{
  // Sophos Firewall syslog normalisation config.  The file uses JSON5 features
  // (unquoted keys, // comments), so it must be read by a JSON5-aware loader,
  // not a strict RFC 8259 parser.  Sections, as used in this file:
  //   attributes - static fields stamped on every event
  //   patterns   - named regex fragments referenced as $field=name$ in formats
  //   formats    - ordered match/extract rules; "halt: true" presumably stops
  //                evaluation at the first matching entry, so order matters
  //   mappings   - renames of extracted fields to their final OCSF-style paths
  //
  // Attributes applied to every event regardless of which format matches.
  // Per-format attributes blocks set the same keys (e.g. severity_id) with
  // other values, so the merge presumably lets the format win; confirm with
  // the consumer if a different precedence would matter.
  attributes: {
    "metadata.version":    "2.0.0",
    "dataSource.vendor":   "Sophos",
    "dataSource.name":     "Sophos Firewall",
    "dataSource.category": "security",
    "metadata.product.vendor_name": "Sophos",
    "metadata.product.name":        "Sophos Firewall",
    "metadata.log_provider":        "syslog",
    // Default severity.  Formats that do not set their own (fw_allow, auth_ok,
    // ipsec_*, dhcp, web_allow, sslvpn_*, fallback) inherit Informational;
    // deny/detect/threat formats below raise it.
    "severity_id": 1,
    "severity": "Informational"
  },

  // Named regex fragments, referenced from format/rewrite strings as
  // $field=name$.  Each is a plain (string-escaped) regex; the capture is
  // whatever the fragment consumes at that position in the enclosing
  // expression.
  patterns: {
    // Not referenced by any format in this file (may be used elsewhere).
    tsval:     "[^\"]+",
    // Body of a double-quoted value: runs to the next '"', so a value that
    // contains an escaped quote is truncated at that quote.
    qval:      "[^\"]+",
    // Not referenced by any format in this file (may be used elsewhere).
    nqval:     "[^ ]+",
    // IPv4 dotted-quad only, no octet range check.  IPv6 addresses do not
    // match: a format whose "format" string requires an ip capture will not
    // match such a line at all, and a rewrite using it leaves the output unset.
    ip:        "\\d+\\.\\d+\\.\\d+\\.\\d+",
    // Any run of hex digits and colons; no length or grouping check.
    mac:       "[0-9A-Fa-f:]+",
    num:       "\\d+",
    // Whole remaining message; used only by the fallback format.
    rest:      ".*"
  },

  formats: [
    // FIREWALL ALLOWED - log_type="Firewall" and log_subtype="Allowed".
    // The format string itself requires src_ip, dst_ip and protocol to be
    // present, quoted, and in that order; a Firewall/Allowed line missing any
    // of them does not match here and ends up in the fallback format.
    {
      id: "fw_allow",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        // class_uid * 100 + activity_id
        type_uid: 400106,
        disposition_id: 1, disposition: "Allowed"
        // No severity here: inherits the file-level Informational default.
      },
      format: ".*log_type=\"Firewall\".*log_subtype=\"Allowed\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*",
      // Optional fields.  Each rewrite is an independent regex over the whole
      // message, so a missing key just leaves that output unset.  The leading
      // ".*" is greedy and the key text is not anchored on a word boundary, so
      // each rewrite takes the LAST occurrence of the key text, and a longer
      // key ending in the same text would also satisfy it (constructed
      // example: "x_src_port=" matches ".*src_port=").
      rewrites: [
        { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
        { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
        { input: "message", output: "fw_rule", match: ".*fw_rule_name=\"$v=qval$\".*" },
        { input: "message", output: "src_zone", match: ".*src_zone=\"$v=qval$\".*" },
        { input: "message", output: "dst_zone", match: ".*dst_zone=\"$v=qval$\".*" },
        { input: "message", output: "src_mac", match: ".*src_mac=\"$v=mac$\".*" },
        { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
      ],
      // Presumably stops evaluation of the remaining formats once matched.
      halt: true
    },

    // FIREWALL DENIED - log_type="Firewall" and log_subtype="Denied".
    // Same mandatory src_ip/dst_ip/protocol as fw_allow.  Note this entry
    // extracts fewer optional fields than fw_allow (no rule name, zones or
    // MAC), so blocked-traffic events carry less context than allowed ones;
    // worth revisiting if detections need the rule or zone of a block.
    {
      id: "fw_deny",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        // class_uid * 100 + activity_id
        type_uid: 400106,
        disposition_id: 2, disposition: "Blocked",
        // Overrides the file-level Informational default.
        severity_id: 3, severity: "Medium"
      },
      format: ".*log_type=\"Firewall\".*log_subtype=\"Denied\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*",
      // Optional fields; each rewrite is an unanchored, greedy regex over the
      // whole message (takes the last occurrence of the key text).
      rewrites: [
        { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
        { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
        { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // IPS DETECT - log_type="IDP", log_subtype="Detect" (the Drop variant is a
    // separate format below).  The format string keys only on those two tags;
    // every other field is an optional rewrite.
    // NOTE(review): in the published OCSF schema, class 4002 is HTTP Activity;
    // Detection Finding is class 2004 in the Findings category (2), which would
    // also change type_uid to 2004xx.  Verify against the schema version this
    // pipeline targets before relying on class_uid downstream.
    {
      id: "ips_detect",
      attributes: {
        class_uid: 4002, class_name: "Detection Finding",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Create",
        // class_uid * 100 + activity_id
        type_uid: 400201,
        severity_id: 3, severity: "Medium"
      },
      format: ".*log_type=\"IDP\".*log_subtype=\"Detect\".*",
      rewrites: [
        { input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" },
        { input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" },
        // NOTE(review): src_ip/dst_ip are matched UNQUOTED here, unlike every
        // other format in this file, which expects src_ip="...".  The ip
        // pattern starts with a digit class, so a quoted value never matches
        // and these two outputs stay unset.  Confirm against a real IDP sample
        // line; if it is quoted, add the \" around $v=ip$ as elsewhere.
        { input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" },
        { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
        { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
        { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" },
        { input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" },
        // Unanchored and greedy: takes the last occurrence of the text
        // category=" in the message, which would also be the tail of a longer
        // key (constructed example: "sub_category=").
        { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" },
        { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // IPS DROP - log_type="IDP", log_subtype="Drop": signature hit where the
    // device dropped the traffic, hence disposition Blocked and severity High.
    // NOTE(review): in the published OCSF schema, class 4002 is HTTP Activity
    // and Detection Finding is 2004 (category Findings, 2); verify against the
    // targeted schema version.
    {
      id: "ips_drop",
      attributes: {
        class_uid: 4002, class_name: "Detection Finding",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Create",
        // class_uid * 100 + activity_id
        type_uid: 400201,
        disposition_id: 2, disposition: "Blocked",
        severity_id: 4, severity: "High"
      },
      format: ".*log_type=\"IDP\".*log_subtype=\"Drop\".*",
      rewrites: [
        { input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" },
        { input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" },
        // NOTE(review): src_ip/dst_ip are matched UNQUOTED here, unlike every
        // other format in this file, which expects src_ip="...".  Because the
        // ip pattern starts with a digit class, a quoted value never matches
        // and these outputs stay unset.  Confirm against a real IDP sample.
        { input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" },
        { input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
        { input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
        { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" },
        { input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" },
        { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // ATP THREAT - any line containing log_type="ATP" (Advanced Threat
    // Protection).  No subtype check, so every ATP line is treated as a High
    // severity finding; no disposition is set, so allowed vs. blocked cannot
    // be told apart from the attributes alone.
    // NOTE(review): in the published OCSF schema, class 4002 is HTTP Activity
    // and Detection Finding is 2004 (category Findings, 2); verify against the
    // targeted schema version.
    {
      id: "atp",
      attributes: {
        class_uid: 4002, class_name: "Detection Finding",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Create",
        // class_uid * 100 + activity_id
        type_uid: 400201,
        severity_id: 4, severity: "High"
      },
      format: ".*log_type=\"ATP\".*",
      // All optional; unanchored greedy regexes (last occurrence of the key).
      rewrites: [
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "malware", match: ".*malware=\"$v=qval$\".*" },
        { input: "message", output: "threatfeed", match: ".*threatfeed=\"$v=qval$\".*" },
        { input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" },
        { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // AUTH SUCCESS - log_subtype="Authentication" with status="Successful",
    // from any log_type.  The format does not check log_component; the
    // component (e.g. which service authenticated) is only captured by the
    // auth_comp rewrite and lands in unmapped.auth_component.
    {
      id: "auth_ok",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "Identity & Access Management",
        activity_id: 1, activity_name: "Logon",
        // class_uid * 100 + activity_id
        type_uid: 300201,
        status_id: 1, status: "Success"
      },
      format: ".*log_subtype=\"Authentication\".*status=\"Successful\".*",
      // All optional.  Values are taken verbatim from the log line (no
      // decoding), so user names and client strings are untrusted text
      // downstream.  Each regex is unanchored and greedy (last occurrence).
      rewrites: [
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" },
        { input: "message", output: "user_grp", match: ".*user_group=\"$v=qval$\".*" },
        { input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" },
        { input: "message", output: "client", match: ".*client_used=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // AUTH FAILURE - log_subtype="Authentication" with status="Failed", from
    // any log_type.  Severity is raised to Medium for every failure; failed-
    // logon detections (e.g. counting per user / source) should key on
    // status_id rather than on severity.  Unlike auth_ok this does not capture
    // user_group or client_used, but does capture the device's reason string.
    {
      id: "auth_fail",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "Identity & Access Management",
        activity_id: 1, activity_name: "Logon",
        // class_uid * 100 + activity_id
        type_uid: 300201,
        status_id: 2, status: "Failure",
        severity_id: 3, severity: "Medium"
      },
      format: ".*log_subtype=\"Authentication\".*status=\"Failed\".*",
      // All optional; values are copied verbatim (untrusted text downstream).
      rewrites: [
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" },
        { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" },
        { input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // IPSEC ESTABLISHED - log_component="IPSec" with status="Established".
    // Tunnel open; status_id Success is set here but not on the matching
    // sslvpn_up entry, so the two Open events are not shaped identically.
    {
      id: "ipsec_up",
      attributes: {
        class_uid: 4014, class_name: "Tunnel Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Open",
        // class_uid * 100 + activity_id
        type_uid: 401401,
        status_id: 1, status: "Success"
      },
      format: ".*log_component=\"IPSec\".*status=\"Established\".*",
      // All optional; unanchored greedy regexes (last occurrence of the key).
      // local_network / remote_network are kept as raw strings under unmapped.
      rewrites: [
        { input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" },
        { input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // IPSEC TERMINATED - log_component="IPSec" with status="Terminated".
    // Tunnel close.  No status_id/severity set (inherits Informational), so a
    // tunnel torn down by error is not distinguishable here from a clean close.
    {
      id: "ipsec_down",
      attributes: {
        class_uid: 4014, class_name: "Tunnel Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 2, activity_name: "Close",
        // class_uid * 100 + activity_id
        type_uid: 401402
      },
      format: ".*log_component=\"IPSec\".*status=\"Terminated\".*",
      // Same optional fields as ipsec_up.
      rewrites: [
        { input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" },
        { input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // DHCP - every line with log_component="DHCP Server", regardless of what
    // the server actually did; the device's own status string is only kept in
    // the dhcp_status rewrite (mapped to unmapped.dhcp_status).
    // NOTE(review): "Lease" is not an activity name in the published OCSF DHCP
    // Activity class (activity_id 1 there is Discover); verify against the
    // targeted schema version.
    {
      id: "dhcp",
      attributes: {
        class_uid: 4004, class_name: "DHCP Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Lease",
        // class_uid * 100 + activity_id
        type_uid: 400401
      },
      format: ".*log_component=\"DHCP Server\".*",
      // All optional.  reported_ip / src_mac / reported_host are the client's
      // values and are mapped to dst_endpoint.* later in this file.
      rewrites: [
        { input: "message", output: "client_ip", match: ".*reported_ip=\"$v=ip$\".*" },
        { input: "message", output: "client_mac", match: ".*src_mac=\"$v=mac$\".*" },
        { input: "message", output: "hostname", match: ".*reported_host=\"$v=qval$\".*" },
        { input: "message", output: "lease_time", match: ".*lease_time=$v=num$.*" },
        // Unanchored and greedy: takes the last occurrence of the text
        // status=" in the message, which would also be the tail of a longer
        // key ending in "status=".
        { input: "message", output: "dhcp_status", match: ".*status=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // ANTIVIRUS - full format.  Requires virus, src_ip, dst_ip, filename, url
    // and user to all be present, quoted, and in exactly this order; because
    // it halts, av_min below only ever sees Anti-Virus lines this one rejects.
    // Captured url/filename/user values are copied verbatim (no decoding) and
    // should be treated as untrusted text by consumers.
    // NOTE(review): in the published OCSF schema, class 4002 is HTTP Activity
    // and Detection Finding is 2004 (category Findings, 2); verify against the
    // targeted schema version.
    {
      id: "av_full",
      attributes: {
        class_uid: 4002, class_name: "Detection Finding",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Create",
        // class_uid * 100 + activity_id
        type_uid: 400201,
        severity_id: 4, severity: "High"
      },
      format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*filename=\"$filename=qval$\".*url=\"$url=qval$\".*user=\"$user=qval$\".*",
      halt: true
    },
    // ANTIVIRUS - minimal (virus, src, dst only).  Catches Anti-Virus lines
    // that lack one of filename/url/user required by av_full above; those
    // fields are simply absent from the event rather than partially captured.
    // NOTE(review): in the published OCSF schema, class 4002 is HTTP Activity
    // and Detection Finding is 2004 (category Findings, 2); verify against the
    // targeted schema version.
    {
      id: "av_min",
      attributes: {
        class_uid: 4002, class_name: "Detection Finding",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Create",
        // class_uid * 100 + activity_id
        type_uid: 400201,
        severity_id: 4, severity: "High"
      },
      format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*",
      halt: true
    },

    // WEB FILTER ALLOWED - log_type="Content Filtering", log_subtype="Allowed".
    // NOTE(review): in the published OCSF schema, class 4007 is SSH Activity;
    // Web Resources Activity is 6001 in the Application Activity category (6),
    // and "Access" is not one of its activity names (activity_id 1 is Create).
    // Verify against the targeted schema version.
    {
      id: "web_allow",
      attributes: {
        class_uid: 4007, class_name: "Web Resources Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Access",
        // class_uid * 100 + activity_id
        type_uid: 400701,
        disposition_id: 1, disposition: "Allowed"
      },
      format: ".*log_type=\"Content Filtering\".*log_subtype=\"Allowed\".*",
      // All optional; unanchored greedy regexes (last occurrence of the key
      // text).  url and user are copied verbatim; the category regex would
      // also match a longer key ending in "category=".
      rewrites: [
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" },
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // WEB FILTER DENIED - log_type="Content Filtering", log_subtype="Denied".
    // Blocked web requests; severity Low (lower than fw_deny's Medium), and the
    // device's reason string is captured in addition to the web_allow fields.
    // NOTE(review): in the published OCSF schema, class 4007 is SSH Activity;
    // Web Resources Activity is 6001 in the Application Activity category (6).
    // Verify against the targeted schema version.
    {
      id: "web_deny",
      attributes: {
        class_uid: 4007, class_name: "Web Resources Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Access",
        // class_uid * 100 + activity_id
        type_uid: 400701,
        disposition_id: 2, disposition: "Blocked",
        severity_id: 2, severity: "Low"
      },
      format: ".*log_type=\"Content Filtering\".*log_subtype=\"Denied\".*",
      // All optional; unanchored greedy regexes (last occurrence of the key
      // text).  url/user/reason are copied verbatim (untrusted text).
      rewrites: [
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" },
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "category", match: ".*category=\"$v=qval$\".*" },
        { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // SSL VPN CONNECT - log_component="SSL VPN" with status="Connected".
    // Tunnel open.  Unlike ipsec_up (same class/activity) no status_id is set
    // here; consider adding status_id: 1, status: "Success" for consistency.
    {
      id: "sslvpn_up",
      attributes: {
        class_uid: 4014, class_name: "Tunnel Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Open",
        // class_uid * 100 + activity_id
        type_uid: 401401
      },
      format: ".*log_component=\"SSL VPN\".*status=\"Connected\".*",
      // All optional.  tunnel_ip (the address assigned inside the tunnel) is
      // kept under unmapped; src_ip is the remote peer.
      rewrites: [
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "tunnel_ip", match: ".*tunnel_ip=\"$v=ip$\".*" }
      ],
      halt: true
    },

    // SSL VPN DISCONNECT - log_component="SSL VPN" with status="Disconnected".
    // Tunnel close; this is the only format here that captures byte counters
    // (bytes_sent / bytes_received, mapped to traffic.bytes_out / bytes_in).
    {
      id: "sslvpn_down",
      attributes: {
        class_uid: 4014, class_name: "Tunnel Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 2, activity_name: "Close",
        // class_uid * 100 + activity_id
        type_uid: 401402
      },
      format: ".*log_component=\"SSL VPN\".*status=\"Disconnected\".*",
      // All optional; the byte counters are matched unquoted (num pattern).
      rewrites: [
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "bytes_sent", match: ".*bytes_sent=$v=num$.*" },
        { input: "message", output: "bytes_recv", match: ".*bytes_received=$v=num$.*" }
      ],
      halt: true
    },

    // WAF - every line with log_type="WAF".  No subtype check and no
    // disposition, so allowed and blocked WAF events share the same shape and
    // the same Medium severity; the only hint of the verdict is the reason
    // string, if the device emits one.  Consider splitting on log_subtype as
    // the Firewall and Content Filtering entries do, if the device provides it.
    // NOTE(review): in the published OCSF schema, class 4007 is SSH Activity;
    // Web Resources Activity is 6001 (Application Activity, 6).  Verify
    // against the targeted schema version.
    {
      id: "waf",
      attributes: {
        class_uid: 4007, class_name: "Web Resources Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Access",
        // class_uid * 100 + activity_id
        type_uid: 400701,
        severity_id: 3, severity: "Medium"
      },
      format: ".*log_type=\"WAF\".*",
      // All optional; url and reason are copied verbatim (untrusted text).
      rewrites: [
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "url", match: ".*url=\"$v=qval$\".*" },
        { input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" }
      ],
      halt: true
    },

    // FALLBACK - matches every message ($body=rest$ is ".*") and must stay the
    // last entry; it has no halt because nothing follows it.  Everything the
    // formats above reject lands here, including lines that merely lack a
    // mandatory field (e.g. a Firewall/Allowed line without protocol=) and
    // non-network events such as system or admin logs.  All of them are
    // labelled Network Activity / Unknown, so consumers filtering on
    // class_uid 4001 should also look at unmapped.log_type (populated by the
    // first rewrite below) rather than trust the class alone.  The whole raw
    // line is retained as unmapped.raw_body and may carry anything the device
    // logged, including user names and internal addresses.
    {
      id: "fallback",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 0, activity_name: "Unknown",
        // class_uid * 100 + activity_id
        type_uid: 400100
      },
      format: "$body=rest$",
      // Best-effort extraction of the common Sophos key/value fields; each is
      // an unanchored greedy regex and is simply unset when the key is absent.
      rewrites: [
        { input: "message", output: "log_type", match: ".*log_type=\"$v=qval$\".*" },
        { input: "message", output: "log_comp", match: ".*log_component=\"$v=qval$\".*" },
        { input: "message", output: "subtype", match: ".*log_subtype=\"$v=qval$\".*" },
        { input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
        { input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
        { input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
        { input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
      ]
    }
  ],

  // Field renames applied after extraction: each "from" is an output name used
  // by a format or rewrite above, each "to" is the final OCSF-style path.
  // Renames whose source is never produced are harmless no-ops.
  mappings: {
    version: 1,
    mappings: [
      {
        transformations: [
          // Network endpoints and connection.
          { rename: { from: "src_ip", to: "src_endpoint.ip" } },
          { rename: { from: "dst_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "src_port", to: "src_endpoint.port" } },
          { rename: { from: "dst_port", to: "dst_endpoint.port" } },
          { rename: { from: "src_mac", to: "src_endpoint.mac" } },
          { rename: { from: "protocol", to: "connection_info.protocol_name" } },
          // Only sslvpn_down produces these counters.
          { rename: { from: "bytes_sent", to: "traffic.bytes_out" } },
          { rename: { from: "bytes_recv", to: "traffic.bytes_in" } },
          // Identity.  NOTE(review): in OCSF actor.user.groups is an array of
          // Group objects; user_grp is a single string captured from
          // user_group="...".  Confirm the mapper wraps it, or validation of
          // the resulting event may fail.
          { rename: { from: "user", to: "actor.user.name" } },
          { rename: { from: "user_grp", to: "actor.user.groups" } },
          { rename: { from: "auth_mech", to: "auth_protocol" } },
          // Firewall context (fw_allow only).  fw_rule is parked under unmapped;
          // OCSF Network Activity has a firewall_rule object that could hold it.
          { rename: { from: "fw_rule", to: "unmapped.fw_rule_name" } },
          { rename: { from: "src_zone", to: "src_endpoint.zone" } },
          { rename: { from: "dst_zone", to: "dst_endpoint.zone" } },
          // No format in this file produces in_iface / out_iface; these two
          // renames are currently no-ops.
          { rename: { from: "in_iface", to: "src_endpoint.interface_name" } },
          { rename: { from: "out_iface", to: "dst_endpoint.interface_name" } },
          // IPS / ATP / AV findings.  NOTE(review): finding_info.types and
          // malware are array-valued in OCSF; classification and malware here
          // are single strings.  Confirm the mapper's handling.
          { rename: { from: "sig_id", to: "finding_info.uid" } },
          { rename: { from: "sig_msg", to: "finding_info.title" } },
          { rename: { from: "classification", to: "finding_info.types" } },
          { rename: { from: "category", to: "unmapped.category" } },
          { rename: { from: "malware", to: "malware.name" } },
          { rename: { from: "threatfeed", to: "unmapped.threatfeed" } },
          // Web / file fields; raw device strings, not normalised or decoded.
          { rename: { from: "url", to: "http_request.url.original" } },
          { rename: { from: "filename", to: "file.name" } },
          // VPN tunnel context.
          { rename: { from: "con_name", to: "unmapped.connection_name" } },
          { rename: { from: "local_net", to: "unmapped.local_network" } },
          { rename: { from: "remote_net", to: "unmapped.remote_network" } },
          // DHCP: the client is modelled as the destination endpoint.  The dhcp
          // format does not extract dst_ip, so client_ip and dst_ip never both
          // target dst_endpoint.ip on one event in this file.
          { rename: { from: "client_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "client_mac", to: "dst_endpoint.mac" } },
          { rename: { from: "hostname", to: "dst_endpoint.hostname" } },
          { rename: { from: "tunnel_ip", to: "unmapped.tunnel_ip" } },
          { rename: { from: "auth_comp", to: "unmapped.auth_component" } },
          // Raw Sophos classification tags (fallback format) and misc strings.
          { rename: { from: "log_type", to: "unmapped.log_type" } },
          { rename: { from: "log_comp", to: "unmapped.log_component" } },
          { rename: { from: "subtype", to: "unmapped.log_subtype" } },
          { rename: { from: "reason", to: "unmapped.reason" } },
          { rename: { from: "client", to: "unmapped.client_used" } },
          { rename: { from: "dhcp_status", to: "unmapped.dhcp_status" } },
          { rename: { from: "lease_time", to: "unmapped.lease_time" } },
          { rename: { from: "dev", to: "device.name" } },
          // Whole original line (fallback format only).
          { rename: { from: "body", to: "unmapped.raw_body" } }
        ]
      }
    ]
  }
}
