{
    attributes: {
      "dataSource.category": "security",
      "dataSource.name": "Netskope",
      "dataSource.vendor": "Netskope"
    },
    formats: [
      {
        format: ".*${parse=json}{attrWhitelist=(_id|action|activity|device|category|app_name|count|dst_country|dst_region|malware_severity|malware_type|request_id|severity|severity_id|src_country|src_location|src_region|type|_category_id|_category_tags|_correlation_id|_detection_name|_event_id|_nshostname|_resource_name|_service_identifier|account_name|alert_id|alert_name|alert_type|appcategory|breach_date|breach_description|breach_id|breach_score|connection_id|dlp_file|dlp_incident_id|dlp_rule|dlp_rule_count|dst_latitude|dst_longitude|dst_timezone|dst_zipcode|dstip|event_type|file_name|file_size|file_type|hostname|incident_id|instance_id|local_md5|malsite_country|malware_name|matched_username|md5|os|os10|os11|policy|policy_id|protocol|severity_level|severity_level_id|src_latitude|src_longitude|src_time|src_timezone|src_zipcode|srcip|timestamp|transaction_id|true_obj_type|url|user|user_id|userip|userkey|local_sha256)}$"
         rewrites: [ 
           {
             input:   "_category_id",
             output:  "security_finding.category_uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_category_tags",
             output:  "security_finding.category_tags",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_correlation_id",
             output:  "metadata.correlation_uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_detection_name",
             output:  "detection.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_event_id",
             output:  "security_finding.activity_id",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_id",
             output:  "security_finding.type_uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_nshostname",
             output:  "network_endpoint.sender_hostname",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_resource_name",
             output:  "resource.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "_service_identifier",
             output:  "service.identifier",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "account_name",
             output:  "account.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "action",
             output:  "security_finding.action",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "alert_id",
             output:  "alert.uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "alert_name",
             output:  "alert.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "alert_type",
             output:  "event.type",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "appcategory",
             output:  "security_finding.app_category",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "breach_date",
             output:  "breach.date",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "breach_description",
             output:  "breach.desc",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "breach_id",
             output:  "breach.uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "breach_score",
             output:  "breach.score",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "category",
             output:  "security_finding.category_name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "connection_id",
             output:  "security_finding.connection_id",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "device",
             output:  "device.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dlp_file",
             output:  "dlp.file_name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dlp_incident_id",
             output:  "dlp.incident_id",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dlp_rule",
             output:  "dlp.rule",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dlp_rule_count",
             output:  "dlp.rule_count",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dst_latitude",
             output:  "geo_coordinates.dst_latitude",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dst_longitude",
             output:  "geo_coordinates.dst_longitude",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dst_timezone",
             output:  "location.dst_timezone",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dst_zipcode",
             output:  "location.dst_zipcode",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "dstip",
             output:  "dst.ip.address",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "event_type",
             output:  "security_finding.ref_event_name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "file_name",
             output:  "file.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "file_size",
             output:  "file.size",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "file_type",
             output:  "file.type",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "hostname",
             output:  "device.hostname",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "incident_id",
             output:  "security_finding.incident_id",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "instance_id",
             output:  "device.instance_uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "local_md5",
             output:  "file.local_md5",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "malsite_country",
             output:  "security_finding.malsite_country",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "malware_name",
             output:  "malware.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "matched_username",
             output:  "security_finding.matched_username",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "md5",
             output:  "file.md5",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "os",
             output:  "os.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "os10",
             output:  "device.os10",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "os11",
             output:  "device.os11",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "policy",
             output:  "policy.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "policy_id ",
             output:  "policy.uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "protocol",
             output:  "network_connection_info.protocol_name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "severity_level",
             output:  "security_finding.severity",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "severity_level_id",
             output:  "security_finding.severity_level_id",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "src_latitude",
             output:  "geo_coordinates.src_latitude",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "src_longitude",
             output:  "geo_coordinates.src_longitude",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "src_time",
             output:  "security_finding.src_time",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "src_timezone",
             output:  "location.src_timezone",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "src_zipcode",
             output:  "location.src_zipcode",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "srcip",
             output:  "src.ip.address",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "timestamp",
             output:  "security_finding.time",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "transaction_id",
             output:  "security_finding.transaction_id",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "true_obj_type",
             output:  "file.type",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "url",
             output:  "url.text",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "user",
             output:  "user.name",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "user_id",
             output:  "user.uid",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "userip",
             output:  "user.ip",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "userkey",
             output:  "user.key",
             match:   ".*",
             replace: "$0"
           },
           {
             input:   "local_sha256",
             output:  "file.local_sha256",
             match:   ".*",
             replace: "$0"
           },
         ]
      }
    ]
  }