{
    // Parser definition for Stormshield key=value log lines. It extracts the
    // event timestamp, captures every key=value pair under unmapped.*, and then
    // copies the endpoint and user values into src_endpoint.*, dst_endpoint.*
    // and actor.user.name.

    // specify a time zone if the timestamps in your log are not in GMT
    // NOTE(review): "Europe/Paris" is deployment-specific. If the sending
    // appliance logs in a different zone, parsed event times will be shifted and
    // timelines / cross-source correlation will be off - confirm per deployment.
    timezone: "Europe/Paris",
    // Static attributes attached to every event produced by this parser.
    // presumably class_name / class_id follow the OCSF schema - confirm against
    // the schema version in use.
    attributes: {
        "dataSource.category": "security",
        "dataSource.name": "Stormshield",
        "dataSource.vendor": "Stormshield",
        "class_name": "Network Activity",
        "class_id": 4001
    },
    // Named regex fragments referenced from the formats below.
    // tsPattern matches "YYYY-MM-DD HH:MM:SS" (digits only; it does not match
    // fractional seconds or a zone offset).
    patterns: {
      tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}"
    },
    // NOTE(review): the order of these entries looks significant (the rewrites
    // in the last entry read fields captured by the second) - keep it as is.
    formats: [
        {
        // 1) Take the event time from time="..." wherever it appears on the line.
        format: ".*time=\"$timestamp=tsPattern$\""
        },
        {
        // 2) Generic key=value capture: each key becomes an unmapped.<key> field.
        // NOTE(review): the pattern ends in a literal space, so a final pair with
        // no trailing space, or a quoted value containing spaces, may be missed
        // or truncated - verify against sample logs before relying on a field.
        format: ".*$_$=$unmapped._$ ",
        repeat: true
        },
        {
        // 3) Matches every line; it exists only to run the rewrites below.
        format: "^.*",
        // Each rewrite copies the whole input value (match ".*", replace "$0")
        // into the output field. Nothing here validates the value, so downstream
        // detections should not assume the IPs are well-formed or the ports are
        // numeric.
        rewrites: [
                {
                    // source address -> src_endpoint.ip
                    "input": "unmapped.src",
                    "output": "src_endpoint.ip",
                    "match": ".*",
                    "replace": "$0"
                },
                {
                    // source port -> src_endpoint.port
                    "input": "unmapped.srcport",
                    "output": "src_endpoint.port",
                    "match": ".*",
                    "replace": "$0"
                },
                {
                    // destination address -> dst_endpoint.ip
                    "input": "unmapped.dst",
                    "output": "dst_endpoint.ip",
                    "match": ".*",
                    "replace": "$0"
                },
                {
                    // destination port -> dst_endpoint.port
                    "input": "unmapped.dstport",
                    "output": "dst_endpoint.port",
                    "match": ".*",
                    "replace": "$0"
                },
                {
                    // user name as logged -> actor.user.name
                    // NOTE(review): if the logged value is quoted, the quotes are
                    // presumably carried over unchanged - confirm against samples.
                    "input": "unmapped.user",
                    "output": "actor.user.name",
                    "match": ".*",
                    "replace": "$0"
                },
                // NOTE(review): trailing comma after the last rewrite - fine only
                // if the consuming parser is lenient about it; confirm.
            ]
        }
    ]
}