{
  // Static attributes declared once at parser level. Each entry in `formats`
  // carries its own `attributes` block with class, activity and (for some
  // entries) severity/disposition values.
  // NOTE(review): presumably a per-format severity_id/severity replaces the
  // Informational default given here; confirm the precedence rule in the
  // parser engine, otherwise findings could be emitted with severity 1.
  attributes: {
    "metadata.version":    "3.0.0",
    "dataSource.vendor":   "Check Point",
    "dataSource.name":     "Check Point Firewall",
    "dataSource.category": "security",
    "metadata.product.vendor_name": "Check Point",
    "metadata.product.name":        "Next Generation Firewall",
    "metadata.log_provider":        "syslog",
    "severity_id": 1,
    "severity": "Informational"
  },

  // Named regex fragments referenced from the format strings as $field=name$.
  patterns: {
    // IPv4 dotted form only, and octets are not range-checked (999.999.999.999
    // matches). An IPv6 address does not match, so a line whose src/dst is IPv6
    // matches none of the formats below that capture those fields with `ip`.
    ip:        "\\d+\\.\\d+\\.\\d+\\.\\d+",
    num:       "\\d+",
    // No whitespace allowed: a value with a space does not match `word`.
    word:      "[\\w-]+",
    // One or more characters other than `;` and `"`. An empty quoted value
    // (key:"") or a value containing `;` therefore fails the whole format.
    qval:      "[^;\"]+",
    // Brace-delimited token; the content between the braces is not validated.
    uuid:      "\\{[^}]+\\}",
    // Not referenced by any format in this file.
    rest:      ".*"
  },

  formats: [
    // ═══════════════════════════════════════════════════════════════════════════
    // PIPE-DELIMITED: time=...|action=...|src=...|dst=...
    // ═══════════════════════════════════════════════════════════════════════════

    // PIPE - Firewall Accept
    // Matches only when every listed key is present, in exactly this order, with
    // nothing between them but the `|` separator. `product` uses `word`, so a
    // product name containing a space does not match, and `service` must be
    // numeric because it is captured with `num` as dst_port.
    // NOTE(review): `halt: true` presumably stops evaluation of later formats
    // once this one matches; confirm, since format order decides classification.
    {
      id: "cp_pipe_accept",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        type_uid: 400106,
        disposition_id: 1, disposition: "Allowed"
      },
      format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$[|]layer_name=$layer_name=word$[|]action=Accept[|]rule_uid=$rule_uid=qval$[|]ifdir=$iface_dir=word$[|]ifname=$iface_name=word$[|]loguid=$log_uid=uuid$[|]origin=$origin_ip=ip$[|]src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$[|]s_port=$src_port=num$[|]service=$dst_port=num$.*",
      halt: true
    },

    // PIPE - Firewall Drop
    // Emits a Detection Finding (Medium severity, High confidence) for every
    // dropped connection.
    // NOTE(review): `.*action=Drop` and `.*src=` are not anchored on the `|`
    // separator, so they also match inside a longer key or inside another
    // field's value (for example a key that merely ends in `src`). Anchoring
    // both on `[|]` would tie the captures to the real fields; verify against
    // sample logs before changing.
    // NOTE(review): routine policy drops raised as High-confidence findings can
    // be very noisy downstream; confirm this classification is intended.
    {
      id: "cp_pipe_drop",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        disposition_id: 2, disposition: "Blocked",
        severity_id: 3, severity: "Medium",
        "finding_info.title": "Check Point Firewall Block",
        confidence_id: 3, confidence: "High"
      },
      format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$.*action=Drop.*src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$.*",
      halt: true
    },

    // PIPE - Generic firewall fallback (any pipe format with src/dst)
    // Catches any pipe-delimited line that starts with time= and has adjacent
    // src=/dst= IPv4 fields. No disposition is set, so a line with an action
    // other than Accept or Drop lands here without an allow/block verdict, and
    // the action itself is not captured.
    // NOTE(review): `.*src=` is not anchored on `|` and would also match a key
    // that ends in `src`; confirm against sample logs.
    {
      id: "cp_pipe_fw",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        type_uid: 400106
      },
      format: "time=$time_epoch=num$[|].*src=$src_ip=ip$[|]dst=$dst_ip=ip$.*",
      halt: true
    },

    // ═══════════════════════════════════════════════════════════════════════════
    // SEMICOLON FORMAT: [field:"value"; ...]
    // Fields appear in alphabetical order in CP Log Exporter
    // ═══════════════════════════════════════════════════════════════════════════

    // IDENTITY AWARENESS - Auth Success (no dst field, must precede generic Accept)
    // Requires action "Accept" and product "Identity Awareness", then user,
    // auth_method, identity_src, src, origin and loguid in that order.
    // NOTE(review): that key order is not alphabetical, although the section
    // header says Log Exporter emits fields alphabetically; confirm against a
    // real sample, because a different order means this format never matches.
    // NOTE(review): the keys are not anchored on a field delimiter, so `src:"`
    // can also match the tail of a longer key; only the IPv4 requirement keeps
    // it from capturing such a field here.
    {
      id: "cp_auth_ok",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "Identity & Access Management",
        activity_id: 1, activity_name: "Logon",
        type_uid: 300201,
        status_id: 1, status: "Success"
      },
      format: ".*action:\"Accept\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*identity_src:\"$identity_src=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // IDENTITY AWARENESS - Auth Failure
    // Matches only action "Reject" and requires user, auth_method, reason, src,
    // origin and loguid in that order. `user` and `reason` use `qval`, so an
    // empty value fails the match.
    // NOTE(review): a failed logon that lacks `reason`, carries an empty user,
    // or comes from an IPv6 source matches no other format in this file (the
    // firewall and fallback formats all require dst). Such failures would go
    // unparsed, which is a gap for brute-force detection; confirm with samples.
    {
      id: "cp_auth_fail",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "Identity & Access Management",
        activity_id: 1, activity_name: "Logon",
        type_uid: 300201,
        status_id: 2, status: "Failure",
        severity_id: 3, severity: "Medium"
      },
      format: ".*action:\"Reject\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*reason:\"$status_detail=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // ANTI-BOT
    // Any single-word action matches and is captured as cp_action; no
    // disposition is set, and severity is fixed at Critical whatever the action.
    // NOTE(review): a detect-only event and a prevented one produce the same
    // finding here. The captured action is only renamed to unmapped.action by
    // the mappings section, so consumers must read that field to tell whether
    // the traffic was actually stopped.
    {
      id: "cp_antibot",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        severity_id: 5, severity: "Critical",
        "finding_info.title": "Check Point Anti-Bot Detection",
        confidence_id: 3, confidence: "High"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Bot\";.*malware_name:\"$malware_name=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // ANTI-VIRUS
    // Requires product "Anti-Virus" plus malware, file_name, src, dst, origin
    // and loguid in that order. The action is captured but not pinned, and
    // severity is always Critical.
    // NOTE(review): file_name comes from the inspected content and is captured
    // with `qval`; a file name containing `;` or `"` breaks the match, so that
    // detection would not be parsed by this format. Check how the exporter
    // escapes these characters.
    {
      id: "cp_antivirus",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        severity_id: 5, severity: "Critical",
        "finding_info.title": "Check Point Anti-Virus Detection",
        confidence_id: 3, confidence: "High"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Virus\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // THREAT EMULATION
    // Same field layout as the Anti-Virus format, keyed on product
    // "Threat Emulation". Every match is emitted at severity_id 6 ("Fatal"),
    // the highest value used in this file, regardless of the captured action.
    // NOTE(review): confirm that downstream severity handling accepts 6 and
    // that this level is intended for detections that were blocked as well.
    {
      id: "cp_te",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        severity_id: 6, severity: "Fatal",
        "finding_info.title": "Check Point Threat Emulation",
        confidence_id: 3, confidence: "High"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"Threat Emulation\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // IPS
    // Requires product "IPS" plus attack, protection_name, src, dst, origin and
    // loguid in that order; the action is captured but not pinned.
    // NOTE(review): the mappings section renames `attack` to finding_info.title,
    // the same key this block sets statically. Which value survives depends on
    // the parser engine; confirm the finding title is the one you expect.
    {
      id: "cp_ips",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        severity_id: 4, severity: "High",
        "finding_info.title": "Check Point IPS Detection",
        confidence_id: 3, confidence: "High"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"IPS\";.*attack:\"$attack=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // SMARTDEFENSE (Legacy IPS)
    // Like the IPS format but keyed on product "SmartDefense" and without
    // protection_name. No confidence value is set here, unlike the other
    // Detection Finding formats in this file.
    // NOTE(review): `attack` is renamed to finding_info.title by the mappings
    // section, colliding with the static title below; confirm which one wins.
    {
      id: "cp_smartdef",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        severity_id: 4, severity: "High",
        "finding_info.title": "Check Point SmartDefense"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"SmartDefense\";.*attack:\"$attack=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

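    // URL FILTERING - Block
    // Matches product "URL Filtering" with action exactly "Block" and captures
    // the requested resource as `url`.
    // In OCSF HTTP Activity (class 4002) activity_id 6 means "Post", not
    // "Traffic". The HTTP method is not parsed from the log, so the activity is
    // reported as Unknown (0) and type_uid is class_uid * 100 + 0.
    // NOTE(review): `resource` is attacker-influenced and captured with `qval`;
    // a URL containing `;` or `"` fails the match, and because this block
    // format then does not apply the line can be picked up by a later, more
    // generic format. Check how the exporter escapes these characters.
    {
      id: "cp_urlf_block",
      attributes: {
        class_uid: 4002, class_name: "HTTP Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 0, activity_name: "Unknown",
        type_uid: 400200,
        disposition_id: 2, disposition: "Blocked",
        severity_id: 2, severity: "Low"
      },
      format: ".*action:\"Block\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },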

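    // URL FILTERING - Allow
    // Matches product "URL Filtering" with any single-word action and captures
    // the requested resource as `url`. It relies on the Block format being
    // listed first, since the action is not pinned here.
    // In OCSF HTTP Activity (class 4002) activity_id 6 means "Post", not
    // "Traffic". The HTTP method is not parsed from the log, so the activity is
    // reported as Unknown (0) and type_uid is class_uid * 100 + 0.
    // NOTE(review): disposition is hard-coded to "Allowed" for every action
    // other than the exact string "Block". Any other denying action value would
    // be recorded as allowed traffic; pin the accepted action value(s) once
    // they are confirmed from sample logs.
    {
      id: "cp_urlf_allow",
      attributes: {
        class_uid: 4002, class_name: "HTTP Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 0, activity_name: "Unknown",
        type_uid: 400200,
        disposition_id: 1, disposition: "Allowed"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },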

    // APPLICATION CONTROL
    // Requires product "Application Control" plus appi_name, app_category, src,
    // dst, origin and loguid in that order. The action is captured as cp_action
    // but no disposition is set, so allowed and blocked application traffic
    // produce the same Network Activity event apart from unmapped.action.
    {
      id: "cp_appc",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        type_uid: 400106
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"Application Control\";.*appi_name:\"$app_name=qval$\";.*app_category:\"$app_cat=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // VPN
    // Requires product "VPN" plus src, dst, user, origin and loguid in that
    // order. The action is captured with `qval`, so multi-word values match.
    // NOTE(review): every matching line is emitted as Tunnel Activity "Open"
    // with status "Success", whatever the action says. A failed or torn-down
    // tunnel would be recorded as a successful open; confirm the action values
    // and split this format if failures need to be visible.
    {
      id: "cp_vpn",
      attributes: {
        class_uid: 4014, class_name: "Tunnel Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 1, activity_name: "Open",
        type_uid: 401401,
        status_id: 1, status: "Success"
      },
      format: ".*action:\"$cp_action=qval$\";.*product:\"VPN\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*user:\"$user_name=qval$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // DLP
    // Requires product "DLP" plus dlp_rule_name, file_name, src, origin and
    // loguid in that order; dst is not captured. Severity is fixed at High and
    // no disposition is set, so the captured action (unmapped.action after
    // mapping) is the only indication of whether the transfer was stopped.
    {
      id: "cp_dlp",
      attributes: {
        class_uid: 2006, class_name: "Data Security Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200601,
        severity_id: 4, severity: "High",
        "finding_info.title": "Check Point DLP Violation"
      },
      format: ".*action:\"$cp_action=word$\";.*product:\"DLP\";.*dlp_rule_name:\"$dlp_rule=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // SMARTCONSOLE Audit
    // Administrative changes: requires product "SmartConsole" plus
    // administrator, operation, object_name, object_type, src, origin and loguid
    // in that order. No action field is required.
    // NOTE(review): the mappings section renames `operation` to activity_name
    // while activity_id stays 0 and type_uid stays 300400, so the name and the
    // id may disagree; confirm which activity_name value the engine keeps.
    // NOTE(review): an audit line that lacks any of the listed keys matches no
    // other format here (the remaining ones need action or dst), so that admin
    // change would go unparsed.
    {
      id: "cp_audit",
      attributes: {
        class_uid: 3004, class_name: "Entity Management",
        category_uid: 3, category_name: "Identity & Access Management",
        activity_id: 0, activity_name: "Unknown",
        type_uid: 300400
      },
      format: ".*product:\"SmartConsole\";.*administrator:\"$admin_user=qval$\";.*operation:\"$operation=qval$\";.*object_name:\"$obj_name=qval$\";.*object_type:\"$obj_type=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
      halt: true
    },

    // FIREWALL ACCEPT - generic with rule_name
    // Requires action "Accept", then loguid, origin, product, proto, rule_name,
    // s_port, service, src and dst in that order. `service` must be numeric.
    // NOTE(review): dst is expected after src, which is not alphabetical order
    // as described in the section header; confirm against a real sample.
    // NOTE(review): `.*src:"` and `.*dst:"` are not anchored on a field
    // delimiter and `.*` is unbounded, so a longer key ending in `src` or `dst`
    // with an IPv4 value could be captured instead of the real field. Check
    // logs that carry NAT or similar extra address fields.
    {
      id: "cp_fw_accept",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        type_uid: 400106,
        disposition_id: 1, disposition: "Allowed"
      },
      format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
      halt: true
    },

    // FIREWALL ACCEPT - without rule_name
    // Same token sequence as cp_fw_accept minus rule_name, for accepted traffic
    // logged without a rule name. Events matched here carry no firewall rule
    // attribution.
    // NOTE(review): the same ordering and unanchored-key caveats apply: dst is
    // expected after src, and `.*src:"` / `.*dst:"` can match the tail of a
    // longer key.
    {
      id: "cp_fw_accept_norule",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 6, activity_name: "Traffic",
        type_uid: 400106,
        disposition_id: 1, disposition: "Allowed"
      },
      format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
      halt: true
    },

    // FIREWALL DROP
    // Requires action "Drop" and the same token sequence as cp_fw_accept,
    // including rule_name. Emitted as a Detection Finding (Medium, High
    // confidence) with disposition Blocked.
    // NOTE(review): unlike Accept, there is no variant without rule_name. A
    // drop logged without rule_name, or with a non-numeric `service` or
    // `s_port`, falls through to cp_fallback and loses its Blocked disposition
    // and finding classification.
    {
      id: "cp_fw_drop",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        disposition_id: 2, disposition: "Blocked",
        severity_id: 3, severity: "Medium",
        "finding_info.title": "Check Point Firewall Block",
        confidence_id: 3, confidence: "High"
      },
      format: ".*action:\"Drop\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
      halt: true
    },

    // FIREWALL REJECT
    // Same layout as cp_fw_drop but for action "Reject", with its own finding
    // title. Reaches only Reject lines not already taken by cp_auth_fail, which
    // is listed earlier and also keys on action "Reject".
    // NOTE(review): rule_name is mandatory here too; a reject without it falls
    // through to cp_fallback and loses its Blocked disposition.
    {
      id: "cp_fw_reject",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create",
        type_uid: 200401,
        disposition_id: 2, disposition: "Blocked",
        severity_id: 3, severity: "Medium",
        "finding_info.title": "Check Point Firewall Reject",
        confidence_id: 3, confidence: "High"
      },
      format: ".*action:\"Reject\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
      halt: true
    },

    // GENERIC FALLBACK - just extract src/dst if present
    // Last format in the list and the only one without `halt`. It captures
    // nothing but src and dst and sets activity Unknown with no disposition,
    // severity override or action, so anything landing here has lost its
    // verdict.
    // NOTE(review): a line without quoted IPv4 src and dst fields (IPv6
    // traffic, or any event type with no dst) matches no format at all. Track
    // the volume of fallback and unparsed events so parser gaps are noticed.
    {
      id: "cp_fallback",
      attributes: {
        class_uid: 4001, class_name: "Network Activity",
        category_uid: 4, category_name: "Network Activity",
        activity_id: 0, activity_name: "Unknown",
        type_uid: 400100
      },
      format: ".*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*"
    }
  ],

  // Renames the fields captured by the formats above to their output names.
  // A rename only has an effect for events whose format captured the `from`
  // field.
  mappings: {
    version: 1,
    mappings: [
      {
        transformations: [
          { rename: { from: "src_ip", to: "src_endpoint.ip" } },
          { rename: { from: "dst_ip", to: "dst_endpoint.ip" } },
          { rename: { from: "src_port", to: "src_endpoint.port" } },
          { rename: { from: "dst_port", to: "dst_endpoint.port" } },
          { rename: { from: "iface_name", to: "src_endpoint.interface_name" } },
          { rename: { from: "proto_num", to: "connection_info.protocol_num" } },
          { rename: { from: "iface_dir", to: "connection_info.direction" } },
          // user_name and admin_user share a target; no format captures both.
          { rename: { from: "user_name", to: "actor.user.name" } },
          { rename: { from: "admin_user", to: "actor.user.name" } },
          { rename: { from: "rule_name", to: "firewall_rule.name" } },
          { rename: { from: "rule_uid", to: "firewall_rule.uid" } },
          { rename: { from: "app_name", to: "app.name" } },
          { rename: { from: "app_cat", to: "app.category" } },
          { rename: { from: "url", to: "http_request.url.original" } },
          { rename: { from: "malware_name", to: "malware.name" } },
          // NOTE(review): cp_ips and cp_smartdef also set finding_info.title as
          // a static attribute; confirm whether this rename or the static value
          // ends up in the event.
          { rename: { from: "attack", to: "finding_info.title" } },
          { rename: { from: "protection", to: "finding_info.desc" } },
          { rename: { from: "file_name", to: "file.name" } },
          { rename: { from: "auth_method", to: "auth_protocol" } },
          { rename: { from: "dlp_rule", to: "policy.name" } },
          // NOTE(review): cp_audit sets activity_name "Unknown" with
          // activity_id 0; this rename targets the same key, so the name may no
          // longer correspond to the id.
          { rename: { from: "operation", to: "activity_name" } },
          { rename: { from: "obj_name", to: "entity.name" } },
          { rename: { from: "obj_type", to: "entity.type" } },
          // Source and target are identical, so this rename changes nothing.
          { rename: { from: "status_detail", to: "status_detail" } },
          { rename: { from: "origin_ip", to: "device.ip" } },
          { rename: { from: "cp_hostname", to: "device.hostname" } },
          { rename: { from: "cp_product", to: "metadata.product.feature.name" } },
          { rename: { from: "log_uid", to: "metadata.uid" } },
          // The vendor action is kept only under unmapped.*; formats that do not
          // pin the action rely on this field to show what the gateway did.
          { rename: { from: "cp_action", to: "unmapped.action" } },
          { rename: { from: "layer_name", to: "unmapped.layer_name" } },
          { rename: { from: "identity_src", to: "unmapped.identity_source" } },
          // NOTE(review): the gateway timestamp is parked under unmapped.* and
          // is captured only by the pipe formats. Presumably the event time
          // then comes from ingestion; confirm, since that skews timelines when
          // logs are delayed or replayed.
          { rename: { from: "time_epoch", to: "unmapped.time_epoch" } }
        ]
      }
    ]
  }
}
