceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "UserID_EventID", + "target_field": "EventID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "UserID_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "UserID_TimeOutThreshold", + "target_field": 
"TimeOutThreshold", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "UserID_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "UserID_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "UserID_DataSource", + "target_field": "DataSource", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "UserID_DataSourceType", + "target_field": "DataSourceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "UserID_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "UserID_ActionFlags", + 
"target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "UserID_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "UserID_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "UserID_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "UserID_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "UserID_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + 
"extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "UserID_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "UserID_VirtualSystemID", + "target_field": "VirtualSystemID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "UserID_FactorType", + "target_field": "FactorType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "UserID_FactorCompletionTime", + "target_field": "FactorCompletionTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "UserID_FactorNumber", + "target_field": "FactorNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "UserID_UserGroupFlags", + "target_field": "UserGroupFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": 
"string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "UserID_UserbySource", + "target_field": "UserbySource", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "UserID_TagName", + "target_field": "TagName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "UserID_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "UserID_OriginDataSource", + "target_field": "OriginDataSource", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "UserID_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",USERID,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "UserID_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + 
"condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "Decryption_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ConfigVersion", + "target_field": "ConfigVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "Decryption_GenerateTime", + "target_field": "GenerateTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "Decryption_NATSource_IP", + "target_field": "NATSource_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "Decryption_NATDestination_IP", + "target_field": "NATDestination_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Rule", + "target_field": "Rule", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceUser", + "target_field": "SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationUser", + "target_field": "DestinationUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "Decryption_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationZone", + "target_field": "DestinationZone", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "Decryption_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "Decryption_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "Decryption_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "Decryption_TimeLogged", + "target_field": "TimeLogged", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "Decryption_RepeatCount", + 
"target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "Decryption_NATSourcePort", + "target_field": "NATSourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "Decryption_NATDestinationPort", + "target_field": "NATDestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Flags", + "target_field": "Flags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": 
[], + "title": "Decryption__IPProtocol", + "target_field": "_IPProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Tunnel", + "target_field": "Tunnel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "Decryption_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "Decryption_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceVMUUID", + "target_field": "SourceVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + 
"converters": [], + "title": "Decryption_DestinationVMUUID", + "target_field": "DestinationVMUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "Decryption_UUIDforrule", + "target_field": "UUIDforrule", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "Decryption_StageforClienttoFirewall", + "target_field": "StageforClienttoFirewall", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "Decryption_StageforFirewalltoServer", + "target_field": "StageforFirewalltoServer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "Decryption_TLSVersion", + "target_field": "TLSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "Decryption_KeyExchangeAlgorithm", + "target_field": "KeyExchangeAlgorithm", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "Decryption_EncryptionAlgorithm", + "target_field": "EncryptionAlgorithm", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "Decryption_HashAlgorithm", + "target_field": "HashAlgorithm", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "Decryption_PolicyName", + "target_field": "PolicyName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "Decryption_EllipticCurve", + "target_field": "EllipticCurve", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ErrorIndex", + "target_field": "ErrorIndex", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "Decryption_RootStatus", + "target_field": "RootStatus", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ChainStatus", + "target_field": "ChainStatus", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ProxyType", + "target_field": "ProxyType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CertificateSerialNumber", + "target_field": "CertificateSerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Fingerprint", + "target_field": "Fingerprint", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CertificateStartDate", + "target_field": "CertificateStartDate", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CertificateEndDate", + "target_field": "CertificateEndDate", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CertificateVersion", + "target_field": "CertificateVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CertificateSize", + "target_field": "CertificateSize", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CommonNameLength", + "target_field": "CommonNameLength", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "Decryption_IssuerCommonNameLength", + "target_field": "IssuerCommonNameLength", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "Decryption_RootCommonNameLength", + "target_field": "RootCommonNameLength", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": 
"," + }, + "converters": [], + "title": "Decryption_SNILength", + "target_field": "SNILength", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "Decryption_CertificateFlags", + "target_field": "CertificateFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SubjectCommonName", + "target_field": "SubjectCommonName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "Decryption_IssuerSubjectCommonName", + "target_field": "IssuerSubjectCommonName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "Decryption_RootSubjectCommonName", + "target_field": "RootSubjectCommonName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ServerNameIndication", + "target_field": "ServerNameIndication", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "Decryption_Error", + "target_field": "Error", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ContainerID", + "target_field": "ContainerID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], + "title": "Decryption_PODNamespace", + "target_field": "PODNamespace", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "Decryption_PODName", + "target_field": "PODName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceExternalDynamicList", + "target_field": "SourceExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationExternalDynamicList", + "target_field": "DestinationExternalDynamicList", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceDynamicAddressGroup", + "target_field": "SourceDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationDynamicAddressGroup", + "target_field": "DestinationDynamicAddressGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "Decryption_HighResTimestamp", + "target_field": "HighResTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceDeviceCategory", + "target_field": "SourceDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceDeviceProfile", + "target_field": "SourceDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 76, + "split_by": "," + 
}, + "converters": [], + "title": "Decryption_SourceDeviceModel", + "target_field": "SourceDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceDeviceVendor", + "target_field": "SourceDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceDeviceOSFamily", + "target_field": "SourceDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceDeviceOSVersion", + "target_field": "SourceDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceHostname", + "target_field": "SourceHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SourceMacAddress", + "target_field": "SourceMacAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationDeviceCategory", + "target_field": "DestinationDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationDeviceProfile", + "target_field": "DestinationDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationDeviceModel", + "target_field": "DestinationDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 85, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationDeviceVendor", + "target_field": "DestinationDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 86, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationDeviceOSFamily", + "target_field": "DestinationDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 87, + "split_by": "," + }, + "converters": [], + "title": 
"Decryption_DestinationDeviceOSVersion", + "target_field": "DestinationDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 88, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationHostname", + "target_field": "DestinationHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 89, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DestinationMacAddress", + "target_field": "DestinationMacAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 90, + "split_by": "," + }, + "converters": [], + "title": "Decryption_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 91, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 92, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 93, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 94, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 95, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 96, + "split_by": "," + }, + "converters": [], + "title": "Decryption_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 97, + "split_by": "," + }, + "converters": [], + "title": "Decryption_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 98, + "split_by": "," + }, + "converters": [], + "title": "Decryption_VirtualSystemID", + "target_field": "VirtualSystemID", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 99, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationSubcategory", + "target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 100, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationCategory", + "target_field": "ApplicationCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 101, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 102, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 103, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + 
"index": 104, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 105, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 106, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",DECRYPTION,", + "condition_type": "string", + "extractor_config": { + "index": 107, + "split_by": "," + }, + "converters": [], + "title": "Decryption_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Subtype", + "target_field": "Subtype", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 8, + 
"split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_NATSource_IP", + "target_field": "NATSource_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_NATDestination_IP", + "target_field": "NATDestination_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SourceUser", + "target_field": "SourceUser", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DestinationUser", + "target_field": "DestinationUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + 
"title": "TunnelInspection_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_NATSourcePort", + "target_field": "NATSourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_NATDestinationPort", + "target_field": "NATDestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Flags", + "target_field": "Flags", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Protocol", + "target_field": "Protocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 
35, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SourceLocation", + "target_field": "SourceLocation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DestinationLocation", + "target_field": "DestinationLocation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + 
"title": "TunnelInspection_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_TunnelIDIMSI", + "target_field": "TunnelIDIMSI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_MonitorTagIMEI", + "target_field": "MonitorTagIMEI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ParentSessionID", + "target_field": "ParentSessionID", + "source_field": "message", + 
"order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ParentStartTime", + "target_field": "ParentStartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Tunnel", + "target_field": "Tunnel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Bytes", + "target_field": "Bytes", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_BytesSent", + "target_field": "BytesSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_BytesReceived", + "target_field": "BytesReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", 
+ "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_Packets", + "target_field": "Packets", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_PacketsSent", + "target_field": "PacketsSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_PacketsReceived", + "target_field": "PacketsReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_MaximumEncapsulation", + "target_field": "MaximumEncapsulation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_UnknownProtocol", + "target_field": "UnknownProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_StrictCheck", + 
"target_field": "StrictCheck", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_TunnelFragment", + "target_field": "TunnelFragment", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SessionsCreated", + "target_field": "SessionsCreated", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SessionsClosed", + "target_field": "SessionsClosed", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SessionEndReason", + "target_field": "SessionEndReason", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ActionSource", + "target_field": "ActionSource", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_StartTime", + "target_field": "StartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ElapsedTime", + "target_field": "ElapsedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_TunnelInspectionRule", + "target_field": "TunnelInspectionRule", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_RemoteUser_IP", + "target_field": "RemoteUser_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_RemoteUserID", + "target_field": "RemoteUserID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + 
"extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_RuleUUID", + "target_field": "RuleUUID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_PCAPID", + "target_field": "PCAPID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DynamicUserGroup", + "target_field": "DynamicUserGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_SourceExternalDynamicList", + "target_field": "SourceExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_DestinationExternalDynamicList", + "target_field": "DestinationExternalDynamicList", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": 
"TunnelInspection_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ASliceDifferentiator", + "target_field": "ASliceDifferentiator", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ASliceServiceType", + "target_field": "ASliceServiceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_PDUSessionID", + "target_field": "PDUSessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 76, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationSubcategory", + "target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationCategory", + "target_field": "ApplicationCategory", + 
"source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",(START|END),(Start|End|Drop|Deny),", + "condition_type": "string", + "extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "TunnelInspection_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "SCTP_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "SCTP_Type", + "target_field": "Type", + "source_field": "message", + 
"order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "SCTP_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "SCTP_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "SCTP_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "SCTP_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "SCTP_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "SCTP_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "SCTP_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + 
"extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "SCTP__IPProtocol", + "target_field": "_IPProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "SCTP_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + 
"extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "SCTP_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + 
"condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPAssociationID", + "target_field": "SCTPAssociationID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "SCTP_PayloadProtocolID", + "target_field": "PayloadProtocolID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "SCTP_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPChunkType", + "target_field": "SCTPChunkType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "SCTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPVerificationTag1", + "target_field": "SCTPVerificationTag1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + 
"condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPVerificationTag2", + "target_field": "SCTPVerificationTag2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPCauseCode", + "target_field": "SCTPCauseCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DiameterAppID", + "target_field": "DiameterAppID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DiameterCommandCode", + "target_field": "DiameterCommandCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "SCTP_DiameterAVPCode", + "target_field": "DiameterAVPCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPStreamID", + "target_field": "SCTPStreamID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPAssociationEndReason", + "target_field": "SCTPAssociationEndReason", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "SCTP_OpCode", + "target_field": "OpCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCCPCallingPartySSN", + "target_field": "SCCPCallingPartySSN", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCCPCallingPartyGlobalTitle", + "target_field": "SCCPCallingPartyGlobalTitle", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPFilter", + "target_field": "SCTPFilter", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPChunks", + "target_field": "SCTPChunks", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPChunksSent", + "target_field": "SCTPChunksSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "SCTP_SCTPChunksReceived", + "target_field": "SCTPChunksReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "SCTP_Packets", + "target_field": "Packets", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "SCTP_PacketsSent", + "target_field": "PacketsSent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "SCTP_PacketsReceived", + "target_field": "PacketsReceived", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "SCTP_UUIDforrule", + "target_field": "UUIDforrule", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": 
",SCTP,", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "SCTP_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "Authentication_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "Authentication_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "Authentication_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "Authentication_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "Authentication_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "Authentication_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "Authentication_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "Authentication_Source_IP", + "target_field": "Source_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "Authentication_User", + "target_field": "User", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "Authentication_NormalizeUser", + "target_field": "NormalizeUser", 
+ "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "Authentication_Object", + "target_field": "Object", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "Authentication_AuthenticationPolicy", + "target_field": "AuthenticationPolicy", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "Authentication_RepeatCount", + "target_field": "RepeatCount", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "Authentication_AuthenticationID", + "target_field": "AuthenticationID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "Authentication_Vendor", + "target_field": "Vendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + 
"converters": [], + "title": "Authentication_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "Authentication_ServerProfile", + "target_field": "ServerProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "Authentication_Description", + "target_field": "Description", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "Authentication_ClientType", + "target_field": "ClientType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "Authentication_EventType", + "target_field": "EventType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "Authentication_FactorNumber", + "target_field": "FactorNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": 
"string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "Authentication_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "Authentication_DeviceGroupHierarchy1", + "target_field": "DeviceGroupHierarchy1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "Authentication_DeviceGroupHierarchy2", + "target_field": "DeviceGroupHierarchy2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "Authentication_DeviceGroupHierarchy3", + "target_field": "DeviceGroupHierarchy3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "Authentication_DeviceGroupHierarchy4", + "target_field": "DeviceGroupHierarchy4", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "Authentication_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "Authentication_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "Authentication_VirtualSystemID", + "target_field": "VirtualSystemID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "Authentication_AuthenticationProtocol", + "target_field": "AuthenticationProtocol", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "Authentication_UUIDforrule", + "target_field": "UUIDforrule", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," 
+ }, + "converters": [], + "title": "Authentication_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceDeviceCategory", + "target_field": "SourceDeviceCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceDeviceProfile", + "target_field": "SourceDeviceProfile", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceDeviceModel", + "target_field": "SourceDeviceModel", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceDeviceVendor", + "target_field": "SourceDeviceVendor", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceDeviceOSFamily", + "target_field": "SourceDeviceOSFamily", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceDeviceOSVersion", + "target_field": "SourceDeviceOSVersion", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceHostname", + "target_field": "SourceHostname", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SourceMacAddress", + "target_field": "SourceMacAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "Authentication_Region", + "target_field": "Region", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "Authentication_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "Authentication_UserAgent", 
+ "target_field": "UserAgent", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "Authentication_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUTHENTICATION,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "Authentication_ClusterName", + "target_field": "ClusterName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "Config_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "Config_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "Config_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "Config_Type", + 
"target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "Config_Subtype", + "target_field": "Subtype", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "Config_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "Config_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "Config_Host", + "target_field": "Host", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "Config_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "Config_Command", + "target_field": "Command", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "Config_Admin", + "target_field": "Admin", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "Config_Client", + "target_field": "Client", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "Config_Result", + "target_field": "Result", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "Config_ConfigurationPath", + "target_field": "ConfigurationPath", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "Config_BeforeChangeDetail", + "target_field": "BeforeChangeDetail", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "Config_AfterChangeDetail", + "target_field": "AfterChangeDetail", + "source_field": "message", + 
"order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "Config_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "Config_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "Config_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "Config_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "Config_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": 
"Config_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "Config_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "Config_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "Config_DeviceGroup", + "target_field": "DeviceGroup", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "Config_AuditComment", + "target_field": "AuditComment", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "Config_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CONFIG,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + 
"converters": [], + "title": "Config_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "System_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "System_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "System_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "System_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "System_ContentThreatType", + "target_field": "ContentThreatType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + 
"converters": [], + "title": "System_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "System_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "System_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "System_EventID", + "target_field": "EventID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "System_Object", + "target_field": "Object", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "System_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": 
"System_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "System_Module", + "target_field": "Module", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "System_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "System_Description", + "target_field": "Description", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "System_SequenceNumber", + "target_field": "SequenceNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "System_ActionFlags", + "target_field": "ActionFlags", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": 
"System_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "System_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "System_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "System_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "System_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "System_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + 
"condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "System_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "System_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",SYSTEM,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "System_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + 
{ + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_ContentThreatType", + "target_field": "ContentThreatType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_SourceAddress.SourceUser", + "target_field": "SourceAddress.SourceUser", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_Category", + "target_field": "Category", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_DeviceGroupHierarchyLevel1", + "target_field": "DeviceGroupHierarchyLevel1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_DeviceGroupHierarchyLevel2", + "target_field": "DeviceGroupHierarchyLevel2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_DeviceGroupHierarchyLevel3", + "target_field": "DeviceGroupHierarchyLevel3", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + 
"index": 15, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_DeviceGroupHierarchyLevel4", + "target_field": "DeviceGroupHierarchyLevel4", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_VirtualSystemName", + "target_field": "VirtualSystemName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_DeviceName", + "target_field": "DeviceName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_VirtualSystemID", + "target_field": "VirtualSystemID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_ObjectName", + "target_field": "ObjectName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_ObjectID", + "target_field": "ObjectID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": 
"copy" + }, + { + "condition_value": ",CORRELATION,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "CorrelatedEvents_Evidence", + "target_field": "Evidence", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "GTP_ReceiveTime", + "target_field": "ReceiveTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "GTP_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "GTP_Type", + "target_field": "Type", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "GTP_ThreatContentType", + "target_field": "ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + 
"condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "GTP_GeneratedTime", + "target_field": "GeneratedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "GTP_SourceAddress", + "target_field": "SourceAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 9, + "split_by": "," + }, + "converters": [], + "title": "GTP_DestinationAddress", + "target_field": "DestinationAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 10, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 11, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": 
{ + "index": 12, + "split_by": "," + }, + "converters": [], + "title": "GTP_RuleName", + "target_field": "RuleName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 13, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 14, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 15, + "split_by": "," + }, + "converters": [], + "title": "GTP_Application", + "target_field": "Application", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 16, + "split_by": "," + }, + "converters": [], + "title": "GTP_VirtualSystem", + "target_field": "VirtualSystem", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 17, + "split_by": "," + }, + "converters": [], + "title": "GTP_SourceZone", + "target_field": "SourceZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 18, + "split_by": "," + }, + "converters": [], + 
"title": "GTP_DestinationZone", + "target_field": "DestinationZone", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 19, + "split_by": "," + }, + "converters": [], + "title": "GTP_InboundInterface", + "target_field": "InboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 20, + "split_by": "," + }, + "converters": [], + "title": "GTP_OutboundInterface", + "target_field": "OutboundInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 21, + "split_by": "," + }, + "converters": [], + "title": "GTP_LogAction", + "target_field": "LogAction", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 22, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 23, + "split_by": "," + }, + "converters": [], + "title": "GTP_SessionID", + "target_field": "SessionID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 24, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + 
"target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 25, + "split_by": "," + }, + "converters": [], + "title": "GTP_SourcePort", + "target_field": "SourcePort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 26, + "split_by": "," + }, + "converters": [], + "title": "GTP_DestinationPort", + "target_field": "DestinationPort", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 27, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 28, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 29, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 30, + "split_by": "," + }, + "converters": [], + "title": "GTP_Protocol", + "target_field": "Protocol", + "source_field": "message", + 
"order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 31, + "split_by": "," + }, + "converters": [], + "title": "GTP_Action", + "target_field": "Action", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 32, + "split_by": "," + }, + "converters": [], + "title": "GTP_GTPEventType", + "target_field": "GTPEventType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 33, + "split_by": "," + }, + "converters": [], + "title": "GTP_MSISDN", + "target_field": "MSISDN", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 34, + "split_by": "," + }, + "converters": [], + "title": "GTP_AccessPointName", + "target_field": "AccessPointName", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 35, + "split_by": "," + }, + "converters": [], + "title": "GTP_RadioAccessTechnology", + "target_field": "RadioAccessTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 36, + "split_by": "," + }, + "converters": [], + "title": "GTP_GTPMessageType", + "target_field": "GTPMessageType", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 37, + "split_by": "," + }, + "converters": [], + "title": "GTP_EndUser_IPAddress", + "target_field": "EndUser_IPAddress", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 38, + "split_by": "," + }, + "converters": [], + "title": "GTP_TunnelEndpointIdentifier1", + "target_field": "TunnelEndpointIdentifier1", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 39, + "split_by": "," + }, + "converters": [], + "title": "GTP_TunnelEndpointIdentifier2", + "target_field": "TunnelEndpointIdentifier2", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 40, + "split_by": "," + }, + "converters": [], + "title": "GTP_GTPInterface", + "target_field": "GTPInterface", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 41, + "split_by": "," + }, + "converters": [], + "title": "GTP_GTPCause", + "target_field": "GTPCause", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 42, + "split_by": "," + }, + "converters": [], + "title": "GTP_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + 
"extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 43, + "split_by": "," + }, + "converters": [], + "title": "GTP_ServingCountryMCC", + "target_field": "ServingCountryMCC", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 44, + "split_by": "," + }, + "converters": [], + "title": "GTP_ServingNetworkMNC", + "target_field": "ServingNetworkMNC", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 45, + "split_by": "," + }, + "converters": [], + "title": "GTP_AreaCode", + "target_field": "AreaCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 46, + "split_by": "," + }, + "converters": [], + "title": "GTP_CellID", + "target_field": "CellID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 47, + "split_by": "," + }, + "converters": [], + "title": "GTP_GTPEventCode", + "target_field": "GTPEventCode", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 48, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 49, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 50, + "split_by": "," + }, + "converters": [], + "title": "GTP_SourceLocation", + "target_field": "SourceLocation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 51, + "split_by": "," + }, + "converters": [], + "title": "GTP_DestinationLocation", + "target_field": "DestinationLocation", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 52, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 53, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 54, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + 
"condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 55, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 56, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 57, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 58, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 59, + "split_by": "," + }, + "converters": [], + "title": "GTP_TunnelIDIMSI", + "target_field": "TunnelIDIMSI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 60, + "split_by": "," + }, + "converters": [], + "title": "GTP_MonitorTagIMEI", + "target_field": "MonitorTagIMEI", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + 
"extractor_config": { + "index": 61, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 62, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 63, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 64, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 65, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 66, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 67, + "split_by": "," + }, + "converters": [], 
+ "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 68, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 69, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 70, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 71, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 72, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 73, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 74, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 75, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 76, + "split_by": "," + }, + "converters": [], + "title": "GTP_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 77, + "split_by": "," + }, + "converters": [], + "title": "GTP_StartTime", + "target_field": "StartTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 78, + "split_by": "," + }, + "converters": [], + "title": "GTP_ElapsedTime", + "target_field": "ElapsedTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 79, + "split_by": "," + }, + "converters": [], + "title": "GTP_TunnelInspectionRule", + "target_field": "TunnelInspectionRule", + "source_field": "message", + "order": 0, + "extractor_type": 
"split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 80, + "split_by": "," + }, + "converters": [], + "title": "GTP_RemoteUser_IP", + "target_field": "RemoteUser_IP", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 81, + "split_by": "," + }, + "converters": [], + "title": "GTP_RemoteUserID", + "target_field": "RemoteUserID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 82, + "split_by": "," + }, + "converters": [], + "title": "GTP_UUIDforrule", + "target_field": "UUIDforrule", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 83, + "split_by": "," + }, + "converters": [], + "title": "GTP_PCAPID", + "target_field": "PCAPID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 84, + "split_by": "," + }, + "converters": [], + "title": "GTP_HighResolutionTimestamp", + "target_field": "HighResolutionTimestamp", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 85, + "split_by": "," + }, + "converters": [], + "title": "GTP_ASliceServiceType", + "target_field": "ASliceServiceType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + 
"cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 86, + "split_by": "," + }, + "converters": [], + "title": "GTP_ASliceDifferentiator", + "target_field": "ASliceDifferentiator", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 87, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationSubcategory", + "target_field": "ApplicationSubcategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 88, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationCategory", + "target_field": "ApplicationCategory", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 89, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationTechnology", + "target_field": "ApplicationTechnology", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 90, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationRisk", + "target_field": "ApplicationRisk", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 91, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationCharacteristic", + "target_field": "ApplicationCharacteristic", + "source_field": 
"message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 92, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationContainer", + "target_field": "ApplicationContainer", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 93, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationSaaS", + "target_field": "ApplicationSaaS", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",GTP,", + "condition_type": "string", + "extractor_config": { + "index": 94, + "split_by": "," + }, + "converters": [], + "title": "GTP_ApplicationSanctionedState", + "target_field": "ApplicationSanctionedState", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 1, + "split_by": "," + }, + "converters": [], + "title": "Audit_SerialNumber", + "target_field": "SerialNumber", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 2, + "split_by": "," + }, + "converters": [], + "title": "Audit_GenerateTime", + "target_field": "GenerateTime", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 3, + "split_by": "," + }, + "converters": [], + "title": "Audit_ThreatContentType", + "target_field": 
"ThreatContentType", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 4, + "split_by": "," + }, + "converters": [], + "title": "Audit_FUTUREUSE", + "target_field": "FUTUREUSE", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 5, + "split_by": "," + }, + "converters": [], + "title": "Audit_EventID", + "target_field": "EventID", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 6, + "split_by": "," + }, + "converters": [], + "title": "Audit_Object", + "target_field": "Object", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 7, + "split_by": "," + }, + "converters": [], + "title": "Audit_CLICommand", + "target_field": "CLICommand", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + }, + { + "condition_value": ",AUDIT,", + "condition_type": "string", + "extractor_config": { + "index": 8, + "split_by": "," + }, + "converters": [], + "title": "Audit_Severity", + "target_field": "Severity", + "source_field": "message", + "order": 0, + "extractor_type": "split_and_index", + "cursor_strategy": "copy" + } + ] +}