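{
  // SAP HANA Database SDL Parser
  // OCSF v1.3.0 — emits Detection Finding (2004) for risky events
  // so they appear in XDR / AI SIEM Findings UI
  //
  // How to read this file:
  //   - `attributes` are static defaults applied to every event; the default
  //     class is Database Activity (4001 / type_uid 400100 = Unknown activity).
  //   - `rewrites` run in list order and a later rule that writes the same output
  //     field wins on overlap (see the SQL-injection note below), so the
  //     Detection Finding promotions at the end override the class routing
  //     above them.
  //   - Invariant kept throughout: type_uid == class_uid * 100 + activity_id.
  //     Every rule that changes class_uid or activity_id must also set type_uid,
  //     and vice versa, or consumers see a class/type mismatch.

  attributes: {
    "metadata.version":             "1.3.0",
    "metadata.product.vendor_name": "SAP",
    "metadata.product.name":        "HANA Database",
    "metadata.log_provider":        "hana-audit",
    "Category":               "database",
    "dataSource.vendor":      "SAP",
    "dataSource.name":        "HANA Database",
    "dataSource.category":    "database",
    "category_uid":           4,
    "category_name":          "Network Activity",
    "class_uid":              4001,
    "class_name":             "Database Activity",
    "activity_id":            0,
    "activity_name":          "Unknown",
    "type_uid":               400100,
    "status_id":              1,
    "status":                 "Success",
    "severity_id":            1,
    "severity":               "Informational",
    "disposition_id":         0,
    "disposition":            "Unknown"
  },

  formats: [
    {
      format: "$=json{parse=json}$",
      halt:   true,
      rewrites: [
        // Field extraction — straight copies of HANA audit fields into OCSF
        // (plus a few flat aliases such as user.name / src_ip / session.uid).
        { input: "user_name",        output: "actor.user.name",          match: ".*", replace: "$0" },
        { input: "user_name",        output: "user.name",                match: ".*", replace: "$0" },
        { input: "application_user", output: "actor.user.account.name",  match: ".*", replace: "$0" },
        { input: "application_name", output: "app_name",                 match: ".*", replace: "$0" },
        { input: "client_ip",        output: "src_endpoint.ip",          match: ".*", replace: "$0" },
        { input: "client_ip",        output: "src_ip",                   match: ".*", replace: "$0" },
        { input: "client_port",      output: "src_endpoint.port",        match: ".*", replace: "$0" },
        { input: "host",             output: "device.hostname",          match: ".*", replace: "$0" },
        { input: "component",        output: "device.type",              match: ".*", replace: "$0" },
        { input: "connection_id",    output: "actor.session.uid",        match: ".*", replace: "$0" },
        { input: "connection_id",    output: "session.uid",              match: ".*", replace: "$0" },
        { input: "transaction_id",   output: "transaction.uid",          match: ".*", replace: "$0" },
        { input: "statement_id",     output: "query_info.uid",           match: ".*", replace: "$0" },
        { input: "statement",        output: "query_info.query_string",  match: ".*", replace: "$0" },
        { input: "executed_statement", output: "query_info.executed_query", match: ".*", replace: "$0" },
        { input: "rows_affected",    output: "query_info.rows_affected", match: ".*", replace: "$0" },
        { input: "execution_time_ms", output: "query_info.duration",     match: ".*", replace: "$0" },
        // activity_name is the raw HANA verb (e.g. "SELECT"), not the OCSF
        // activity label; activity_id below is what consumers should key on.
        { input: "audit_action",     output: "activity_name",            match: ".*", replace: "$0" },
        { input: "audit_action",     output: "query_info.query_type",    match: ".*", replace: "$0" },
        { input: "audit_policy_name", output: "policy.name",             match: ".*", replace: "$0" },
        { input: "comment",          output: "raw_data",                 match: ".*", replace: "$0" },

        // Status — error_code "0" is success, any code starting 1-9 is failure.
        // NOTE(review): an error_code that does not start with 0-9 (e.g. a
        // negative or alphanumeric code) matches neither branch and keeps the
        // default Success — confirm HANA never emits such codes.
        { input: "error_code",    output: "status_id",     match: "^0$",      replace: "1" },
        { input: "error_code",    output: "status",        match: "^0$",      replace: "Success" },
        { input: "error_code",    output: "status_id",     match: "^[1-9].*", replace: "2" },
        { input: "error_code",    output: "status",        match: "^[1-9].*", replace: "Failure" },
        { input: "error_code",    output: "status_code",   match: ".*",       replace: "$0" },
        { input: "error_message", output: "status_detail", match: ".*",       replace: "$0" },

        // OCSF class routing by audit_action — Authentication
        { input: "audit_action", output: "class_uid",     match: "^(CONNECT|DISCONNECT)$", replace: "3002" },
        { input: "audit_action", output: "class_name",    match: "^(CONNECT|DISCONNECT)$", replace: "Authentication" },
        { input: "audit_action", output: "category_uid",  match: "^(CONNECT|DISCONNECT)$", replace: "3" },
        { input: "audit_action", output: "category_name", match: "^(CONNECT|DISCONNECT)$", replace: "IAM" },
        { input: "audit_action", output: "activity_id",   match: "^CONNECT$",    replace: "1" },
        { input: "audit_action", output: "type_uid",      match: "^CONNECT$",    replace: "300201" },
        { input: "audit_action", output: "activity_id",   match: "^DISCONNECT$", replace: "2" },
        { input: "audit_action", output: "type_uid",      match: "^DISCONNECT$", replace: "300202" },

        // Authorization (GRANT / REVOKE)
        // NOTE(review): OCSF 1.3 names class 3003 "Authorize Session"; GRANT /
        // REVOKE of privileges may fit "User Access Management" (3005) better —
        // confirm against the schema before renaming, as downstream queries
        // may already key on 3003.
        { input: "audit_action", output: "class_uid",     match: "^(GRANT|REVOKE)$", replace: "3003" },
        { input: "audit_action", output: "class_name",    match: "^(GRANT|REVOKE)$", replace: "Authorization" },
        { input: "audit_action", output: "category_uid",  match: "^(GRANT|REVOKE)$", replace: "3" },
        { input: "audit_action", output: "category_name", match: "^(GRANT|REVOKE)$", replace: "IAM" },
        { input: "audit_action", output: "activity_id",   match: "^GRANT$",  replace: "1" },
        { input: "audit_action", output: "type_uid",      match: "^GRANT$",  replace: "300301" },
        { input: "audit_action", output: "activity_id",   match: "^REVOKE$", replace: "2" },
        // REVOKE previously kept the default type_uid 400100 while carrying
        // class_uid 3003; set it per the class*100+activity invariant.
        { input: "audit_action", output: "type_uid",      match: "^REVOKE$", replace: "300302" },

        // Database Activity (DML / DDL / Backup)
        // CREATE / DROP / ALTER / RESTORE are routed to 4001 but keep the
        // default activity_id 0 / type_uid 400100 (Unknown).
        // NOTE(review): the activity_id numbering below (SELECT=1, INSERT=2, …)
        // is the parser's own; verify it against the OCSF 1.3 Database Activity
        // enum before relying on activity_id in detections.
        { input: "audit_action", output: "class_uid",     match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4001" },
        { input: "audit_action", output: "class_name",    match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Database Activity" },
        { input: "audit_action", output: "category_uid",  match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4" },
        { input: "audit_action", output: "category_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Network Activity" },
        { input: "audit_action", output: "activity_id",   match: "^SELECT$",      replace: "1" },
        { input: "audit_action", output: "type_uid",      match: "^SELECT$",      replace: "400101" },
        { input: "audit_action", output: "activity_id",   match: "^INSERT$",      replace: "2" },
        { input: "audit_action", output: "type_uid",      match: "^INSERT$",      replace: "400102" },
        { input: "audit_action", output: "activity_id",   match: "^UPDATE$",      replace: "3" },
        { input: "audit_action", output: "type_uid",      match: "^UPDATE$",      replace: "400103" },
        { input: "audit_action", output: "activity_id",   match: "^DELETE$",      replace: "4" },
        { input: "audit_action", output: "type_uid",      match: "^DELETE$",      replace: "400104" },
        { input: "audit_action", output: "activity_id",   match: "^BACKUP DATA$", replace: "5" },
        { input: "audit_action", output: "type_uid",      match: "^BACKUP DATA$", replace: "400105" },

        // Severity from audit_level (unanchored, case-insensitive substring match).
        // The Detection Finding promotions below override these on overlap.
        { input: "audit_level", output: "severity_id", match: "(?i)info",     replace: "1" },
        { input: "audit_level", output: "severity",    match: "(?i)info",     replace: "Informational" },
        { input: "audit_level", output: "severity_id", match: "(?i)warning",  replace: "3" },
        { input: "audit_level", output: "severity",    match: "(?i)warning",  replace: "Medium" },
        { input: "audit_level", output: "severity_id", match: "(?i)alert",    replace: "4" },
        { input: "audit_level", output: "severity",    match: "(?i)alert",    replace: "High" },
        { input: "audit_level", output: "severity_id", match: "(?i)critical", replace: "5" },
        { input: "audit_level", output: "severity",    match: "(?i)critical", replace: "Critical" },

        // Promote risky events to Detection Finding (2004) so they show in XDR.
        // Each promotion sets activity_id 1 together with type_uid 200401 so the
        // pair stays consistent whatever the earlier class routing set.

        // 1) Failed authentication
        // NOTE(review): this keys on error_code alone, so ANY failed action
        // (a denied SELECT, a failed GRANT, …) is titled "HANA Authentication
        // Failure". Each rewrite tests a single input field, so restricting it
        // to CONNECT would need a combined field or a format-level condition —
        // confirm what the rewrite engine supports and scope it if possible.
        { input: "error_code", output: "class_uid",          match: "^[1-9].*", replace: "2004" },
        { input: "error_code", output: "class_name",         match: "^[1-9].*", replace: "Detection Finding" },
        { input: "error_code", output: "category_uid",       match: "^[1-9].*", replace: "2" },
        { input: "error_code", output: "category_name",      match: "^[1-9].*", replace: "Findings" },
        { input: "error_code", output: "activity_id",        match: "^[1-9].*", replace: "1" },
        { input: "error_code", output: "type_uid",           match: "^[1-9].*", replace: "200401" },
        { input: "error_code", output: "finding_title",      match: "^[1-9].*", replace: "HANA Authentication Failure" },
        { input: "error_code", output: "finding_info.title", match: "^[1-9].*", replace: "HANA Authentication Failure" },
        { input: "error_code", output: "disposition_id",     match: "^[1-9].*", replace: "2" },
        { input: "error_code", output: "disposition",        match: "^[1-9].*", replace: "Blocked" },
        { input: "error_code", output: "severity_id",        match: "^[1-9].*", replace: "4" },
        { input: "error_code", output: "severity",           match: "^[1-9].*", replace: "High" },

        // 2) Mass data extraction (rows_affected >= 10000)
        // Matches a 5+ digit rows_affected for any statement type, so bulk
        // INSERT / UPDATE / DELETE also surface under this title.
        { input: "rows_affected", output: "class_uid",     match: "^[1-9][0-9]{4,}$", replace: "2004" },
        { input: "rows_affected", output: "class_name",    match: "^[1-9][0-9]{4,}$", replace: "Detection Finding" },
        { input: "rows_affected", output: "category_uid",  match: "^[1-9][0-9]{4,}$", replace: "2" },
        { input: "rows_affected", output: "category_name", match: "^[1-9][0-9]{4,}$", replace: "Findings" },
        { input: "rows_affected", output: "activity_id",   match: "^[1-9][0-9]{4,}$", replace: "1" },
        { input: "rows_affected", output: "type_uid",      match: "^[1-9][0-9]{4,}$", replace: "200401" },
        { input: "rows_affected", output: "finding_title",      match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" },
        { input: "rows_affected", output: "finding_info.title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" },
        { input: "rows_affected", output: "severity_id",   match: "^[1-9][0-9]{4,}$", replace: "5" },
        { input: "rows_affected", output: "severity",      match: "^[1-9][0-9]{4,}$", replace: "Critical" },

        // 3) SQL injection signature (more specific than mass extraction — wins on overlap)
        // Substring signatures; "WHERE 1=1" in particular is common in
        // generated / ORM SQL, so expect tuning against the environment's
        // baseline before alerting at Critical.
        { input: "statement", output: "class_uid",          match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2004" },
        { input: "statement", output: "class_name",         match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Detection Finding" },
        { input: "statement", output: "category_uid",       match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" },
        { input: "statement", output: "category_name",      match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Findings" },
        { input: "statement", output: "activity_id",        match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "1" },
        { input: "statement", output: "type_uid",           match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "200401" },
        { input: "statement", output: "finding_title",      match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" },
        { input: "statement", output: "finding_info.title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" },
        { input: "statement", output: "severity_id",        match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "5" },
        { input: "statement", output: "severity",           match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Critical" },
        { input: "statement", output: "disposition_id",     match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" },
        { input: "statement", output: "disposition",        match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Blocked" },

        // 4) GRANT ALL PRIVILEGES (anchor with ^...$)
        // Disposition is intentionally left as routed above (no Blocked claim —
        // the grant itself succeeded unless error_code says otherwise).
        { input: "statement", output: "class_uid",     match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2004" },
        { input: "statement", output: "class_name",    match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Detection Finding" },
        { input: "statement", output: "category_uid",  match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2" },
        { input: "statement", output: "category_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Findings" },
        { input: "statement", output: "activity_id",   match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "1" },
        { input: "statement", output: "type_uid",      match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "200401" },
        { input: "statement", output: "finding_title",      match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" },
        { input: "statement", output: "finding_info.title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" },
        { input: "statement", output: "severity_id",   match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "5" },
        { input: "statement", output: "severity",      match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Critical" },

        // 5) Backup to /tmp/ (anchor with ^...$)
        { input: "statement", output: "class_uid",     match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2004" },
        { input: "statement", output: "class_name",    match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Detection Finding" },
        { input: "statement", output: "category_uid",  match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2" },
        { input: "statement", output: "category_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Findings" },
        { input: "statement", output: "activity_id",   match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "1" },
        { input: "statement", output: "type_uid",      match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "200401" },
        { input: "statement", output: "finding_title",      match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" },
        { input: "statement", output: "finding_info.title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" },
        { input: "statement", output: "severity_id",   match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "5" },
        { input: "statement", output: "severity",      match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Critical" }
      ]
    }
  ]
}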
