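{
  // Omniconnect TI Gateway OCSF Parser  -  OCSF v1.3.0
  // Secures HIS <-> German Telematics Infrastructure (TI) traffic
  // BSI / NIS2 / gematik compliance events
  //
  // This file uses relaxed JSON (comments, unquoted keys). It is meant for the
  // log-parser engine and will be rejected by a strict RFC 8259 JSON parser.
  //
  // NOTE(review): every `match` pattern below is unanchored. If the engine treats
  // `match` as a substring regex, a value such as "vsdm_read" would still hit the
  // "vsdm" rule. Confirm the engine's matching semantics before relying on
  // class_uid / severity_id in detections.
  // NOTE(review): no rule assigns a fallback class_uid, severity_id or status_id.
  // Events with an unlisted event_category, severity or outcome leave those fields
  // unset, so alerting should not assume they are always populated.

  // Static fields attached to every event handled by this parser.
  attributes: {
    "metadata.version":             "1.3.0",
    "metadata.product.vendor_name": "Omniconnect",
    "metadata.product.name":        "Omniconnect TI Gateway",
    "metadata.log_provider":        "hec",
    "Category":                     "healthcare",
    "dataSource.vendor":            "Omniconnect",
    "dataSource.name":              "Omniconnect",
    "dataSource.category":          "Healthcare"
  },

  formats: [
    {
      // The whole message is parsed as JSON; the rewrites then derive OCSF
      // fields from the parsed source fields.
      format: "$=json{parse=json}$",
      // presumably stops evaluation of any later format once this one matches — confirm
      halt: true,
      rewrites: [
        // ─── OCSF classification by event_category ──────────────────────
        // Each source category sets four fields: category_uid/category_name
        // and class_uid/class_name. The uid and name of a pair must agree.
        { input: "event_category", output: "category_uid",  match: "ti_connection",   replace: "4" },
        { input: "event_category", output: "category_name", match: "ti_connection",   replace: "Network Activity" },
        { input: "event_category", output: "class_uid",     match: "ti_connection",   replace: "4001" },
        { input: "event_category", output: "class_name",    match: "ti_connection",   replace: "Network Activity" },

        { input: "event_category", output: "category_uid",  match: "card_operations", replace: "3" },
        { input: "event_category", output: "category_name", match: "card_operations", replace: "Identity & Access Management" },
        { input: "event_category", output: "class_uid",     match: "card_operations", replace: "3002" },
        { input: "event_category", output: "class_name",    match: "card_operations", replace: "Authentication" },

        { input: "event_category", output: "category_uid",  match: "vsdm",            replace: "6" },
        { input: "event_category", output: "category_name", match: "vsdm",            replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "vsdm",            replace: "6001" },
        { input: "event_category", output: "class_name",    match: "vsdm",            replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid",  match: "erezept",         replace: "6" },
        { input: "event_category", output: "category_name", match: "erezept",         replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "erezept",         replace: "6001" },
        { input: "event_category", output: "class_name",    match: "erezept",         replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid",  match: "epa",             replace: "6" },
        { input: "event_category", output: "category_name", match: "epa",             replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "epa",             replace: "6001" },
        { input: "event_category", output: "class_name",    match: "epa",             replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid",  match: "kim",             replace: "4" },
        { input: "event_category", output: "category_name", match: "kim",             replace: "Network Activity" },
        { input: "event_category", output: "class_uid",     match: "kim",             replace: "4009" },
        { input: "event_category", output: "class_name",    match: "kim",             replace: "Email Activity" },

        // NOTE(review): Security Finding (2001) is deprecated since OCSF 1.1.0 in
        // favour of Detection Finding (2004). It is kept here so existing queries
        // on class_uid 2001 keep matching; plan the migration together with the
        // detection content that consumes it.
        { input: "event_category", output: "category_uid",  match: "security",        replace: "2" },
        { input: "event_category", output: "category_name", match: "security",        replace: "Findings" },
        { input: "event_category", output: "class_uid",     match: "security",        replace: "2001" },
        { input: "event_category", output: "class_name",    match: "security",        replace: "Security Finding" },

        // Application Lifecycle is class 6002. 6007 is Scan Activity, which would
        // make gateway system events appear as scan results to OCSF consumers.
        { input: "event_category", output: "category_uid",  match: "system",          replace: "6" },
        { input: "event_category", output: "category_name", match: "system",          replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "system",          replace: "6002" },
        { input: "event_category", output: "class_name",    match: "system",          replace: "Application Lifecycle" },

        // ─── Severity ───────────────────────────────────────────────────
        // OCSF severity_id: 1 Informational, 2 Low, 3 Medium, 4 High,
        // 5 Critical, 6 Fatal. Keeping the source label and the OCSF id aligned
        // prevents "high" events from being triaged as Critical downstream.
        { input: "severity", output: "severity_id",  match: "(?i)critical", replace: "5" },
        { input: "severity", output: "severity_id",  match: "(?i)high",     replace: "4" },
        { input: "severity", output: "severity_id",  match: "(?i)medium",   replace: "3" },
        { input: "severity", output: "severity_id",  match: "(?i)low",      replace: "2" },
        { input: "severity", output: "severity_id",  match: "(?i)info",     replace: "1" },
        // Raw source label, copied unchanged. NOTE(review): the OCSF attribute for
        // the label is `severity`; `severity_str` is kept for existing consumers.
        { input: "severity", output: "severity_str", match: ".*",           replace: "$0" },

        // ─── Status ─────────────────────────────────────────────────────
        // OCSF base status_id: 1 Success, 2 Failure, 99 Other.
        { input: "outcome",  output: "status_id", match: "success",  replace: "1" },
        { input: "outcome",  output: "status_id", match: "failure",  replace: "2" },
        // NOTE(review): "detected" is recorded as Failure (2). Confirm this is the
        // intended reading for finding events rather than 99 (Other).
        { input: "outcome",  output: "status_id", match: "detected", replace: "2" },
        // 3 is not a defined base status_id. "revoked" maps to 99 (Other) and the
        // raw value stays available in `status` below.
        { input: "outcome",  output: "status_id", match: "revoked",  replace: "99" },
        { input: "outcome",  output: "status",    match: ".*",       replace: "$0" },

        // ─── Activity / finding ─────────────────────────────────────────
        // Straight copies of source fields. They are written for every event,
        // not only for those classified as findings.
        { input: "event_type", output: "activity_name",      match: ".*", replace: "$0" },
        { input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" },
        { input: "event_id",   output: "finding_info.uid",   match: ".*", replace: "$0" },
        { input: "timestamp",  output: "finding_info.created_time_dt", match: ".*", replace: "$0" },

        // ─── Compliance tags (BSI / NIS2 / gematik / GDPR) ──────────────
        // The same static, comma-separated label is stamped on every event that
        // carries an event_category. It is a routing/reporting tag only and says
        // nothing about which control an individual event relates to.
        { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,gematik-TI,GDPR" }
      ]
    }
  ]
}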
